syncope-commits mailing list archives

From ilgro...@apache.org
Subject [2/2] syncope git commit: [SYNCOPE-1035] Some documentation
Date Fri, 03 Mar 2017 10:07:13 GMT
[SYNCOPE-1035] Some documentation


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/52badc4b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/52badc4b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/52badc4b

Branch: refs/heads/master
Commit: 52badc4b9e8afa4b5042ba19c19e570c926dad88
Parents: 7004b84
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Fri Mar 3 11:06:24 2017 +0100
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Fri Mar 3 11:07:03 2017 +0100

----------------------------------------------------------------------
 pom.xml                                         |  4 +-
 .../concepts/usersgroupsandanyobjects.adoc      |  4 +-
 .../restfulservices.adoc                        | 44 +++++++++++++++++++-
 .../configurationparameters.adoc                |  2 +
 4 files changed, 48 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index f1ae83a..6743c70 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2061,8 +2061,8 @@ under the License.
                       <link>http://fasterxml.github.io/jackson-dataformat-xml/javadoc/2.8/</link>
                       <link>http://fasterxml.github.io/jackson-dataformat-yaml/javadoc/2.8/</link>
                       <link>http://fasterxml.github.io/jackson-datatype-joda/javadoc/2.8/</link>
-                      <link>http://camel.apache.org/maven/current/camel-core/apidocs/</link>
-                      <link>http://camel.apache.org/maven/current/camel-spring/apidocs/</link>
+                      <link>http://www.javadoc.io/doc/org.apache.camel/camel-core/2.17.5</link>
+                      <link>http://www.javadoc.io/doc/org.apache.camel/camel-spring/2.17.5</link>
                       <link>https://ci.apache.org/projects/wicket/apidocs/7.x/</link>
                       <link>https://commons.apache.org/proper/commons-lang/javadocs/api-release/</link>
                       <link>https://commons.apache.org/proper/commons-io/javadocs/api-2.5/</link>
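Review bot: the two replacement `<link>` entries pin the Camel javadoc to the literal version `2.17.5`, which will silently go stale the next time the Camel dependency is bumped; if the pom already declares a property for the Camel version, interpolate it here instead (for example `http://www.javadoc.io/doc/org.apache.camel/camel-core/${camel.version}`, assuming such a property exists) so the javadoc links stay in step with the dependency. The new `javadoc.io` links also use plain `http://` while the neighbouring Wicket and Commons links in the same context already use `https://`; prefer `https://` for the new entries as well.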

http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index a9aa2f9..09e9a3b 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -114,8 +114,8 @@ The usage of security questions can be however disabled by setting the
`password
 [[password-reset-no-security-answer]]
 [WARNING]
 ====
-Once provided via Enduser UI, the answers to security questions are *never* reported, neither
via REST or Admin UI to
-administrators, nor to end-users via Enduser UI.
+Once provided via Enduser Application, the answers to security questions are *never* reported,
neither via REST or Admin UI to
+administrators, nor to end-users via Enduser Application.
 
 This to avoid any information disclosure which can potentially lead attackers to reset other
users' passwords.
 ====
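Review bot: the rewording from `Enduser UI` to `Enduser Application` carries over two grammar slips in the warning block: `neither via REST or Admin UI` should read `neither via REST nor Admin UI`, and the following sentence `This to avoid any information disclosure ...` is missing its verb (`This is to avoid ...`). Since the warning text is being touched anyway, fix both in the same change.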

http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index 7adacd6..d52cc8e 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -44,14 +44,54 @@ where `protocol`, `host` and `port` reflect your Java EE container installation.
 [TIP]
 The <<swagger,Swagger extension>> might also help greatly when working with RESTful
services.
 
+==== REST Authentication and Authorization
+
+The <<core>> authentication and authorization is based on http://projects.spring.io/spring-security/[Spring
Security^].
+
+As an initial step, authentication is required to obtain, in the `X-Syncope-Token` HTTP header,
the
+unique signed https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] to include in
all subsequent requests.
+
+By providing the token received in the initial exchange, the requester can be identified
and checked for authorization,
+based on owned <<entitlements,entitlements>>.
+
+[NOTE]
+Users can examine their own entitlements looking at the `<<x-syncope-entitlements,X-Syncope-Entitlements>>`
+header value.
+
+[TIP]
+====
+The relevant security configuration lies in
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/resources/securityContext.xml[securityContext.xml^];
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/apache/syncope/blob/master/core/spring/src/main/resources/securityContext.xml[securityContext.xml^];
+endif::[]
+while normally not needed, this configuration can be anyway customized via the <<override-behavior,override
behavior>>.
+
+https://en.wikipedia.org/wiki/Basic_access_authentication[HTTP Basic Authentication] is set
for use by default.
+====
+
 ==== REST Headers
 
-Apache Syncope supports a number of HTTP headers as detailed below, in addition
-to the common HTTP headers such as `Accept`, `Content-Type`, etc.
+Apache Syncope supports a number of HTTP headers as detailed below, in addition to the common
HTTP headers such as
+`Accept`, `Content-Type`, etc.
 
 [TIP]
 It is possible to deal with the headers below when using the <<client-library>>
via the `SyncopeClient` class methods.
 
+===== X-Syncope-Token
+
+`X-Syncope-Token` is returned on response to <<rest-authentication-and-authorization,successful
authentication>>, and
+contains the unique signed https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^]
identifying the authenticated
+user.
+
+The same header with provided value must be included in all subsequent requests, in order
for the requester to
+be checked for authorization.
+
+The token duration can be configured via the `jwt.lifetime.minutes` property - see
+<<configuration-parameters, below>> for details.
+
 ===== X-Syncope-Domain
 
 `X-Syncope-Domain` can be optionally set for requests (when not set, `Master` is assumed)
to select the target
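Review bot: in the new `X-Syncope-Token` section, `see <<configuration-parameters, below>>` points at a section that lives in a different document (`systemadministration/configurationparameters.adoc`, the last file in this commit), so `below` is misleading; drop the word and let the xref text carry the section name. Two further points in the same hunk: the `REST Authentication and Authorization` section never spells out how the initial exchange works, namely that the first request carries HTTP Basic credentials (the default the TIP block mentions) and the response returns the signed JWT in `X-Syncope-Token`; because that token is then a bearer credential granting the user's entitlements to whoever presents it, the section should state that it must only be transmitted over TLS and should not be written to logs. Finally, the `HTTP Basic Authentication` link lacks the `^` target suffix used by every other external link in this hunk (`Spring Security^`, `JSON Web Token^`), so it will render inconsistently with its neighbours.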

http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
index d9550f6..fa70c8d 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
@@ -25,6 +25,8 @@ barely invoking the REST layer through http://curl.haxx.se/[curl^]:
 * `password.cipher.algorithm` - which cipher algorithm shall be used for encrypting password
values; supported 
 algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`, `S-SHA-256`,
`S-SHA-512` and `BCRYPT`;
 salting options are available in the `security.properties` file;
+* `jwt.lifetime.minutes` - validity of https://en.wikipedia.org/wiki/JSON_Web_Token[JSON
Web Token^] values used for
+<<rest-authentication-and-authorization,authentication>> (in minutes);
 * `notificationjob.cronExpression` -
 http://www.quartz-scheduler.org/documentation/quartz-2.2.x/tutorials/crontrigger.html[cron^]
expression describing how
 frequently the pending <<tasks-notification,notification tasks>> are processed:
empty means disabled;
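Review bot: the new `jwt.lifetime.minutes` bullet gives no shipped default, which an operator needs in order to judge whether the out-of-the-box token lifetime is acceptable; state the default value here and add a short sentence noting that this lifetime bounds how long a leaked or forgotten token remains usable, since the REST section added in the same commit only says the duration is configurable. Also, `(in minutes)` repeats what the property name already says; either drop it or move it next to the value description.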

