Identified tasks for adding security to the AS7 management APIs:
| Description | Jira Issues | Owner | Dependencies | Comments / Risks |
|---|---|---|---|---|
| Define security configuration. | | | General management API configuration. | |
| Login modules need to operate in non-AS domains. | | Anil / Marcus | | |
| Add BASIC authenticator to HTTP API | | | | |
| Add TLS/SSL to HTTP API | | | | |
| Add CLIENT-CERT type authenticator to HTTP API | | | | |
| Ensure equivalent authentication possible through native API. | | | Initial native API with Remoting. | |
| Security initialisation similar to subsystem initialisation. | | | | To review as much re-use of security extension in non AS. |
| Interception of all inbound calls for authorization check. | | | | Initial check may just be that the calling user must have been authenticated. |
| Define ACL scheme. | | | | |
| Add ACL checking to authorization. | | | | |
| Mechanism to provide users permissions to clients of the API. | | | | |