Is XACML the unique alternative for access granularity - wso2

I currently use WSO2 IS 5.9, but I want to be more thorough when creating rules of access to resources of my web application, for example limiting an action to a certain button within my application.
I have read the documentation of WSO2 IS and other resources, and everything guides me to use XACML to apply such restrictions within my application.
Is there another alternative to XACML? I see a very high complexity in using this proposal.
For now, in the OIDC claims I get the role, but I don't see how to limit access to functionality.

You can use adaptive authentication scripts as well for having some access control at the service provider level instead of using XACML. Please refer to this documentation on Adaptive Authentication scripts: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication/
For example, if you want to have some role-based access control, you can use the adaptive script by referring here: https://is.docs.wso2.com/en/5.9.0/learn/configuring-role-based-adaptive-authentication/.
There are some predefined scenarios, and you can refer to them as well: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication-scenarios/
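As an added example that is not part of the answer above or of the WSO2 documentation, this is the shape a role-based adaptive authentication script takes: a global `onLoginRequest(context)` drives the authentication steps, and after step 1 succeeds the script checks the authenticated subject's roles and sends everyone without an allowed role to an error page. The runtime functions `executeStep`, `hasRole` and `sendError` are the ones WSO2 IS 5.9 exposes to adaptive scripts; the stand-in runtime below (`runScript` and the three stubs) is a constructed assumption that only imitates their observable effect so the script can be exercised offline, and the role names are sample values.

```javascript
// Stand-in runtime: in WSO2 IS these three functions are supplied by the
// product. They are declared here so the script below can be run locally
// against a stub (constructed for this example, not WSO2 code).
let executeStep, hasRole, sendError;

// Roles permitted to reach the application (constructed sample roles).
var allowedRoles = ['manager', 'auditor'];

// The adaptive authentication script as IS 5.9 would load it.
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      // Subject authenticated in step 1 (e.g. username/password).
      var user = context.steps[1].subject;
      var permitted = allowedRoles.some(function (role) {
        return hasRole(user, role);
      });
      if (!permitted) {
        // Stop the flow: the user is authenticated but not authorised.
        sendError('/error', {
          errorCode: 'access_denied',
          errorMsg: 'Requires one of the roles: ' + allowedRoles.join(', ')
        });
      }
    }
  });
};

// Offline harness (assumption): models step 1 succeeding for a subject with
// the given roles and records whether the script let the login through.
function runScript(username, roles) {
  var outcome = { authenticated: false, error: null };
  var context = { steps: { 1: { subject: { username: username, roles: roles } } } };

  executeStep = function (stepId, callbacks) {
    outcome.authenticated = true;           // step completed successfully
    if (callbacks && callbacks.onSuccess) callbacks.onSuccess(context);
  };
  hasRole = function (user, role) {
    return user.roles.indexOf(role) !== -1;
  };
  sendError = function (url, params) {
    outcome.authenticated = false;          // flow aborted to the error page
    outcome.error = params.errorCode;
  };

  onLoginRequest(context);
  return outcome;
}
```

Note that this gates access at login for the whole service provider; it cannot distinguish one button from another inside the application. For per-function decisions the application still has to read the role claim (or ask a policy decision point) at the point where the function is invoked.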

Related

AWS Cognito OIDC Customizations

https://consumerdatastandardsaustralia.github.io/standards/#security-profile
I am trying to set up AWS Cognito as an OIDC provider. I am able to create a User pool; however, there is a lot of custom data needed. For example, ".well-known/openid-configuration" of Cognito returns a few details but is missing introspection_endpoint, revocation_endpoint, claims_supported etc.
Similarly, customization of the /authorize endpoint with additional claims is needed.
Any help or suggestions would be really helpful.
Regards & Thanks
Claims can be somewhat customised with a lambda: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
introspection_endpoint and revocation_endpoint are not core oauth and are extensions. I have found Cognito does not generally implement extensions, there are many parts of oauth2 core not implemented also.
Cognito is missing many many features you may expect to get out of the box, there is a seemingly large and opaque backlog which support constantly reference when you point out that a standard feature is missing.
no silent refresh capability in the hosted UI, so no safe way to store the refresh token.
no support for custom auth flow in the hosted UI
no passwordless support in the hosted UI
no ability to pre-populate a field in the hosted UI (e.g. username)
no ability to customise the plethora of obscure error messages in the custom UI
fixed now, but for years the email addresses were case sensitive!
If you choose not to use the hosted UI there is no way to get any oauth scopes.
There are many non-oauth cognito idp calls that you may be able to use with the access token: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/index.html
If these don't fit your needs, I would suggest you consider other auth services, or adjust your expectations if you choose to move forward with Cognito. Good luck!

google cloud project: create using a custom interface

Is it possible to create a google cloud project without using the console?
I am building a platform where I would like the user to login (say with Google credentials) and once authenticated, the platform should have the ability to create a project in the users account (by virtue of the authentication) via the platform's interface.
If it is possible, can someone provide general directions or approach how this could work. Thanks.
Technically it's possible, as the GCP console itself calls APIs on their servers to perform server creation, destruction and other actions.
I would think of a few steps to achieve it if you want to do it on your own:
1. Choose the API type, e.g. GCloud, Java, Go or any others
2. Scoping what kind of functions you want to expose to users
3. Build the new UI
In fact, you can achieve this by assigning the proper IAM role, unless you want to build your own white-labeling wrapper.

Standard way to do access control for an online service

I was wondering what could be a standard way to do access control for some private online services which are hosted on the cloud?
Basically, the service on the cloud is a MapProxy, which itself does not support much authentication methods. Therefore, I was thinking to build a proxy in front of that Map Proxy to do some connection handling. We have decided to use cookies as a way of authentication, and now what is a standard way to do authorization?
Is there any well-documented library that could help to build a connection handler for authorization?
It all depends on what you mean with authorization. If your goal is to define true access control logic e.g.:
a user can call this method of my API if the user role is manager and the user location is the same as the location of the document requested in the API,
then you can use XACML, the eXtensible Access Control Markup Language. I have already replied to a similar question here: RESTFul API endpoint design with filtering and authorization and https://stackoverflow.com/questions/24514711/authorization-framework-in-a-java-web-application/24526891#24526891
To implement ABAC, you will need XACML, the eXtensible Access Control Markup Language. It's an OASIS standard (the same body behind SAML and many other standards). XACML defines:
a policy language to express the authorization requirements above
a request/response scheme to query the authorization e.g. "Can Alice view document d?"
an architecture which defines standard components such as the policy decision point (PDP) and the policy enforcement point (PEP). The latter protects your app and sends the authorization question to the PDP.
When to choose XACML (and ABAC) over other frameworks e.g. Spring Security (and RBAC)? If you have relationships between your users and your data (e.g. ownership, doctor-patient, team leader - team member...), then XACML is for you. If you have many different apps in different languages (Python, Java, .NET, Ruby...) then XACML is for you. XACML is technology-agnostic so it makes it easier to reuse across all your apps.
There are several frameworks that provide you with XACML. Some are vendor-based such as Axiomatics (where I work). Others are open-source such as SunXACML or Heras AF.
HTH,
David.
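To make the three XACML pieces the answer lists concrete (a policy language, a request/response scheme, and the PDP/PEP split), here is an added example that is not part of the answer and not a XACML engine: a small attribute-based policy decision point written as plain data and functions. The first rule encodes exactly the requirement quoted above (role is manager and the user's location equals the document's location), the request answers "Can Alice view document d?", and `deny-unless-permit` is the XACML 3.0 combining algorithm that refuses anything not explicitly permitted. All users, documents and attribute values are constructed for the example.

```javascript
// Decision values in the vocabulary XACML uses.
const PERMIT = 'Permit';
const DENY = 'Deny';
const NOT_APPLICABLE = 'NotApplicable';

// A policy: rules with a target (which requests the rule applies to), a
// condition over subject/action/resource attributes, and an effect.
const policy = {
  combining: 'deny-unless-permit',   // anything not permitted is denied
  rules: [
    {
      id: 'manager-may-view-documents-at-own-location',
      effect: PERMIT,
      target: (req) => req.action === 'view' && req.resource.type === 'document',
      condition: (req) =>
        req.subject.role === 'manager' &&
        req.subject.location === req.resource.location,
    },
    {
      id: 'owner-may-edit-own-document',
      effect: PERMIT,
      target: (req) => req.action === 'edit' && req.resource.type === 'document',
      condition: (req) => req.subject.id === req.resource.owner,
    },
  ],
};

// Policy Decision Point: evaluate every applicable rule and combine.
function decide(policy, request) {
  const results = policy.rules
    .filter((rule) => rule.target(request))
    .map((rule) => (rule.condition(request) ? rule.effect : NOT_APPLICABLE));
  if (policy.combining === 'deny-unless-permit') {
    return results.includes(PERMIT) ? PERMIT : DENY;
  }
  throw new Error('unsupported combining algorithm: ' + policy.combining);
}

// Policy Enforcement Point: the application code only runs on an explicit
// Permit; Deny, NotApplicable or any error all refuse the request.
function enforce(policy, request, handler) {
  return decide(policy, request) === PERMIT ? handler(request) : 'access denied';
}

// Constructed sample attributes (not real users or documents).
const users = {
  alice: { id: 'alice', role: 'manager', location: 'paris' },
  bob:   { id: 'bob',   role: 'manager', location: 'london' },
  carol: { id: 'carol', role: 'clerk',   location: 'paris' },
};
const documentD = { type: 'document', id: 'd', location: 'paris', owner: 'carol' };

// The request/response half: "Can <user> <action> document d?"
function canView(userName, doc) {
  return decide(policy, { subject: users[userName], action: 'view', resource: doc });
}
function canEdit(userName, doc) {
  return decide(policy, { subject: users[userName], action: 'edit', resource: doc });
}
function viewDocument(userName, doc) {
  const request = { subject: users[userName], action: 'view', resource: doc };
  return enforce(policy, request, (req) => 'contents of ' + req.resource.id);
}
```

The point of the separation is that the application (the PEP) never reasons about roles or locations itself; it ships attributes to `decide` and acts only on `Permit`. Changing who may see what is then a policy edit, not an application change, which is the property the answer attributes to XACML and ABAC.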

Salesforce Different WSDL files and when to use

I am working on a salesforce feature, where we are trying to expose a single web Service method in a custom class to a "Partner" so they can generate leads.
The class/method has been created/tested and functions as expected, so we are working on implementation.
I have been poring over all of Salesforce's Web Service documentation and cookbook recipes, but everything I see only talks about using either the Enterprise or Partner WSDL files, which would give them more access than I believe should be required.
If I import the WSDL file that is generated off the class itself, I have access to the methods, but I can't seem to find any way to log in (using their examples as reference).
I have 2 basic questions here.
Do I really need to give full access to my instance to expose a single method?
What is the bare minimum I need to provide?
The WSDL itself is just a definition of the web service and does not control actual access to your org. To get access to your org, a session id must be included in each request to the web service. Session ids are tied to a given user in your org, so you can also control what they can access by giving them their own profile and locking down access to only what they need to get to. The profiles are associated with objects/fields, not the web services themselves, so think about what they will need to access in terms of data, because they could always use that same session to access other web services. There are also Apex class-level access controls on the profile, but this doesn't stop them from doing the same data operations through the SOAP APIs, so make sure you have their profile only expose what they need access to and that will be enforced everywhere.
As far as obtaining the session id, it somewhat depends on how you are interfacing with them and what their application is like. In general, the recommended way is to use OAuth (called "Remote Access" in Salesforce Help), which will make it so usernames and passwords don't have to be used in their application, but are rather sent directly to Salesforce by the end user. There are a few different flows to choose from depending on the app, and they are explained in Help. The REST API doc has a nice intro to using OAuth to get the session id (aka "token" in OAuth). Speaking of REST, you might even consider using the new Apex REST API, which allows you to make similar custom web services from Apex, but with REST interfaces.
The Partner and Enterprise APIs also have a login() method, which is convenient since it is also SOAP-based, but is losing favor because the app has to directly handle the username and password. If you do this option, you would login with either the Partner and Enterprise API, get the session id, and then switch over to your custom web service. So, yes, for this option you would have to consume both your WSDL and either the Partner or Enterprise WSDL, and just ignore the other methods, but again, the methods just being there does not mean they can access them (e.g. if you remove Delete from their profile for a given object type, they would not be able to use the delete() method for it).
What you provide and what they can do are 2 separate things: if you give them a user's credentials, then they can do anything the user can do regardless of which WSDL they use. So you'll want to create a user with restricted permissions that has the bare minimum rights to do what you want.
Once you've got that, it doesn't matter if you give them the enterprise, partner or a custom WSDL.
If you give them the apex class WSDL, then they'll need some way to login, which could be login from the partner WSDL, one of the OAuth2 flows, or a webtab or custom link. (depending on the exact scenario).
Finally, have you seen the web2lead feature, which allows leads to be created in your salesforce account without needing a WSDL or credentials?

Restrict access to resources and DELETE/PUT commands for RESTful WS

I have created a Web service using NetBeans' JEE6 and Jersey "Web service from Database" feature.
So my web services can be accessed at: http://localhost:8080/SampleWS/listOfItems
The above returns a list of items present in my database. I am using RESTKit on iOS as a client to access this resource.
However, there are two things I would like to do:
1) I would like to restrict access to the above resource only to authenticated users. What is the way to do that?
2) I would also like to restrict only selected out of the authorized users to invoke DELETE, PUT and CREATE commands.
Finally, NetBeans allows me to create a WS from Database, entities and pattern. Can someone point me to a tutorial for creating a RESTful WS without using any of the above? In other words, and for example, I would like to map GET, PUT/DELETE methods to mathematical functions like addition, multiplication etc.
You don't mention which app server you're deploying to. I assume GlassFish?
I haven't implemented this myself, but I believe Marc Hadley's blog post describes how to configure an application to cover your requirements 1) and 2):
http://weblogs.java.net/blog/mhadley/archive/2008/03/authentication.html
If you're using Spring you might also want to consider using spring-security instead, as described in this answer:
User authentication on a Jersey REST service