[aerogear-dev] Allow Push Without Master-Secret?

Thu Apr 17 17:55:24 EDT 2014

On Thu, Apr 17, 2014 at 9:35 PM, Florian Schrofner <
florian.schrofner at outlook.com> wrote:

> I thought about that too.. but I didn't really see the difference, since
> everybody who knows the link to the broker can also invoke a push without
> authentication, can't he?
>
Right, there is no difference, except that you don't have to patch UPS,
that you can later secure this REST endpoint and that you deleguate a
generic behaviour (sending push messages) to a single place.

>
> Also setting up another server just for forwarding request seems a bit
> overpowered to me (and a lot more work)..
>

I understand but put in balance the work to create a simple broker  and
maintain a patched UPS

>
> As long as I don't unintentionally open a huge security hole by patching
> the
> server it shouldn't make that much difference, should it?
>
Well if someone knows your MasterID he can potentially send millions of
notifications to all the devices :)

>
> Maybe we'll build the first prototypes using the patched aerogear server
> and
> switch to the broker later on.
> Nodejs would be the best option for the broker, I guess?
>

Yeah NodeJS could be a good option, look at this single NodeJS server page
that does almost all what you want :
https://github.com/sebastienblanc/hackergarten-messenger/blob/master/server/index.js

Thx again for your interest !

>
>
> --
> View this message in context:
> http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Allow-Push-Without-Master-Secret-tp7474p7493.html
> Sent from the aerogear-dev mailing list archive at Nabble.com.
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140417/f0cb6c77/attachment.html 