Posted to user@wink.apache.org by Michael Elman <el...@apache.org> on 2009/10/01 08:19:41 UTC

Re: Re:

Hi Duong,

Thanks for the feedback.

Regarding your questions:

1) What do you mean by "better integrated"? Is anything wrong now? I've
recently tried to run Wink with GAE and it worked fine, except that GAE
doesn't support JAXB and a lot of Wink's functionality is based on it.
What do you mean by "generic JSONP and Atom"? Wink supports JSON and Atom:
for JSON support the json.org, Jettison and Jackson libraries can be used.
You'll need the latest snapshot to use these libraries.
Wink has internal Atom support, which is based on JAXB, so it won't function
on GAE.

2) Currently we don't have plans to add support of Guice. Would you like to
contribute it?

3) Same here: Currently we don't have plans to add support of OAuth. But
we'll be glad if it is contributed :-)

Best regards,
Michael.

On Wed, Sep 30, 2009 at 5:09 PM, Duong BaTien <du...@gmail.com> wrote:

> Hi:
> I look at Wink and will spend some time to further explore. I wonder if
> there is some plan:
>  1) to make Wink server and client better integrated with GAE and GWT,
> especially via generic JSONP and Atom
>  2) to add Guice for DI
>  3) to add security chain for OAuth authorized resources and role-based
> Workspaces
>
> Waiting for Wink next version today or tomorrow to experiment with GAE.
>
> Duong BaTien
> DBGROUPS and BudhNet
>
> On Wed, 2009-09-30 at 07:33 -0700, Stefan Witte wrote:
> > Thanks Bryant.
> >
> > I've got it working now. I think that the problem was in the caching
> > of the browser with trying out different user ids and not enough
> > restarting of the WebSphere server.
> >
> > I now test it with the wink client using the "Authorization: Basic
> > c3dpdHRlOnN0ZWZhbg==" header. I wrote a WebSphereAuthorisationHandler
> > (ClientHandler) for this.
> > For optimisation I probably have to create one that uses the
> > returned LtpaToken cookie for additional requests.
> >
> > Thanks.
> >
> >
> >
> > ______________________________________________________________________
> > From: Bryant Luk <br...@gmail.com>
> > To: wink-user@incubator.apache.org
> > Sent: Tuesday, September 29, 2009 5:01:01 AM
> > Subject: Re:
> >
> > Hi Stefan,
> >
> > Thanks for the feedback.  We'll try adding a chapter specifically
> > about security to the guide soon.
> >
> > For your immediate issue, I made a simple application to
> > test out the security using the pattern you suggested.  I had a
> > resource like:
> >
> > import javax.ws.rs.GET;
> > import javax.ws.rs.POST;
> > import javax.ws.rs.Path;
> > import javax.ws.rs.Produces;
> > import javax.ws.rs.core.Context;
> > import javax.ws.rs.core.MediaType;
> >
> > @Path("/resource")
> > public class Resource {
> >    // injected by the JAX-RS runtime; exposes the container-authenticated principal
> >    @Context
> >    javax.ws.rs.core.SecurityContext securityInfo;
> >
> >    @GET
> >    @Produces(MediaType.TEXT_PLAIN)
> >    public String getSomething() {
> >        return "Hello GET: " + securityInfo.getUserPrincipal();
> >    }
> >
> >    @POST
> >    @Produces(MediaType.TEXT_PLAIN)
> >    public String postSomething() {
> >        return "Hello POST: " + securityInfo.getUserPrincipal();
> >    }
> >
> >    @GET
> >    @Path("/{subresource}")
> >    @Produces(MediaType.TEXT_PLAIN)
> >    public String getGreetingSub() {
> >        return "Hello GET subresource: " + securityInfo.getUserPrincipal();
> >    }
> > }
> >
> > My web.xml:
> >
> >    <servlet>
> >        <servlet-name>HelloWorldApp</servlet-name>
> >        <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
> >        <init-param>
> >            <param-name>javax.ws.rs.Application</param-name>
> >            <param-value>org.apache.wink.example.helloworld.HelloWorldApplication</param-value>
> >        </init-param>
> >        <load-on-startup>1</load-on-startup>
> >    </servlet>
> >    <servlet-mapping>
> >        <servlet-name>HelloWorldApp</servlet-name>
> >        <url-pattern>/*</url-pattern>
> >    </servlet-mapping>
> >    <security-role>
> >        <role-name>adminRole</role-name>
> >    </security-role>
> >    <security-role>
> >        <role-name>readerRole</role-name>
> >    </security-role>
> >    <security-constraint>
> >        <web-resource-collection>
> >            <web-resource-name>SecuredAdmin</web-resource-name>
> >            <url-pattern>/resource</url-pattern>
> >            <http-method>GET</http-method>
> >            <http-method>POST</http-method>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <role-name>adminRole</role-name>
> >        </auth-constraint>
> >    </security-constraint>
> >    <security-constraint>
> >        <web-resource-collection>
> >            <web-resource-name>SecuredSubresource</web-resource-name>
> >            <url-pattern>/resource/*</url-pattern>
> >            <http-method>GET</http-method>
> >        </web-resource-collection>
> >        <auth-constraint>
> >            <role-name>readerRole</role-name>
> >        </auth-constraint>
> >    </security-constraint>
> >    <login-config>
> >        <auth-method>BASIC</auth-method>
> >    </login-config>
> >
> > When I loaded up the root resource at /resource in my browser, I could
> > only use a user mapped to my adminRole.  When I visited
> > /resource/abcd, I could only visit the resource using a user mapped to
> > my readerRole.  Did you try a pattern like the above?
> >
> > One note on the above pattern is that it restricts GETs to /resource
> > to only the adminRole users.  Generally /resource collection like URLs
> > (if it is indeed a collection) are readable by the same users as those
> > that can read /resource/<anything underneath>, so you may want to drop
> > the <http-method>GET</http-method> and just leave the
> > <http-method>POST</http-method> in the first security constraint.
> >
> > Also, I'm not sure if you're aware but you can try using the @Context
> > javax.ws.rs.core.SecurityContext injected object (which can be put in
> > a method's parameter list or as a root resource's field variable for
> > instance) if you need a programmatic way of handling security.
> >
> > I used the free WebSphere Application Server 7.0 developer's version
> > at ( http://www.ibm.com/developerworks/websphere/downloads/ ).  You
> > probably already know this but I would also try restarting the
> > application via the admin console or wsadmin after you've made changes
> > to the application specific security configuration.  If you make
> > changes to the global security config (such as changing user
> > registries or enabling application security), you should try
> > restarting the application server.
> >
> > Let us know if that helped.
> >
> > On Mon, Sep 28, 2009 at 8:45 AM, Stefan Witte <st...@yahoo.com>
> > wrote:
> > > Can someone provide some samples, guidelines or patterns for how to
> > > (JEE) secure different resources in an Apache Wink implementation?
> > >
> > > if the wink servlet is configured in the web.xml like:
> > >
> > >     <servlet>
> > >         <servlet-name>WinkServlet</servlet-name>
> > >         <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
> > >         <init-param>
> > >             <param-name>applicationConfigLocation</param-name>
> > >             <param-value>/WEB-INF/application</param-value>
> > >         </init-param>
> > >     </servlet>
> > >
> > >     <servlet-mapping>
> > >         <servlet-name>WinkServlet</servlet-name>
> > >         <url-pattern>/*</url-pattern>
> > >     </servlet-mapping>
> > >
> > > is /* then the only url-pattern where a role can be assigned to?
> > > or do I have to have multiple servlet mappings (tried that but
> > > didn't work)
> > > or do I have to register multiple instances of the wink servlet with
> > > different url patterns?
> > >
> > >
> > > I tried using different security constraints on different
> > > url-patterns but none works as I want (see example)
> > >
> > > (running on WebSphere 7.0.0.3, servlet 2.5)
> > >
> > > I for example need to configure authorisation for the following
> > > nested resource(s):
> > >
> > > roles: admin, reader
> > >
> > > /resource (role: admin)
> > > /resource/<anything> (role: reader) (e.g. /resource/reservation)
> > >
> > >
> > > A chapter in the User or Developer guide about JEE security on REST
> > > resources (using apache wink) would be really useful.
> > >
> > > Thanks.
> > >
> > >
> >
> >
> >
> > --
> >
> > - Bryant Luk
> >
> >
>
>
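
Bryant's quoted reply above pairs declarative security-constraint entries in web.xml with the @Context SecurityContext injection point, but stops short of showing the programmatic check itself. The class below is an added example, not code from the thread and not Apache Wink's own code, showing that check on a resource laid out like his: readers may GET the collection and its items, only adminRole may POST or DELETE, and each method fails closed (401 when nobody is authenticated, 403 when the principal lacks the role). One caveat worth noting about his web.xml: a web-resource-collection that lists http-method elements constrains only the listed methods, so a DELETE on /resource would not be covered by the SecuredAdmin constraint at all; the in-code check is applied to DELETE as well so the protection does not depend on the method list. The class name, role names and resource layout are assumptions for the example.

```java
// Added example (not from the thread or from Apache Wink): programmatic
// authorization with the injected JAX-RS SecurityContext, as a complement to
// the declarative <security-constraint> entries. Assumes a JAX-RS 1.x runtime
// (javax.ws.rs.*) such as Wink's RestServlet and that the servlet container has
// already authenticated the caller (BASIC login-config in web.xml).
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/resource")
public class GuardedResource {

    // Role names must match the <role-name> entries declared in web.xml
    // (hypothetical values, taken from the pattern in the quoted message).
    static final String ADMIN = "adminRole";
    static final String READER = "readerRole";

    @Context
    SecurityContext securityInfo;

    // Fails closed: 401 if nobody is authenticated, 403 if the principal lacks the role.
    private void require(String role) {
        if (securityInfo == null || securityInfo.getUserPrincipal() == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (!securityInfo.isUserInRole(role)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }

    private String caller() {
        return securityInfo.getUserPrincipal().getName();
    }

    // The collection is readable by readers, as suggested in the quoted reply.
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String list() {
        require(READER);
        return "collection for " + caller();
    }

    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String create() {
        require(ADMIN);
        return "created by " + caller();
    }

    // DELETE is not among the <http-method> elements of the SecuredAdmin
    // constraint, so only this in-code check guards it.
    @DELETE
    @Path("/{id}")
    public Response remove(@PathParam("id") String id) {
        require(ADMIN);
        return Response.noContent().build();
    }

    @GET
    @Path("/{id}")
    @Produces(MediaType.TEXT_PLAIN)
    public String item(@PathParam("id") String id) {
        require(READER);
        return "item " + id + " for " + caller();
    }
}
```

Because isUserInRole is answered by the container's user registry, the same role mapping that drives the web.xml constraints drives this check; the two layers agree by construction, and the programmatic one also covers any HTTP method the declarative list leaves out.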

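Stefan's quoted message mentions a ClientHandler that adds the "Authorization: Basic" header for the Wink client. The class below is an added illustration of that idea; it is neither his WebSphereAuthorisationHandler nor Wink's own code. It assumes the Wink 1.x client API (ClientHandler, HandlerContext.doChain, ClientRequest.getHeaders and getURI, ClientConfig.handlers, RestClient.resource) and Java 8 for java.util.Base64; the user name, password source and URL are placeholders. Since Basic credentials are only base64-encoded, the handler refuses to send them unless the request URI scheme is https.

```java
// Added example (not from the thread or from Apache Wink): a Wink client
// handler that attaches an "Authorization: Basic ..." header so the container's
// BASIC login-config accepts the request. The Wink client API used here is an
// assumption based on the 1.x client (org.apache.wink.client.*).
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.apache.wink.client.ClientConfig;
import org.apache.wink.client.ClientRequest;
import org.apache.wink.client.ClientResponse;
import org.apache.wink.client.RestClient;
import org.apache.wink.client.handlers.ClientHandler;
import org.apache.wink.client.handlers.HandlerContext;

public class BasicAuthClientHandler implements ClientHandler {

    private final String headerValue;

    public BasicAuthClientHandler(String user, String password) {
        if (user == null || password == null) {
            throw new IllegalArgumentException("user and password are required");
        }
        String credentials = user + ":" + password;
        this.headerValue = "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public ClientResponse handle(ClientRequest request, HandlerContext context) throws Exception {
        // Basic auth is reversible encoding, not encryption: only send it over TLS.
        if (!"https".equalsIgnoreCase(request.getURI().getScheme())) {
            throw new IllegalStateException(
                    "refusing to send Basic credentials over " + request.getURI());
        }
        request.getHeaders().putSingle("Authorization", headerValue);
        // Hand the request on to the next handler / the HTTP transport.
        return context.doChain(request);
    }

    public static void main(String[] args) {
        // Placeholder credentials and URL: the password comes from the environment
        // rather than being hard-coded, and the host/port are hypothetical.
        String password = System.getenv("WINK_PASSWORD");
        ClientConfig config = new ClientConfig()
                .handlers(new BasicAuthClientHandler("reader", password));
        RestClient client = new RestClient(config);
        String body = client.resource("https://localhost:9443/app/resource/abcd")
                .accept("text/plain")
                .get(String.class);
        System.out.println(body);
    }
}
```

Registering the handler on the ClientConfig means every request made through that RestClient carries the header, which is what the LtpaToken follow-up Stefan describes would replace: a handler that captures the cookie from the first response and sends it instead of the credentials afterwards would sit in the same chain.
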
Re: Re:

Posted by Duong BaTien <du...@gmail.com>.
Thanks Michael:

I just bumped into Wink, spent a few hours on its user guide, and like its
architecture. It has apparently been brewed for a long time by HP and
IBM teams before turning into Wink. I will probably have more questions
soon. Regarding my top-of-the-head questions:

1) GWT translates Java into JavaScript and has some specific features
such as native JSO, MVP and Event bus. Instead of client-server RPC,
I am working with a callback JavaScript function in JSONP so data can come
from different sources for a context-relevant mashup. At first glance,
Wink has the callback JavaScript function in place, so GWT can interact
with Wink server-side REST services via JSONP. I wonder about the role of Wink
Client in working with GWT JSO, and of Wink Context Providers on both
client and server sides. Any pointer for me in this direction? What are the HP
and IBM teams planning in your current work related to relevant user
context?

2) Yes, I work with Guice on the server side and Gin on the GWT client. If we
have any significant value-add, we will contribute back to the
community. Wink is a part of Apache, well connected to CXF and Abdera
and other projects. I will seriously look at Wink for our long-term REST
services.

3) Since Wink has been brewed for a long time under both HP and IBM
teams, and its architecture, including the added Workspace, is well thought
out to fit a complex enterprise environment in Cloud Services of
different providers serving different needs of the same user, I thought
there was already some road map for OAuth and role-based workspaces. I
appreciate any pointer in this direction in regard to Wink, GAE and GWT.

Thanks

Duong BaTien 
DBGROUPS and BudhNet

