
Re: [Aerogear-dev] AeroGear Security - call for participation



I guess that can work, but it seems like there are assumptions being made that the user is who they say they are. Maybe I'm just being too paranoid. I've recently been working with the Facebook APIs, so this topic has sort of been on my mind.

I've worked out a little security model, a prototype really, pretty bare bones, for an internal project, basically 2-legged (maybe 3?) OAuth. I haven't yet posted it on GitHub to a public repo. Planning on it.

 

From: Bruno Oliveira [mailto:bruno abstractj org]
Sent: Monday, July 30, 2012 2:54 PM
To: Holmquist, Lucas
Cc: aerogear-dev redhat com
Subject: Re: [Aerogear-dev] AeroGear Security - call for participation

 

Hi Lucas, initially the server will be responsible for keeping the user session, so repeating the auth process won't be needed.

Wdyt?

-- 
"The measure of a man is what he does with power" - Plato
@abstractj
Volenti Nihil Difficile

On Sunday, July 29, 2012 at 2:50 PM, Holmquist, Lucas wrote:

Has there been any talk yet on what to do if the user refreshes the page? Where do you store the access token on the client side so the user doesn't have to go through the auth process again?

-Luke

Sent from my iPad

On Jul 28, 2012, at 11:56 AM, "Bruno Oliveira" <bruno abstractj org> wrote:

 

Thank you Matthias, I did the updates with the new images and that information, please refresh the URL.

Let me know if you have more questions.

On Saturday, July 28, 2012 at 11:18 AM, Matthias Wessendorf wrote:

 

Hey,

thanks for the quick response. Useful information.

What do you think about including parts of it in your spec/draft? I think it makes reading a bit easier.

thx!
Matthias

On Sat, Jul 28, 2012 at 3:53 PM, Bruno Oliveira <bruno abstractj org> wrote:

Hi Matthias, thanks for your review, answers inline.

On Saturday, July 28, 2012 at 7:35 AM, Matthias Wessendorf wrote:

hi,

a few minor comments after giving it a quick shot:

 

1) The REST resources will be generated to provide the basics for authentication.

==> IMO basic(s) is a bit confusing when talking about auth (e.g. application basic...), perhaps writing 'foundation' or so?
==> what will generate the resources?

I've been planning to provide the minimal endpoints for authentication; aerogear-security aims to have the integration with providers like DeltaSpike and PicketLink.

Generate means something like a Forge plugin or Maven plugin, something to get rid of complex configuration files. Aerogear-security must deal with the complexity, but not our developers, that's the idea.

 

 

 

2) aerogear.auth
'This attribute is optional and if not present the default REST authentication method will be assumed.'
==> 'default REST authentication' <== what does that actually mean? Perhaps a link to some other document, for background info?

The endpoints provided by aerogear-security, but if you want to have an idea about what I've been planning, take a look at the external references, please.

 

 

3) aerogear.auth.register
the diagram says 'signup'; perhaps using one term across documents/diagrams does not hurt!

Indeed. I didn't get a chance to update the pictures and I assume that people will truly understand what it means. I'll do it next week.

- Bruno

(I guess that applies to login/signin etc. as well)

-M

 

 

On Sat, Jul 28, 2012 at 12:11 AM, Bruno Oliveira <bruno abstractj org> wrote:

Hi folks,

We've been discussing a lot about security on the server side this week and I would like to hear some feedback about the document below before going into more specific implementation details.

Have a nice reading! :)

_______________________________________________
aerogear-dev mailing list
aerogear-dev redhat com

 

 

 

 

--
Matthias Wessendorf

________________________________
CONFIDENTIALITY NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
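The exchange above (Lucas asking where to keep the access token on the client so a page refresh does not repeat the auth process, Bruno answering that the server will keep the user session) can be illustrated with the following added example. It is not code from this thread, from aerogear-security or from any of its providers; the cookie name, the in-memory store, the 30-minute idle timeout and the function names are all assumptions made for illustration. The point it demonstrates is the design Bruno describes: the browser holds only an opaque session identifier in an HttpOnly cookie, the username and any upstream access token stay on the server, and a reloaded page is recognised from the cookie alone.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed names for illustration; none of these come from aerogear-security.
COOKIE_NAME = "aerogear_session"
SESSION_TTL_SECONDS = 30 * 60   # idle timeout before the server forgets a session


class SessionStore:
    """Server-side session table keyed by an opaque random identifier.

    The browser only ever holds the identifier; the username and any
    upstream access token stay on the server, so a page refresh cannot
    lose them and client-side script cannot read them.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be exercised deterministically

    def create(self, username, access_token):
        # 32 random bytes from the OS CSPRNG: unguessable and carries no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": username,
            "token": access_token,
            "expires": self._clock() + self._ttl,
        }
        return sid

    def resolve(self, sid):
        """Return the username for a live session, or None; expired entries are dropped."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now >= entry["expires"]:
            del self._sessions[sid]
            return None
        entry["expires"] = now + self._ttl   # sliding expiry: activity extends the session
        return entry["user"]

    def destroy(self, sid):
        """Logout: forget the session so the cookie value becomes worthless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Header the login response sends after a successful authentication.

    HttpOnly keeps the id away from page script, Secure limits it to HTTPS,
    SameSite=Lax stops most cross-site requests from carrying it.
    """
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract our session id from a request's Cookie header value, if present."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def resolve_request(store, cookie_header):
    """What the server does for the request a reloaded page makes.

    No credentials are resent; the browser attaches the cookie automatically
    and the server looks the session up. Returns the username, or None when
    the user has to go through the auth process again.
    """
    sid = session_id_from_cookie(cookie_header)
    if sid is None:
        return None
    return store.resolve(sid)


if __name__ == "__main__":
    store = SessionStore()
    # Login: the server validates credentials (omitted), keeps the session, sets the cookie.
    sid = store.create("lucas", "upstream-access-token-stays-server-side")
    print(set_cookie_header(sid))
    # Page refresh: the browser sends only the cookie back.
    print(resolve_request(store, f"{COOKIE_NAME}={sid}"))   # lucas
    # Logout, then refresh again: the session is gone, login is required.
    store.destroy(sid)
    print(resolve_request(store, f"{COOKIE_NAME}={sid}"))   # None
```

The in-memory dictionary stands in for whatever the real server would use (a database, a cache, or the container's own session manager); the property that matters for the question in the thread is that nothing the client stores is a credential, so a refresh costs one lookup and a logout or expiry invalidates the cookie immediately.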