[aerogear-dev] Initial Security for AeroGear UnifiedPush

Matthias Wessendorf matzew at apache.org
Wed Jun 19 01:59:16 EDT 2013 

Have in mind, this is all "progressing"...

Currently looking at JavaScript "secure" registration + CORS

Followed by:
* iOS SDK
* Java Sender
* Android

-Matthias



On Wed, Jun 19, 2013 at 6:40 AM, Matthias Wessendorf <matzew at apache.org>wrote:

> Bruno merged the security bits to MASTER.
>
> A tag (0.1.0) of the previous MASTER (the one without security) has been
> created.
>
> -Matthias
>
>
> On Mon, Jun 17, 2013 at 2:52 PM, Matthias Wessendorf <matzew at apache.org>wrote:
>
>>  Hi,
>>
>> I worked a bit on the initial security, after Bruno release the 1.0.1
>> versions of AG-Security.
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants>Management
>> of PushApplications and MobileVariants
>>
>> Adding a (simple) *DEVELOPER* class (just that, no *fancy* roles yet).
>> This is powered by AG-Security and the very wellknown "login"/"logout"
>> will be used (and soon "enroll" for new users).
>>
>> A *DEVELOPER* is allowed to create/manage PushApplications and
>> MobileVariants (including the standard CRUD flow).
>>
>> Here is a little cURL based flow:
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login:
>>
>> curl -v -b cookies.txt -c cookies.txt
>>   -H "Accept: application/json" -H "Content-type: application/json"
>>   -X POST
>>   -d '{"loginName": "admin", "password":"123"}'http://localhost:8080/ag-push/rest/auth/login
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>Create
>> new PushApp:
>>
>> curl -v -b cookies.txt -c cookies.txt -v
>>   -H "Accept: application/json" -H "Content-type: application/json"
>>   -X POST
>>   -d '{"name" : "MyApp", "description" :  "awesome app" }'http://localhost:8080/ag-push/rest/applications
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it>Create
>> Variant (here SimplePush) for it:
>>
>> curl -v -b cookies.txt -c cookies.txt -v
>>   -H "Accept: application/json" -H "Content-type: application/json"
>>   -X POST
>>   -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}'http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications>Sending
>> Push Notifications
>>
>> When a PushApplication is created, it will get a GENERATED *PUSH-APP-ID* (like
>> before) and it will also have a generated *master secret*. For sending
>> (NOW) you need HTTP BASIC auth against the SENDER HTTP interface:
>>
>> curl -u "{PushApplicationID}:{MasterSecret}"
>>    -v -H "Accept: application/json" -H "Content-type: application/json"
>>    -X POST
>>    -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7,
>>        "simple-push":"version=123"}'
>> http://localhost:8080/ag-push/rest/sender/broadcast
>>
>> The user is a combination of PushApplicationID:MasterSecret, hence no
>> need to include the PushApplicationID on the URL.....
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>Device
>> Registration
>>
>> When a MobileVariant is created, it will get a GENERATED *VARIANT-ID* (like
>> before) and it will have a generated "variant secret" (valid ONLY!!! for
>> that variant). Now a device needs to perform HTTP basic against that
>> server, in order to register itself:
>>
>> An Android (cURL) example:
>>
>> curl -u "{MobileVariantID}:{secret}"
>>    -v -H "Accept: application/json" -H "Content-type: application/json"
>>    -X POST
>>    -d '{
>>       "deviceToken" : "someTokenString",
>>       "deviceType" : "ANDROID",
>>       "mobileOperatingSystem" : "android",
>>       "osVersion" : "4.0.1"
>>     }'
>> http://localhost:8080/ag-push/rest/registry/device
>>
>> The user is a combination of MobileVariantID:MasterSecret, hence no need
>> to include the MobileVariantID (was a http header in the past).
>>
>> The work lives on a branch for now:
>>
>> https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security
>>
>>
>> FYI, the iOS SDK has been updated to reflect that:
>> https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07
>>
>> --
>> Matthias Wessendorf
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130619/34dbda7b/attachment.html

More information about the aerogear-dev mailing list