Subject [2/2] syncope git commit: [SYNCOPE-1035] Some documentation
Date Fri, 03 Mar 2017 10:07:13 GMT
[SYNCOPE-1035] Some documentation


Branch: refs/heads/master
Commit: 52badc4b9e8afa4b5042ba19c19e570c926dad88
Parents: 7004b84
Author: Francesco Chicchiriccò <>
Authored: Fri Mar 3 11:06:24 2017 +0100
Committer: Francesco Chicchiriccò <>
Committed: Fri Mar 3 11:07:03 2017 +0100

 pom.xml                                         |  4 +-
 .../concepts/usersgroupsandanyobjects.adoc      |  4 +-
 .../restfulservices.adoc                        | 44 +++++++++++++++++++-
 .../configurationparameters.adoc                |  2 +
 4 files changed, 48 insertions(+), 6 deletions(-)
diff --git a/pom.xml b/pom.xml
index f1ae83a..6743c70 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2061,8 +2061,8 @@ under the License.
-                      <link></link>
-                      <link></link>
+                      <link></link>
+                      <link></link>
diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index a9aa2f9..09e9a3b 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -114,8 +114,8 @@ The usage of security questions can be however disabled by setting the
-Once provided via Enduser UI, the answers to security questions are *never* reported, neither
via REST or Admin UI to
-administrators, nor to end-users via Enduser UI.
+Once provided via Enduser Application, the answers to security questions are *never* reported,
neither via REST or Admin UI to
+administrators, nor to end-users via Enduser Application.
 This to avoid any information disclosure which can potentially lead attackers to reset other
users' passwords.
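Review bot: the unchanged context line "This to avoid any information disclosure ..." is missing its verb, and the added lines keep "neither via REST or Admin UI", which should read "neither via REST nor Admin UI"; since this hunk already rewrites the paragraph for the Enduser UI to Enduser Application rename, fix both in the same change, e.g. "This is to avoid any information disclosure which could let attackers reset other users' passwords."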
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index 7adacd6..d52cc8e 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -44,14 +44,54 @@ where `protocol`, `host` and `port` reflect your Java EE container installation.
 The <<swagger,Swagger extension>> might also help greatly when working with RESTful
+==== REST Authentication and Authorization
+The <<core>> authentication and authorization is based on[Spring
+As an initial step, authentication is required to obtain, in the `X-Syncope-Token` HTTP header,
+unique signed[JSON Web Token^] to include in
all subsequent requests.
+By providing the token received in the initial exchange, the requester can be identified
and checked for authorization,
+based on owned <<entitlements,entitlements>>.
+Users can examine their own entitlements looking at the `<<x-syncope-entitlements,X-Syncope-Entitlements>>`
+header value.
+The relevant security configuration lies in
+ifeval::["{snapshotOrRelease}" == "release"]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+while normally not needed, this configuration can be anyway customized via the <<override-behavior,override
+[HTTP Basic Authentication] is set
for use by default.
 ==== REST Headers
-Apache Syncope supports a number of HTTP headers as detailed below, in addition
-to the common HTTP headers such as `Accept`, `Content-Type`, etc.
+Apache Syncope supports a number of HTTP headers as detailed below, in addition to the common
HTTP headers such as
+`Accept`, `Content-Type`, etc.
 It is possible to deal with the headers below when using the <<client-library>>
via the `SyncopeClient` class methods.
+===== X-Syncope-Token
+`X-Syncope-Token` is returned on response to <<rest-authentication-and-authorization,successful
authentication>>, and
+contains the unique signed[JSON Web Token^]
identifying the authenticated
+The same header with provided value must be included in all subsequent requests, in order
for the requester to
+be checked for authorization.
+The token duration can be configured via the `jwt.lifetime.minutes` property - see
+<<configuration-parameters, below>> for details.
 ===== X-Syncope-Domain
 `X-Syncope-Domain` can be optionally set for requests (when not set, `Master` is assumed)
to select the target
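Review bot: the new REST Authentication and Authorization section says the JWT received in `X-Syncope-Token` must be sent with all subsequent requests, but it does not spell out the consequence that whoever presents the token is identified and authorized as that user until the lifetime set by `jwt.lifetime.minutes` runs out, which is the reason to keep that lifetime short; one sentence to that effect next to the `jwt.lifetime.minutes` reference in the X-Syncope-Token subsection would cover it. Also, as shown here the two `ifeval::["{snapshotOrRelease}" == ...]` directives follow each other directly with no `endif::[]` between them, and the `[HTTP Basic Authentication]` link macro carries no target, so please check that the rendered AsciiDoc is what was intended.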
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
index d9550f6..fa70c8d 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
@@ -25,6 +25,8 @@ barely invoking the REST layer through[curl^]:
 * `password.cipher.algorithm` - which cipher algorithm shall be used for encrypting password
values; supported 
 algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`, `S-SHA-256`,
`S-SHA-512` and `BCRYPT`;
 salting options are available in the `` file;
+* `jwt.lifetime.minutes` - validity of[JSON
Web Token^] values used for
+<<rest-authentication-and-authorization,authentication>> (in minutes);
 * `notificationjob.cronExpression` -[cron^]
expression describing how
 frequently the pending <<tasks-notification,notification tasks>> are processed:
empty means disabled;
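Review bot: the new `jwt.lifetime.minutes` entry gives no default value and does not say what happens when the token expires (presumably the client must authenticate again to obtain a fresh `X-Syncope-Token`), while the X-Syncope-Token subsection in restfulservices.adoc points here "for details"; state the shipped default and note that a longer lifetime extends the period during which a token that has leaked remains accepted.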

