
Re: [Aerogear-dev] Feedback on security readme

I'll assume that HTTPS will be used over the whole mobile ecosystem.

Let me know if something is not really clear.

On Thu, Mar 29, 2012 at 9:58 AM, Jay Balunas <jbalunas redhat com> wrote:

Overall great stuff.  Note, some of the items are questions from me, and some are questions I could see being asked by others :-)

* HTTP Digest authentication - why this?  What alternatives exist

The alternatives are: Basic (clear text), Digest (SHA1), WSSE, OAuth (to be discussed)
- Basic: The credentials will be sent in plain text; encrypting each HTTP transaction over SSL doesn't guarantee the protection of the information's integrity, against internal network snoops, once the information arrives at the server.

- Digest: Using SHA1 in combination with username + password + random + other information (to be discussed) that we could choose is safer than Basic imo: the client won't send your information, but a combination. Signed URIs will be helpful in the next steps.

- WSSE: it's XML, enough to be excluded :) http://www.xml.com/pub/a/2003/12/17/dive.html.

- OAuth: The winner, but we still must start the implementation.
* Client library support 
* Where does Crypto.SHA1 come from 
(It's just a fork) https://github.com/abstractj/crypto-js/blob/master/src/SHA1.js
 * should list that
* We will want to collapse JS into mini-lib imo

+1 about having JS libs.

* http://myhost/user/1
 * Not relative path? 
 * can it point to other places?
Sure thing, it's just an example to test Authentication process. The requests will be intercepted and resources with @Secured annotation will be authenticated. 
* phase 1
  * authorization only right
(authentication I guess)

  * Can you use CDI to inject a user object?
    * for further work.

I would like to understand your idea first. It's possible to inject a user object, but I would like to think about how to integrate it with the controller or expose authentication resources (technically it's possible, we're already using CDI here).
* Web mobile --> web/mobile 


* Define the domain a little better

It means security-domain; the idea is to use JBoss for it https://community.jboss.org/wiki/JBossAS7SecurityDomainModel

* does getUser return a user object, or a Long?

getUser was a bad example and isn't related to the aerogear security implementation. Replacing it with lookupMemberById.

* What happens when you access secured resources and you're not logged in?

At first glance it will answer with 401 (https://github.com/abstractj/aerogear-security/blob/jaas/src/main/java/org/jboss/aerogear/security/resteasy/AuthenticatorInterceptor.java#L47). 

If we have plans to move forward with the aerogear-security ideas, probably an exception mapper must be implemented with RESTEasy.

* Where and how are users created, edited, removed?

Users/groups will be created using a database-integrated service in AS with JAAS (https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration)

Let me know if you have more concerns.


aerogear-dev mailing list
aerogear-dev redhat com

"Know the rules well, so you can break them effectively" - Dalai Lama XIV
Volenti Nihil Difficile
