[Yanel-dev] Loading of users and groups as XML
Michael Wechner
michael.wechner at wyona.com
Thu Feb 11 11:01:04 CET 2010
Michael Wechner wrote:
> Hi
>
> The PolicyManager resource
>
> src/contributions/resources/policymanager/src/java/org/wyona/yanel/impl/resources/policymanager/PolicyManagerResource.java
>
>
> is loading users and groups via the following query string
>
> /foo/bar?yanel.policy=update&get=identities
>
> which then is handled by the YanelServlet#doAccessPolicyRequest()
>
> first, but then forwarded again to the PolicyManager resource
>
> if (getXML != null && getXML.equals("identities")) {
> sb.append(getIdentitiesAndRightsAsXML(getRealm().getIdentityManager(),
> getRealm().getPolicyManager(), get
> RequestedLanguage()));
>
> Now I would like to re-use this for editing users and groups, but it
> seems to me that the main purpose of the policy manager
> resource is to manage policies and not users and groups and hence I
> think we should re-factor this by introducing a IdentityManagerResource.
>
> WDYT?
I think one issue to consider is access control, because the URL will be
something like
/yanel/REALM_ID/RESERVED_YANEL_PREFIX/identities.xml
and people need to make sure to protect this! And we need to catch this
within the PolicyEditor in case it should
be protected!
One idea re such loopholes is that Yanel is protecting this by default
and only allows access if there exists a policy explicitely.
WDYT?
Thanks
Michi
>
> Thanks
>
> Michi
>
>
More information about the Yanel-development
mailing list