<div dir="ltr">FYI<div><br></div><div style>JIRAs for the &quot;initial&quot; security work:</div><div><div><br></div><div><br></div><div>All the endpoints are now secured:</div><div><a href="https://issues.jboss.org/browse/AGPUSH-59">https://issues.jboss.org/browse/AGPUSH-59</a></div>
<div><br></div><div>Details on the actual endpoints, on the AGSEC JIRA:</div><div><br></div><div>Endpoint for Push Apps is secure (using AG-Security):</div><div><a href="https://issues.jboss.org/browse/AGSEC-51">https://issues.jboss.org/browse/AGSEC-51</a></div>
<div><br></div><div>Endpoint for {Android|iOS|SimplePush} Variants is secure (using AG-Security):</div><div><a href="https://issues.jboss.org/browse/AGSEC-52">https://issues.jboss.org/browse/AGSEC-52</a></div><div><br></div>
<div>Endpoint for Device Registration is secure (using HTTP Basic):</div><div><a href="https://issues.jboss.org/browse/AGSEC-50">https://issues.jboss.org/browse/AGSEC-50</a></div><div><br></div><div>Endpoint for SENDING is secure (using HTTP Basic):</div>
<div><a href="https://issues.jboss.org/browse/AGSEC-54">https://issues.jboss.org/browse/AGSEC-54</a></div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 19, 2013 at 11:56 AM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks Sebi, I&#39;ll look at this.<br>
<div class="im"><br>
Sebastien Blanc wrote:<br>
&gt; FYI,<br>
&gt;<br>
&gt; A &quot;security&quot; Java Sender branch has also been pushed :<br>
&gt; <a href="https://github.com/aerogear/aerogear-unified-push-java-client/tree/security" target="_blank">https://github.com/aerogear/aerogear-unified-push-java-client/tree/security</a><br>
&gt; It&#39;s using preemptive HTTP Basic Authentication, but we will switch to<br>
&gt; a more &quot;classic&quot; flow when AGPUSH-99 is resolved.<br>
&gt;<br>
&gt; Like Matthias said, it&#39;s &quot;all in progress&quot; work, but &quot;Push early, Push often&quot;.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis &lt;<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a><br>
</div><div class="im">&gt; &lt;mailto:<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;     looks great!<br>
&gt;<br>
&gt;     On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf &lt;<a href="mailto:matzew@apache.org">matzew@apache.org</a><br>
</div><div class="im">&gt;     &lt;mailto:<a href="mailto:matzew@apache.org">matzew@apache.org</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;&gt;     Hi,<br>
&gt;&gt;<br>
&gt;&gt;     I worked a bit on the initial security, after Bruno released the<br>
&gt;&gt;     1.0.1 versions of AG-Security.<br>
&gt;&gt;<br>
&gt;&gt;<br>
</div>&gt;&gt;         &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants</a>&gt;Management<br>

&gt;&gt;         of PushApplications and MobileVariants<br>
&gt;&gt;<br>
&gt;&gt;     Adding a (simple) /DEVELOPER/ class (just that, no /fancy/ roles yet).<br>
<div class="im">&gt;&gt;     This is powered by AG-Security and the very wellknown<br>
&gt;&gt;     &quot;login&quot;/&quot;logout&quot; will be used (and soon &quot;enroll&quot; for new users).<br>
&gt;&gt;<br>
</div>&gt;&gt;     A /DEVELOPER/ is allowed to create/manage PushApplications and<br>
<div class="im">&gt;&gt;     MobileVariants (including the standard CRUD flow).<br>
&gt;&gt;<br>
&gt;&gt;     Here is a little cURL based flow:<br>
&gt;&gt;<br>
&gt;&gt;<br>
</div>&gt;&gt;             &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login</a>&gt;Login:<br>
<div class="im">&gt;&gt;<br>
&gt;&gt;     curl -v -b cookies.txt -c cookies.txt \<br>
&gt;&gt;        -H &quot;Accept: application/json&quot; -H &quot;Content-type: application/json&quot; \<br>
&gt;&gt;        -X POST \<br>
&gt;&gt;        -d &#39;{&quot;loginName&quot;:&quot;admin&quot;,&quot;password&quot;:&quot;123&quot;}&#39; \<br>
&gt;&gt;     <a href="http://localhost:8080/ag-push/rest/auth/login" target="_blank">http://localhost:8080/ag-push/rest/auth/login</a><br>
&gt;&gt;<br>
&gt;&gt;<br>
</div>&gt;&gt;             &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp</a>&gt;Create<br>

<div class="im">&gt;&gt;             new PushApp:<br>
&gt;&gt;<br>
&gt;&gt;     curl -v -b cookies.txt -c cookies.txt \<br>
&gt;&gt;        -H &quot;Accept: application/json&quot; -H &quot;Content-type: application/json&quot; \<br>
&gt;&gt;        -X POST \<br>
&gt;&gt;        -d &#39;{&quot;name&quot;:&quot;MyApp&quot;,&quot;description&quot;:&quot;awesome app&quot;}&#39; \<br>
&gt;&gt;     <a href="http://localhost:8080/ag-push/rest/applications" target="_blank">http://localhost:8080/ag-push/rest/applications</a><br>
&gt;&gt;<br>
&gt;&gt;<br>
</div>&gt;&gt;             &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it</a>&gt;Create<br>

<div class="im">&gt;&gt;             Variant (here SimplePush) for it:<br>
&gt;&gt;<br>
&gt;&gt;     curl -v -b cookies.txt -c cookies.txt \<br>
&gt;&gt;        -H &quot;Accept: application/json&quot; -H &quot;Content-type: application/json&quot; \<br>
&gt;&gt;        -X POST \<br>
&gt;&gt;        -d &#39;{&quot;pushNetworkURL&quot;:&quot;<a href="http://localhost:7777/endpoint/" target="_blank">http://localhost:7777/endpoint/</a>&quot;}&#39; \<br>
</div>&gt;&gt;     <a href="http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush" target="_blank">http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush</a><br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;         &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications</a>&gt;Sending<br>

<div class="im">&gt;&gt;         Push Notifications<br>
&gt;&gt;<br>
&gt;&gt;     When a PushApplication is created, it will get a GENERATED<br>
</div>&gt;&gt;     /PUSH-APP-ID/ (like before) and it will also have a generated<br>
&gt;&gt;     /master secret/. For sending (NOW) you need HTTP BASIC auth<br>
<div class="im">&gt;&gt;     against the SENDER HTTP interface:<br>
&gt;&gt;<br>
&gt;&gt;     curl -u &quot;{PushApplicationID}:{MasterSecret}&quot; \<br>
&gt;&gt;         -v -H &quot;Accept: application/json&quot; -H &quot;Content-type: application/json&quot; \<br>
&gt;&gt;         -X POST \<br>
&gt;&gt;         -d &#39;{&quot;key&quot;:&quot;value&quot;,&quot;alert&quot;:&quot;HELLO!&quot;,&quot;sound&quot;:&quot;default&quot;,&quot;badge&quot;:7,&quot;simple-push&quot;:&quot;version=123&quot;}&#39; \<br>
&gt;&gt;     <a href="http://localhost:8080/ag-push/rest/sender/broadcast" target="_blank">http://localhost:8080/ag-push/rest/sender/broadcast</a><br>
&gt;&gt;<br>
&gt;&gt;     The user is a combination of PushApplicationID:MasterSecret, hence<br>
&gt;&gt;     no need to include the PushApplicationID in the URL.<br>
&gt;&gt;<br>
&gt;&gt;<br>
</div>&gt;&gt;         &lt;<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration</a>&gt;Device<br>

<div class="im">&gt;&gt;         Registration<br>
&gt;&gt;<br>
&gt;&gt;     When a MobileVariant is created, it will get a GENERATED<br>
</div>&gt;&gt;     /VARIANT-ID/ (like before) and it will have a generated &quot;variant<br>
<div><div class="h5">&gt;&gt;     secret&quot; (valid ONLY!!! for that variant). Now a device needs to<br>
&gt;&gt;     perform HTTP basic against that server, in order to register itself:<br>
&gt;&gt;<br>
&gt;&gt;     An Android (cURL) example:<br>
&gt;&gt;<br>
&gt;&gt;     curl -u &quot;{MobileVariantID}:{secret}&quot; \<br>
&gt;&gt;         -v -H &quot;Accept: application/json&quot; -H &quot;Content-type: application/json&quot; \<br>
&gt;&gt;         -X POST \<br>
&gt;&gt;         -d &#39;{<br>
&gt;&gt;            &quot;deviceToken&quot;:&quot;someTokenString&quot;,<br>
&gt;&gt;            &quot;deviceType&quot;:&quot;ANDROID&quot;,<br>
&gt;&gt;            &quot;mobileOperatingSystem&quot;:&quot;android&quot;,<br>
&gt;&gt;            &quot;osVersion&quot;:&quot;4.0.1&quot;<br>
&gt;&gt;          }&#39; \<br>
&gt;&gt;     <a href="http://localhost:8080/ag-push/rest/registry/device" target="_blank">http://localhost:8080/ag-push/rest/registry/device</a><br>
&gt;&gt;<br>
&gt;&gt;     The user is a combination of MobileVariantID:MasterSecret, hence<br>
&gt;&gt;     no need to include the MobileVariantID (it was an HTTP header in the<br>
&gt;&gt;     past).<br>
&gt;&gt;<br>
&gt;&gt;     The work lives on a branch for now:<br>
&gt;&gt;     <a href="https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security</a><br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;     FYI, the iOS SDK has been updated to reflect that:<br>
&gt;&gt;     <a href="https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07" target="_blank">https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07</a><br>

&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;     --<br>
&gt;&gt;     Matthias Wessendorf<br>
&gt;&gt;<br>
&gt;&gt;     blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt;&gt;     sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt;&gt;     twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
&gt;&gt;     _______________________________________________<br>
&gt;&gt;     aerogear-dev mailing list<br>
</div></div>&gt;&gt;     <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> &lt;mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>&gt;<br>
<div class="im">&gt;&gt;     <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
&gt;<br>
&gt;<br>
</div><div class="im HOEnZb">
&gt;<br>
&gt;<br>
<br>
</div><span class="HOEnZb"><font color="#888888">--<br>
abstractj<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
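<div><br></div><div>The two HTTP Basic credential shapes the quoted message describes, PushApplicationID:MasterSecret for the sender endpoint and MobileVariantID:variant secret for device registration, plus the difference between the preemptive Basic auth Sebastien mentions and a challenge-based &quot;classic&quot; flow, as an added Python example. This is not code from the thread or from the AeroGear code base: the endpoint stand-ins, realm strings, IDs and secrets are constructed for illustration, and the real server generates the IDs and secrets when a PushApplication or MobileVariant is created.</div>

```python
"""Added example (not AeroGear code): HTTP Basic as used by the sender and
device-registration endpoints in the thread.  Client builds the header, a
stand-in server checks it.  All IDs, secrets and realms are constructed."""
import base64
import binascii
import hmac
from typing import Dict, Mapping, Optional, Tuple

# Constructed sample data, not real identifiers: id -> (kind, secret).
PUSH_APP_ID = "4f2c9a6e-push-app"
MASTER_SECRET = "m4st3r-s3cr3t-for-4f2c9a6e"
VARIANT_ID = "8b1d3e7a-android-variant"
VARIANT_SECRET = "v4r14nt-s3cr3t-for-8b1d3e7a"
OTHER_VARIANT_ID = "c0ffee12-ios-variant"
OTHER_VARIANT_SECRET = "v4r14nt-s3cr3t-for-c0ffee12"

REGISTRY: Dict[str, Tuple[str, str]] = {
    PUSH_APP_ID: ("pushApplication", MASTER_SECRET),
    VARIANT_ID: ("mobileVariant", VARIANT_SECRET),
    OTHER_VARIANT_ID: ("mobileVariant", OTHER_VARIANT_SECRET),
}
_DUMMY_SECRET = b"\x00" * 32


def basic_auth_header(principal_id: str, secret: str) -> str:
    """Client side: the Authorization value curl -u builds from id:secret.
    Sent on the first request, this is 'preemptive' Basic auth."""
    token = base64.b64encode(f"{principal_id}:{secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: (id, secret) from a Basic header, or None if missing,
    malformed or another scheme.  Splits on the FIRST colon so a secret
    containing ':' survives; the id itself cannot contain one."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    principal_id, secret = decoded.split(":", 1)
    return principal_id, secret


def authenticate(header: Optional[str], required_kind: str,
                 registry: Mapping[str, Tuple[str, str]] = REGISTRY) -> Optional[str]:
    """Return the authenticated id or None.  The Basic username IS the
    PushApplicationID / MobileVariantID, which is why the thread drops it
    from the URL and the old request header.  A secret counts only for the
    id it was generated for, and only on endpoints of that principal's kind."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    principal_id, presented = parsed
    entry = registry.get(principal_id)
    if entry is None:
        # Unknown id: still do one comparison so timing resembles a wrong secret.
        hmac.compare_digest(presented.encode("utf-8"), _DUMMY_SECRET)
        return None
    kind, expected = entry
    if kind != required_kind:
        return None
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return None
    return principal_id


def make_endpoint(required_kind: str, realm: str):
    """Stand-in protected endpoint -> (status, response headers, principal).
    Without valid credentials it answers 401 plus a Basic challenge."""
    def handle(request_headers: Mapping[str, str]):
        principal = authenticate(request_headers.get("Authorization"), required_kind)
        if principal is None:
            return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, None
        return 200, {}, principal
    return handle


# Assumed realm names; the thread does not say what the server sends.
sender_broadcast = make_endpoint("pushApplication", "UnifiedPush Sender")
registry_device = make_endpoint("mobileVariant", "UnifiedPush Registry")


def call_preemptive(handle, principal_id: str, secret: str):
    """Credentials on the first request, as curl -u and the Java sender do."""
    status, _, principal = handle({"Authorization": basic_auth_header(principal_id, secret)})
    return status, principal


def call_with_challenge(handle, principal_id: str, secret: str):
    """'Classic' flow: request anonymously, answer one Basic challenge."""
    status, resp_headers, principal = handle({})
    if status == 401 and resp_headers.get("WWW-Authenticate", "").lower().startswith("basic "):
        status, _, principal = handle({"Authorization": basic_auth_header(principal_id, secret)})
    return status, principal
```

<div>The checks worth carrying over to a real deployment are the negative ones: the sender endpoint rejects variant credentials, the registry endpoint rejects a variant secret presented under a different variant&#39;s ID, and a secret compared with <code>hmac.compare_digest</code> does not leak its prefix through timing. Whether preemptive or challenge-based, Basic auth only protects the secret if the transport is TLS; the <code>http://localhost</code> URLs in the thread are for local development.</div>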
</div>