[aerogear-dev] Security on AeroGear

Bruno Oliveira bruno at abstractj.org
Tue Jul 2 09:14:12 EDT 2013


Answers inline.

Matthias Wessendorf wrote:
> Hi Bruno,
>
>
> On Tue, Jul 2, 2013 at 11:48 AM, Bruno Oliveira <bruno at abstractj.org
> <mailto:bruno at abstractj.org>> wrote:
>
>     Good morning everyone, I'm planning to include JWS (to add digital
>     signatures per mobile application)/JWT (to issue a token at each
>     transaction or session) support on AeroGear and I was looking at OAuth2
>     bearer token (which make use of JWT/JWS behind the scenes)
>     implementation from RESTEasy.
>
>     I was reading about how to properly include it and now we have a
>     decision to make (we because it will affect the way the client side and
>     security is not an island :). RESTEasy bearer tokens are completely tied
>     to JBoss
>     (http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446)
>     and I'm not saying it is a bad thing, but with vert.x, TorqueBox,
>     Nodej...I'm not sure if it's a good idea.
>
>
>
> That is because of (from the requirements): "A username/password based
> JBoss security domain", right?
>

Nope. This comes from the requirement "add security to AG" :)
Username/Password are cool; the goal here is to add a token between
client/server.

This token will come with a timestamp; this way, if someone
eavesdropping on your connection steals your username/password, the token
will still be required.

>
>     An example of Bearer Token usage extracted from RFC
>     (http://tools.ietf.org/html/rfc6750)
>
>            HTTP/1.1 200 OK
>            Content-Type: application/json;charset=UTF-8
>            Cache-Control: no-store
>            Pragma: no-cache
>
>            {
>              "access_token":"mF_9.B5f-4.1JqM",
>              "token_type":"Bearer",
>              "expires_in":3600,
>              "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>            }
>
>     Pros: RESTEasy team already did it
>     Cons: The configuration setup might be hard to newcomers (please look at
>     the documentation
>     http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446),
>     we will be tied to JBoss.
>
>     So, do we have an alternative? Yes.
>
>
> good :-)
>
>     Make use of JWT module only from
>     RESTEasy
>
>
> you mean only the JWT(==JSON Web Token) - not the "bearer token" ?

Yes.

>
>     and we still can benefit of digital signatures and tokens.
>
>
>
> The digital signatures would be still JWS (==JSON Web Signature) ?

Yup, to avoid confusion:

- JSON Web Signature: can be used to sign HTTP requests against the
server (does not replace the certificate) and avoid DDoS against the
server; non-repudiation

- JSON Web Token: another security layer (OPTIONAL). If for some reason
SSL was misconfigured, broken... you still have this layer of security
(this token is time-based, "MACed" and irreversible).

>
>
>     An example of JWT usage extracted from RFC
>     (http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6)
>
>     {
>     "iss":"joe",
>     "exp":1300819380,
>     "http://example.com/is_root":true
>     }
>
>     Pros: Flexibility, we have people already doing it
>     (https://wiki.mozilla.org/WebAPI/WebPayment).
>
>
> So our "client side" hook could be basically used with that WebPayment
> thing, right ?

No.

Sorry, I should explain that better; this is just an example. We will
not make use of the WebPayment API; this is a snippet from Mozilla (I was
giving credit instead of just cutting & pasting, and also showing an
example where JWT is used).

In our project there will be just the JWT/JWS implementation with the
RESTEasy module.

>
>     We will make use of
>     RESTEasy module and do not reinvent the wheel.
>
>
> +1 on reusing existing code. Not sure I fully understand (see my above
> comments on JWS/JWT :)

Feel free to ask, sorry for my bad explanation.

>
>
>     Cons: The authorization model must be implemented and adapted to our
>     needs
>
>
> That could be done on-top of what we already have for AeroGear Security ?

Yup, that's the idea.

>
>
> -Matthias
>
>
>     So what do you think?
>
>     ps: SAML is not an option for me now.
>
>     --
>     abstractj
>
>     _______________________________________________
>     aerogear-dev mailing list
>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf

-- 
abstractj


