WaterEquipmentService: isAuthorized() uses String for an object reference, while getObject() and other methods use long
This method is only used in the FineGrainedAuthorizationScheme, and the type of the args is limited by userPrincipal.getName(), config.permission() and target, which come from the thingswise library
WempUtil - using Base64 encoding on a 16-byte chunk of data will result in padding characters at the end. Since the padding character is usually '=', it can interfere with equal signs used in HTTP URLs, etc. The recommendation is to use a different encoding scheme
I noticed that, so I use Base64.getEncoder().withoutPadding() instead, which prevents the padding string
WempUtil - generating a new encryption key on every invocation may break the uniqueness of the token. The key should be supplied via a configuration file
Should I give the original token or the encrypted token to the user?
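The two WempUtil points above (padding characters in the encoded token, and a key regenerated on every call) are addressed together in the following added example, which is not WempUtil's own code. It assumes the AES key is read once from configuration (WEMP_TOKEN_KEY is an assumed property name) and uses the URL-safe Base64 alphabet without padding, since withoutPadding() alone still leaves '+' and '/' in the output, which are also significant in URLs. The encrypted form is what leaves the server; the original token never does.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not WempUtil's own code): the key is loaded once from
 * configuration instead of being generated per call, and the output uses the
 * URL-safe Base64 alphabet without padding so it can sit in a query string.
 * WEMP_TOKEN_KEY is an assumed property name; its value is a Base64 encoded
 * 128/192/256-bit key generated once (e.g. with SecureRandom) and stored in
 * the configuration file.
 */
public final class TokenCodec {
    private static final int IV_BYTES = 12;       // GCM standard nonce size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKeySpec key;

    /** keyB64 is the configured key, Base64 encoded (16, 24 or 32 raw bytes). */
    public TokenCodec(String keyB64) {
        byte[] raw = Base64.getDecoder().decode(keyB64);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException("AES key must be 128/192/256 bits");
        }
        this.key = new SecretKeySpec(raw, "AES");
    }

    /** Returns iv || ciphertext || tag, URL-safe Base64 without '=' padding. */
    public String seal(String token) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce per token, same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Reverses seal(); throws AEADBadTagException if the value was altered. */
    public String open(String sealed) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(sealed);   // accepts unpadded input
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed token too short");
        }
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key (all zeros) used only when the property is unset;
        // a real deployment reads the configured value and never hard-codes one.
        String configuredKey = System.getProperty("WEMP_TOKEN_KEY",
                Base64.getEncoder().encodeToString(new byte[32]));
        TokenCodec codec = new TokenCodec(configuredKey);
        String sealed = codec.seal("user42:session-abc");
        System.out.println(sealed);                // contains no '=', '+' or '/'
        System.out.println(codec.open(sealed));    // user42:session-abc

        // 16 raw bytes: the standard encoder emits "==" padding, the URL-safe
        // encoder without padding emits 22 characters and no '='.
        byte[] sixteen = new byte[16];
        System.out.println(Base64.getEncoder().encodeToString(sixteen));
        System.out.println(Base64.getUrlEncoder().withoutPadding().encodeToString(sixteen));
    }
}
```

Because the key is fixed and each call draws a fresh 96-bit IV, two seal() calls on the same token produce different strings that both open() to the same value, which is what keeps a token usable across requests; GCM's tag also rejects a token whose bytes were altered in transit.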
ObjectResource: GET /object/{oid}/user/{uid} - implemented incorrectly - see API description
Return read or write for the user on the object?
ObjectResource: POST /object/{oid}/user/{uid} - implemented incorrectly - should accept permission type as a body parameter
ObjectResource: DELETE /object/{oid}/user/{uid} - DELETE cannot produce application/json media type. The response body for 200 OK should be empty
Should I return 204 for the delete response?
ObjectResource: similar to the above comments for methods related to groups
OrgGroupResource: POST /organization/{oid}/organizationGroups - exposing Group object as the body type is incorrect since it contains a lot of irrelevant or duplicate information. Should be a simple JSON object with permission field
According to the description in the wiki, this API is to create a new group, which means adding a new group to the current organization. What's the permission field? Action?
OrgGroupResource: PUT /organization/{oid}/organizationGroup/{gid} - exposing Group object as the body type is incorrect since it contains a lot of irrelevant or duplicate information. Should be a simple JSON object with permission field
Same questions as above
OrgGroupResource: DELETE /organization/{oid}/organizationGroup/{gid} - DELETE cannot produce application/json media type. The response body for 200 OK should be empty
OrgGroupResource: POST /organization/{oid}//organizationGroup/{gid}/user/{uid} - no such method in API description
OrgGroupResource: DELETE /organization/{oid}//organizationGroup/{gid}/user/{uid} - DELETE cannot produce application/json media type. The response body for 200 OK should be empty
OrgGroupResource: GET /organization/{oid}//organizationGroup/{gid}checkPermissions - should return true or false, not ObjectView
OrgGroupResource: {POST,DELETE} /organization/{oid}/organizationUsers - there is no direct relation between users and organizations. It may make sense to implement bulk delete of a user from all groups in the org. But I don't see how POST can be utilized here
There is no delete request for /organization/{oid}/organizationUsers, just a delete request for /organization/{oid}/organizationUser/{uid}. There might be some relation between user and org via the user_org_link table, but I forgot to delete all the users in the group
OrgGroupResource: POST /organization/{oid}/objects - the body should be a JSON containing a scope field, not ObjectView
The wiki told me to add an object to the org scope, so does this object already exist, rather than being a newly added object?
OrgGroupResource: DELETE /organization/{oid}/objects - DELETE cannot produce application/json media type. The response body for 200 OK should be empty
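The DELETE comments on ObjectResource and OrgGroupResource above (object/user, organizationGroup, organizationGroup/user and objects) all come down to the same shape of endpoint, shown here as an added example that is not the project's own code. It uses JAX-RS, as the @Path-style resources under review do, declares no @Produces, and answers a successful delete with 204 No Content, the conventional status for a DELETE that carries no body (200 with an empty body is also valid). PermissionStore, its revoke() method, the constructor injection and the "/wemp" prefix are assumptions for illustration.

```java
import javax.ws.rs.DELETE;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

/**
 * Added example (not ObjectResource's or OrgGroupResource's own code) of a
 * DELETE endpoint with no response body. There is deliberately no
 * @Produces(MediaType.APPLICATION_JSON): nothing is serialised on success.
 * PermissionStore is an assumed abstraction over the permission table.
 */
@Path("/wemp/object")
public class ObjectPermissionResource {

    /** Assumed persistence interface; a real store would be injected. */
    public interface PermissionStore {
        /** Removes the permission row; returns false when none existed for (oid, uid). */
        boolean revoke(long oid, long uid);
    }

    private final PermissionStore store;

    public ObjectPermissionResource(PermissionStore store) {
        this.store = store;
    }

    /** DELETE /wemp/object/{oid}/user/{uid}: 204 on success, 404 if nothing to delete. */
    @DELETE
    @Path("/{oid}/user/{uid}")
    public Response revokeUserPermission(@PathParam("oid") long oid,
                                         @PathParam("uid") long uid) {
        if (!store.revoke(oid, uid)) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.noContent().build();   // 204, empty body, no media type
    }
}
```

Note that the path parameters are declared as long, matching the object identifiers used by getObject() rather than the String that the isAuthorized() comment at the top of the review flags; a non-numeric {oid} is then rejected by JAX-RS with 404 before the method runs.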
UserResource: its path starts with "/wemp" while other resources' paths don't. All paths should start with "/wemp"
UserResource: POST /wemp/user/{uid}/checkPermissions - the request body contains ObjectData, while it should be either a single object id or a collection of object ids
WempResourceExceptionMapper - no mapping implemented
---WempReturnServlet - audience is not checked: security vulnerability---
Check the token-related userId against the authnUser id from /userinfo?
WempReturnServlet - instead of request dispatcher you need to use 302 redirect
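The audience and redirect comments on WempReturnServlet are illustrated by the following added example, which is not the servlet's own code. Checking the audience means checking that the token was issued for this client (its aud claim names our client_id), which is a different check from comparing user ids. Assumptions: the ID token is a compact JWT whose signature a subclass has already verified against the provider's keys (verifySignature and obtainIdToken are abstract here so nothing is faked), CLIENT_ID and ISSUER come from configuration under assumed property names, javax.json is available, and "/wemp/home" is the assumed post-login page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not WempReturnServlet's own code. The subclass supplies the
 * code-for-token exchange and signature verification; this class shows only the
 * claim checks (aud, iss, exp) and the 302 redirect that follows them.
 * WEMP_CLIENT_ID / WEMP_ISSUER are assumed configuration property names.
 */
public abstract class ReturnServletExample extends HttpServlet {
    private static final String CLIENT_ID = System.getProperty("WEMP_CLIENT_ID", "wemp-client");
    private static final String ISSUER = System.getProperty("WEMP_ISSUER", "https://issuer.example");

    /** Exchanges the authorization code for the ID token (provider specific). */
    protected abstract String obtainIdToken(HttpServletRequest req) throws IOException;

    /** Verifies the JWS signature against the provider's published keys. */
    protected abstract boolean verifySignature(String jwt);

    /** Decodes the JWT payload (second segment). Claims are untrusted until verified. */
    static JsonObject payload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(json)).readObject();
    }

    /** aud may be a string or an array; accept only if our client_id is listed. */
    static boolean audienceMatches(JsonObject claims, String clientId) {
        JsonValue aud = claims.get("aud");
        if (aud == null) return false;
        switch (aud.getValueType()) {
            case STRING:
                return clientId.equals(((JsonString) aud).getString());
            case ARRAY:
                for (JsonString s : claims.getJsonArray("aud").getValuesAs(JsonString.class)) {
                    if (clientId.equals(s.getString())) return true;
                }
                return false;
            default:
                return false;          // aud of any other JSON type is malformed
        }
    }

    /** Issuer, audience and expiry must all hold; a missing claim fails closed. */
    static boolean claimsValid(JsonObject claims, String clientId, String issuer, long nowSeconds) {
        return audienceMatches(claims, clientId)
                && issuer.equals(claims.getString("iss", null))
                && claims.containsKey("exp")
                && claims.getJsonNumber("exp").longValue() > nowSeconds;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String idToken = obtainIdToken(req);
        if (idToken == null || !verifySignature(idToken)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid token");
            return;
        }
        JsonObject claims = payload(idToken);
        if (!claimsValid(claims, CLIENT_ID, ISSUER, System.currentTimeMillis() / 1000)) {
            // A token minted for another client (wrong aud) lands here and is rejected.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token not issued for this client");
            return;
        }
        req.getSession(true).setAttribute("sub", claims.getString("sub"));
        // 302 to the application page instead of forwarding through a RequestDispatcher,
        // so the browser's address bar leaves the callback URL and a reload cannot replay it.
        resp.sendRedirect(resp.encodeRedirectURL("/wemp/home"));
    }

    /** Constructed demonstration: an unsigned token body with the wrong audience. */
    public static void main(String[] args) {
        String header = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String body = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "{\"iss\":\"https://issuer.example\",\"aud\":\"other-client\",\"exp\":4102444800,\"sub\":\"42\"}"
                        .getBytes(StandardCharsets.UTF_8));
        JsonObject claims = payload(header + "." + body + ".sig");
        System.out.println(claimsValid(claims, "wemp-client", "https://issuer.example", 1_700_000_000L)); // false
        System.out.println(claimsValid(claims, "other-client", "https://issuer.example", 1_700_000_000L)); // true
    }
}
```

The ordering matters: signature first, then claims, then session creation and redirect. A nonce check (comparing the nonce claim with the value stored before the authorization request) belongs in claimsValid as well when the login flow sends one; it is omitted here only because the review thread does not mention it.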