From: ilgrosso@apache.org
To: commits@syncope.apache.org
Date: Fri, 03 Mar 2017 10:07:13 -0000
Message-Id: <8ef76fa6753b419fb46d6138ee989aba@git.apache.org>
In-Reply-To: <8e6e60a97186471aae682c6af80dfeb5@git.apache.org>
References: <8e6e60a97186471aae682c6af80dfeb5@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [2/2] syncope git commit: [SYNCOPE-1035] Some documentation
archived-at: Fri, 03 Mar 2017 10:07:14 -0000

[SYNCOPE-1035] Some documentation

Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/52badc4b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/52badc4b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/52badc4b

Branch: refs/heads/master
Commit: 52badc4b9e8afa4b5042ba19c19e570c926dad88
Parents: 7004b84
Author: Francesco Chicchiriccò
Authored: Fri Mar 3 11:06:24 2017 +0100
Committer: Francesco Chicchiriccò
Committed: Fri Mar 3 11:07:03 2017 +0100

----------------------------------------------------------------------
 pom.xml                                    |  4 +-
 .../concepts/usersgroupsandanyobjects.adoc |  4 +-
 .../restfulservices.adoc                   | 44 +++++++++++++++++++-
 .../configurationparameters.adoc           |  2 +
 4 files changed, 48 insertions(+), 6 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml index f1ae83a..6743c70 100644 --- a/pom.xml +++ b/pom.xml
@@ -2061,8 +2061,8 @@ under the License. http://fasterxml.github.io/jackson-dataformat-xml/javadoc/2.8/ http://fasterxml.github.io/jackson-dataformat-yaml/javadoc/2.8/ http://fasterxml.github.io/jackson-datatype-joda/javadoc/2.8/ - http://camel.apache.org/maven/current/camel-core/apidocs/ - http://camel.apache.org/maven/current/camel-spring/apidocs/ + http://www.javadoc.io/doc/org.apache.camel/camel-core/2.17.5 + http://www.javadoc.io/doc/org.apache.camel/camel-spring/2.17.5 https://ci.apache.org/projects/wicket/apidocs/7.x/ https://commons.apache.org/proper/commons-lang/javadocs/api-release/ https://commons.apache.org/proper/commons-io/javadocs/api-2.5/ http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc index a9aa2f9..09e9a3b 100644 --- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc +++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc 
@@ -114,8 +114,8 @@ The usage of security questions can be however disabled by setting the `password [[password-reset-no-security-answer]] [WARNING] ==== -Once provided via Enduser UI, the answers to security questions are *never* reported, neither via REST or Admin UI to -administrators, nor to end-users via Enduser UI. +Once provided via Enduser Application, the answers to security questions are *never* reported, neither via REST or Admin UI to +administrators, nor to end-users via Enduser Application. This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords. ==== http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc index 7adacd6..d52cc8e 100644 --- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc +++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc 
@@ -44,14 +44,54 @@ where `protocol`, `host` and `port` reflect your Java EE container installation. [TIP] The <> might also help greatly when working with RESTful services. +==== REST Authentication and Authorization + +The <> authentication and authorization is based on http://projects.spring.io/spring-security/[Spring Security^]. + +As an initial step, authentication is required to obtain, in the `X-Syncope-Token` HTTP header, the +unique signed https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] to include in all subsequent requests. + +By providing the token received in the initial exchange, the requester can be identified and checked for authorization, +based on owned <>. + +[NOTE] +Users can examine their own entitlements looking at the `<>` +header value. + +[TIP] +==== +The relevant security configuration lies in +ifeval::["{snapshotOrRelease}" == "release"] +https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/resources/securityContext.xml[securityContext.xml^]; +endif::[] +ifeval::["{snapshotOrRelease}" == "snapshot"] +https://github.com/apache/syncope/blob/master/core/spring/src/main/resources/securityContext.xml[securityContext.xml^]; +endif::[] +while normally not needed, this configuration can be anyway customized via the <>. + +https://en.wikipedia.org/wiki/Basic_access_authentication[HTTP Basic Authentication] is set for use by default. +==== + ==== REST Headers -Apache Syncope supports a number of HTTP headers as detailed below, in addition -to the common HTTP headers such as `Accept`, `Content-Type`, etc. +Apache Syncope supports a number of HTTP headers as detailed below, in addition to the common HTTP headers such as +`Accept`, `Content-Type`, etc. [TIP] It is possible to deal with the headers below when using the <> via the `SyncopeClient` class methods. 
+===== X-Syncope-Token + +`X-Syncope-Token` is returned on response to <>, and +contains the unique signed https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] identifying the authenticated +user. + +The same header with provided value must be included in all subsequent requests, in order for the requester to +be checked for authorization. + +The token duration can be configured via the `jwt.lifetime.minutes` property - see +<> for details. + ===== X-Syncope-Domain `X-Syncope-Domain` can be optionally set for requests (when not set, `Master` is assumed) to select the target http://git-wip-us.apache.org/repos/asf/syncope/blob/52badc4b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc index d9550f6..fa70c8d 100644 --- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc +++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc 
@@ -25,6 +25,8 @@ barely invoking the REST layer through http://curl.haxx.se/[curl^]: * `password.cipher.algorithm` - which cipher algorithm shall be used for encrypting password values; supported algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`, `S-SHA-256`, `S-SHA-512` and `BCRYPT`; salting options are available in the `security.properties` file; +* `jwt.lifetime.minutes` - validity of https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] values used for +<> (in minutes); * `notificationjob.cronExpression` - http://www.quartz-scheduler.org/documentation/quartz-2.2.x/tutorials/crontrigger.html[cron^] expression describing how frequently the pending <> are processed: empty means disabled;
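Review bot: the pom.xml hunk hard-codes `2.17.5` in both javadoc.io URLs, so the linked Camel API docs will silently drift from the Camel version the build actually declares the next time that dependency is bumped. If the POM keeps the Camel version in a property, reference it in the link (for example `http://www.javadoc.io/doc/org.apache.camel/camel-core/${camel.version}`) instead of the literal; otherwise leave a comment next to the Camel dependency reminding maintainers to update these two links in step. While touching these lines, `https://` is preferable to the plain `http://` used here.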
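Review bot: the two rewritten lines in the usersgroupsandanyobjects.adoc hunk carry over a grammar slip from the original: `neither via REST or Admin UI` should read `neither via REST nor Admin UI`, and the unchanged context line `This to avoid any information disclosure` is missing its verb (`This is to avoid`). Since the point of the hunk is renaming `Enduser UI` to `Enduser Application`, it is also worth checking that the same rename is applied to the other occurrences in the reference guide, and that `Admin UI` in the same sentence is still the intended name, so the two consoles are named consistently.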
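Review bot: in the restfulservices.adoc hunk, the new `REST Authentication and Authorization` section ends with `HTTP Basic Authentication is set for use by default` without saying what it applies to, so a reader can take it to mean that every request carries Basic credentials, whereas the preceding paragraphs describe the credentials as the initial exchange that returns `X-Syncope-Token` and the JWT as the credential for all subsequent requests. Suggest saying so explicitly, e.g. `HTTP Basic Authentication is used by default for the initial exchange that returns the JWT`, and adding the caveat that both the Basic credentials and the token travel in HTTP headers in clear, so the REST endpoint should only be exposed over HTTPS. The section also calls the token `unique signed` but says neither which key signs it nor where that key is configured, which is exactly what an administrator needs in order to set a per-installation value rather than a shipped default; a pointer to that setting next to the existing `jwt.lifetime.minutes` reference in the `X-Syncope-Token` subsection would close the gap.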
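Review bot: the new `jwt.lifetime.minutes` bullet in the configurationparameters.adoc hunk gives no default value and does not say whether a change affects only tokens issued afterwards or also tokens already in circulation. Since this list is introduced as parameters that can be changed at runtime through the REST layer, both points matter operationally (a leaked token stays valid until it expires), so state the default and the effect on outstanding tokens next to the description, the way the `password.cipher.algorithm` bullet above lists its supported values.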