<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 19, 2013 at 5:47 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Matthias I have some questions.<br>
<div class="im"><br>
Matthias Wessendorf wrote:<br>
> FYI<br>
><br>
> JIRAs for the "initial" security work:<br>
><br>
><br>
> All the endpoints are now secured:<br>
> <a href="https://issues.jboss.org/browse/AGPUSH-59" target="_blank">https://issues.jboss.org/browse/AGPUSH-59</a><br>
><br>
> Details on the actual endpoints, on the AGSEC JIRA:<br>
><br>
<br>
</div>For the endpoints below.<br>
<div class="im"><br>
> Endpoint for Push Apps is secure (using AG-Security):<br>
> <a href="https://issues.jboss.org/browse/AGSEC-51" target="_blank">https://issues.jboss.org/browse/AGSEC-51</a><br>
<br>
</div>Why?<br>
<br>
-<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L52" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L52</a><br>
<br>
-<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L74" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L74</a><br>
<br>
-<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L84" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L84</a><br>
<br>
-<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L102" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L102</a><br>
<br>
-<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L131" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L131</a><br>
<div class="im"><br>
<br>
><br>
> Endpoint for {Android|iOS|SimplePush} Variants is secure (using AG-Security):<br>
> <a href="https://issues.jboss.org/browse/AGSEC-52" target="_blank">https://issues.jboss.org/browse/AGSEC-52</a><br>
<br>
</div><a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AndroidVariantEndpoint.java#L67" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AndroidVariantEndpoint.java#L67</a><br>
<br>
Well the same to the rest of the code and endpoints. Why are we doing<br>
it? As far as I know we just introduced an interceptor for it:<br>
<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/cdi/interceptor/SecurityInterceptor.java#L50" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/cdi/interceptor/SecurityInterceptor.java#L50</a><br>
<br>
Which could be used with:<br>
<br>
@Secure({admin, developer})<br>
public void myPrettyEndpoint(){}<br>
<br>
If I'm reading it correctly, you're not checking for which roles the<br>
currently logged-in user has<br>
<a href="https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AbstractApplicationRegistrationEndpoint.java#L27" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AbstractApplicationRegistrationEndpoint.java#L27</a></blockquote>
<div><br></div><div><br></div><div style>Correct - currently there are no real different roles. It's (currently) just a "developer".</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
<br>
We have 2 alternatives:<br>
<br>
- If the interceptors are not a good fit, just delete it<br></blockquote><div><br></div><div style>I think I didn't use it, because it throws an RT exception (no problem with that), which I could catch on the RestEasy layer.</div>
<div style>Instead of (for unauthorized invokes) returning 401 (to cURL, for instance), it was just "bad request".</div><div style><br></div><div style>So, I went for the "check by code" solution first. Not saying that I am AGAINST the interceptor.</div>
<div style><br></div><div style>I think in the long run that would be better and cleaner. </div><div style><br></div><div style><br></div><div style>I can give the Interceptor another shot, but not today.</div><div style>
<br></div><div style>Ok? </div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
- Refactor the whole group of endpoints to make use of interceptors<br>
<br>
Let me know what you want to do.<br>
<div class="im"><br>
<br>
><br>
> Endpoint for Device Registration is secure (Using HTTP Basic):<br>
> <a href="https://issues.jboss.org/browse/AGSEC-50" target="_blank">https://issues.jboss.org/browse/AGSEC-50</a><br>
><br>
> Endpoint for SENDING is secure (Using HTTP Basic):<br>
> <a href="https://issues.jboss.org/browse/AGSEC-54" target="_blank">https://issues.jboss.org/browse/AGSEC-54</a><br>
><br>
><br>
><br>
><br>
> On Wed, Jun 19, 2013 at 11:56 AM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a><br>
</div><div class="im">> <mailto:<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>>> wrote:<br>
><br>
> Thanks Sebi, I'll look at this.<br>
><br>
> Sebastien Blanc wrote:<br>
> > FYI,<br>
> ><br>
> > A "security" Java Sender branch has also been pushed :<br>
> ><br>
> <a href="https://github.com/aerogear/aerogear-unified-push-java-client/tree/security" target="_blank">https://github.com/aerogear/aerogear-unified-push-java-client/tree/security</a><br>
> > It's using preemptive Basic HTTP Authentication but we will<br>
> switch to<br>
> > a more "classic" flow when AGPUSH-99 will be resolved.<br>
> ><br>
> > Like Matthias said, it's "all in progress" work but "Push early,<br>
> Push often"<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis<br>
> <<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a> <mailto:<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a>><br>
</div><div class="im">> > <mailto:<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a> <mailto:<a href="mailto:cvasilak@gmail.com">cvasilak@gmail.com</a>>>> wrote:<br>
> ><br>
> > looks great!<br>
> ><br>
> > On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf<br>
> <<a href="mailto:matzew@apache.org">matzew@apache.org</a> <mailto:<a href="mailto:matzew@apache.org">matzew@apache.org</a>><br>
</div><div><div class="h5">> > <mailto:<a href="mailto:matzew@apache.org">matzew@apache.org</a> <mailto:<a href="mailto:matzew@apache.org">matzew@apache.org</a>>>> wrote:<br>
> ><br>
> >> Hi,<br>
> >><br>
> >> I worked a bit on the initial security, after Bruno released the<br>
> >> 1.0.1 versions of AG-Security.<br>
> >><br>
> >><br>
> >><br>
> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants</a>>Management<br>
> >> of PushApplications and MobileVariants<br>
> >><br>
> >> Adding a (simple) /DEVELOPER/ class (just that, no /fancy/<br>
> roles yet).<br>
> >> This is powered by AG-Security and the very well-known<br>
> >> "login"/"logout" will be used (and soon "enroll" for new users).<br>
> >><br>
> >> A /DEVELOPER/ is allowed to create/manage PushApplications and<br>
> >> MobileVariants (including the standard CRUD flow).<br>
> >><br>
> >> Here is a little cURL based flow:<br>
> >><br>
> >><br>
> >> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login</a>>Login:<br>
> >><br>
> >> |curl -v -b cookies.txt -c cookies.txt<br>
> >> -H"Accept: application/json" -H"Content-type:<br>
> application/json"<br>
> >> -X POST<br>
> >> -d'{"loginName":"admin","password":"123"}'<br>
> >> <a href="http://localhost:8080/ag-push/rest/auth/login" target="_blank">http://localhost:8080/ag-push/rest/auth/login</a><br>
> >> |<br>
> >><br>
> >><br>
> >><br>
> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp</a>>Create<br>
> >> new PushApp:<br>
> >><br>
> >> |curl -v -b cookies.txt -c cookies.txt -v<br>
> >> -H"Accept: application/json" -H"Content-type:<br>
> application/json"<br>
> >> -X POST<br>
> >> -d'{"name" :"MyApp","description" :"awesome app" }'<br>
> >> <a href="http://localhost:8080/ag-push/rest/applications" target="_blank">http://localhost:8080/ag-push/rest/applications</a><br>
> >> |<br>
> >><br>
> >><br>
> >><br>
> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it</a>>Create<br>
> >> Variant (here SimplePush) for it:<br>
> >><br>
> >> |curl -v -b cookies.txt -c cookies.txt -v<br>
> >> -H"Accept: application/json" -H"Content-type:<br>
> application/json"<br>
> >> -X POST<br>
> >> -d'{"pushNetworkURL" :"<a href="http://localhost:7777/endpoint/" target="_blank">http://localhost:7777/endpoint/</a>"}'<br>
> >><br>
> <a href="http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush" target="_blank">http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush</a><br>
> <<a href="http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush" target="_blank">http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush</a>><br>
> >> |<br>
> >><br>
> >><br>
> >><br>
> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications</a>>Sending<br>
> >> Push Notifications<br>
> >><br>
> >> When a PushApplication is created, it will get a GENERATED<br>
> >> /PUSH-APP-ID/ (like before) and it will also have a generated<br>
> >> /master secret/. For sending (NOW) you need HTTP BASIC auth<br>
> >> against the SENDER HTTP interface:<br>
> >><br>
> >> |curl -u"{PushApplicationID}:{MasterSecret}"<br>
> >> -v -H"Accept: application/json" -H"Content-type:<br>
> application/json"<br>
> >> -X POST<br>
> >><br>
> -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7,<br>
> >> "simple-push":"version=123"}'<br>
> >><br>
> >> <a href="http://localhost:8080/ag-push/rest/sender/broadcast" target="_blank">http://localhost:8080/ag-push/rest/sender/broadcast</a><br>
> >> |<br>
> >><br>
> >> The user is a combination of PushApplicationID:MasterSecret,<br>
> hence<br>
> >> no need to include the PushApplicationID on the URL.....<br>
> >><br>
> >><br>
> >><br>
> <<a href="https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration" target="_blank">https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration</a>>Device<br>
> >> Registration<br>
> >><br>
> >> When a MobileVariant is created, it will get a GENERATED<br>
> >> /VARIANT-ID/ (like before) and it will have a generated "variant<br>
> >> secret" (valid ONLY!!! for that variant). Now a device needs to<br>
> >> perform HTTP basic against that server, in order to register<br>
> itself:<br>
> >><br>
> >> An Android (cURL) example:<br>
> >><br>
> >> |curl -u"{MobileVariantID}:{secret}"<br>
> >> -v -H"Accept: application/json" -H"Content-type:<br>
> application/json"<br>
> >> -X POST<br>
> >> -d'{<br>
> >> "deviceToken" :"someTokenString",<br>
> >> "deviceType" :"ANDROID",<br>
> >> "mobileOperatingSystem" :"android",<br>
> >> "osVersion" :"4.0.1"<br>
> >> }'<br>
> >><br>
> >> <a href="http://localhost:8080/ag-push/rest/registry/device" target="_blank">http://localhost:8080/ag-push/rest/registry/device</a><br>
> >> |<br>
> >><br>
> >> The user is a combination of MobileVariantID:MasterSecret, hence<br>
> >> no need to include the MobileVariantID (was a http header in the<br>
> >> past).<br>
> >><br>
> >> The work lives on a branch for now:<br>
> >><br>
> <a href="https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security" target="_blank">https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security</a><br>
> >><br>
> >><br>
> >> FYI, the iOS SDK has been updated to reflect that:<br>
> >><br>
> <a href="https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07" target="_blank">https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07</a><br>
> >><br>
> >><br>
> >> --<br>
> >> Matthias Wessendorf<br>
> >><br>
> >> blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
> >> sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
> >> twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
> >> _______________________________________________<br>
> >> aerogear-dev mailing list<br>
> >> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> <mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>><br>
</div></div>> <mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<div class="im">> <mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>>><br>
> >> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> ><br>
> ><br>
</div>
<div class="im">
><br>
</div><div class="im">> --<br>
> abstractj<br>
><br>
</div>
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
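The reply above describes the trade-off between checking roles "by code" inside each endpoint and letting an interceptor do it, and notes that the interceptor's runtime exception surfaced to cURL as a generic "bad request" instead of a 401. The block below is an added example written for this page, not the AeroGear Unified Push Server's own SecurityInterceptor or AG-Security code: it shows a CDI interceptor bound to a @Secure annotation together with a JAX-RS ExceptionMapper, which is the piece that turns the thrown exception into a real 401 or 403. The LoginState interface, the RoleCheckInterceptor, the AccessDeniedException and the ExampleApplicationsEndpoint are all hypothetical names introduced here, and role names are assumed to be plain strings.

```java
// Added example, not AeroGear project code. A CDI interceptor bound to
// @Secure enforces "logged in + has one of these roles", and a JAX-RS
// ExceptionMapper answers 401/403 instead of a generic error when it fails.
// LoginState is a hypothetical stand-in for the real session lookup.
import java.lang.annotation.*;
import java.util.*;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.*;

/** Marks a resource method (or class) as requiring a logged-in user with one of the given roles. */
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface Secure {
    // @Nonbinding: the interceptor is selected regardless of which roles are listed.
    @Nonbinding String[] value() default {};
}

/** Hypothetical view of the current session (assumption; not a real AG-Security type). */
interface LoginState {
    boolean isLoggedIn();
    Set<String> roles();
}

/** Unchecked exception that also carries the HTTP status the mapper should answer with. */
class AccessDeniedException extends RuntimeException {
    final int status;
    AccessDeniedException(int status, String message) {
        super(message);
        this.status = status;
    }
}

/** Enabled through the interceptors element of beans.xml (or @Priority on Java EE 7 and later). */
@Secure
@Interceptor
class RoleCheckInterceptor {
    @Inject
    LoginState login;

    @AroundInvoke
    public Object check(InvocationContext ctx) throws Exception {
        Secure secure = ctx.getMethod().getAnnotation(Secure.class);
        if (secure == null) {
            // Class-level binding: read the roles from the declaring class instead.
            secure = ctx.getMethod().getDeclaringClass().getAnnotation(Secure.class);
        }
        if (!login.isLoggedIn()) {
            throw new AccessDeniedException(401, "authentication required");
        }
        // No roles listed means "any logged-in user"; otherwise at least one must match.
        List<String> required = secure == null ? Collections.<String>emptyList()
                                               : Arrays.asList(secure.value());
        if (!required.isEmpty() && Collections.disjoint(required, login.roles())) {
            throw new AccessDeniedException(403, "one of these roles is required: " + required);
        }
        return ctx.proceed();
    }
}

/** Maps the interceptor's exception to a proper status code; the message is our own constant text. */
@Provider
class AccessDeniedMapper implements ExceptionMapper<AccessDeniedException> {
    @Override
    public Response toResponse(AccessDeniedException e) {
        return Response.status(e.status)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"" + e.getMessage() + "\"}")
                .build();
    }
}

/** Usage: the role check lives in the annotation, not in the endpoint body. Hypothetical endpoint. */
@Path("/example-applications")
class ExampleApplicationsEndpoint {
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Secure({"developer"})
    public Response register(String body) {
        // ... persist the application and return it ...
        return Response.status(Response.Status.CREATED).build();
    }
}
```

Two notes on the design. The mapper is what makes the difference the reply complains about: without a registered ExceptionMapper, an exception thrown from inside an interceptor is reported by the JAX-RS runtime however it sees fit, which is why cURL saw "bad request" rather than 401. And for the endpoints the thread protects with HTTP Basic (sender and device registration), a 401 should also carry a WWW-Authenticate header so that clients know which scheme to use; the mapper above omits it because the developer endpoints in the thread use a cookie-based login instead.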
</div></div>