<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br><br>Sent from my iPhone</div><div><br>On 17 June 2014 at 18:37, Matthias Wessendorf &lt;<a href="mailto:matzew@apache.org">matzew@apache.org</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 17, 2014 at 4:26 PM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Good morning peeps,<br>
<br>
I have a problem to solve which might affect the Sender and<br>
all the related clients.<br>
<br>
Previously, the UPS Sender was protected by the basic authentication<br>
method[1], so anyone in possession of _PushApplicationID_ and<br>
_MasterSecret_ is able to send push messages.<br>
<br>
After the integration with Keycloak, now everything under _/rest_<br>
is properly protected by KC, which is totally correct. Our sender is under<br>
the same umbrella, which means that now Bearer token authentication is<br>
required[2] and Basic authentication won't exist anymore.<br></blockquote><div><br></div><div><br></div><div>The device (un)registration endpoints are hit by this as well (/rest/registry/device/*).<div><br></div><div>
I am wondering if it isn't possible to keep those URLs protected via HTTP_BASIC, or does the keycloak.js usage deny this?</div><div><br></div><div>On master (plain keycloak; before keycloak.js usage) we are doing an exclude for those URLs:</div>
<div><a href="https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/webapp/WEB-INF/web.xml#L46-L52">https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/webapp/WEB-INF/web.xml#L46-L52</a><br>
</div><div><br></div><div><br></div><div>IMO if possible, keeping these 'exceptions' (or excludes) under HTTP_BASIC would be the simplest solution, as that means none of our client SDKs (Android, iOS, Cordova, Node.js Sender, Java Sender etc.) would require an update.</div></div></div></div></div></div></blockquote>+9001<div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>
<div><br></div><div>-Matthias</div></div><div><br></div><div><br></div><div><br></div><div>&nbsp;</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
The consequence of this is the basic form being presented when you try<br>
to send push notifications[3]. The problem didn't occur before, because<br>
we were just using Basic authentication[4] instead of Bearer tokens.<br>
<br>
Possible solutions:<br>
<br>
1. After the removal of Basic authentication, move _PushApplicationID_<br>
and _MasterSecret_ to HTTP headers like:<br>
<br>
-H "PushApplicationID: XXXXXX" -H "MasterSecret: 42"<br>
<br>
IMO it sounds correct and reasonable to me.<br>
<br>
2. Create a role specific for the sender like _push-applications_ and<br>
dynamically add _PushApplicationID_ and _MasterSecret_ on Keycloak, where:<br>
<br>
username: _PushApplicationID_<br>
password: _MasterSecret_<br>
<br>
The implication of this alternative is that we have to manage those<br>
credentials on the server side (inclusion/exclusion/login).<br>
<br>
3. Implement another authentication provider specifically for the sender<br>
and Basic authentication[5]<br>
<br>
4. Do nothing. The consequence of this alternative is having to implement<br>
everything already done by Keycloak.js and manage session tokens by hand<br>
on the admin-ui.<br>
<br>
To me the first alternative seems to be simpler, but I really want<br>
your feedback on it, since it affects the whole project.<br>
<br>
[1] -<br>
<a href="https://github.com/aerogear/aerogear-unifiedpush-server/blob/6c1a0d3fedea8fb6ba918009fd8e9785779c151f/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/sender/PushNotificationSenderEndpoint.java#L56" target="_blank">https://github.com/aerogear/aerogear-unifiedpush-server/blob/6c1a0d3fedea8fb6ba918009fd8e9785779c151f/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/sender/PushNotificationSenderEndpoint.java#L56</a><br>

<br>
[2] -<br>
<a href="https://github.com/abstractj/aerogear-unifiedpush-server/tree/keycloak.js" target="_blank">https://github.com/abstractj/aerogear-unifiedpush-server/tree/keycloak.js</a><br>
[3] -<br>
<a href="http://photon.abstractj.org/AeroGear_UnifiedPush_Server_2014-06-17_10-00-09_2014-06-17_10-00-12.jpg" target="_blank">http://photon.abstractj.org/AeroGear_UnifiedPush_Server_2014-06-17_10-00-09_2014-06-17_10-00-12.jpg</a><br>

<br>
[4] -<br>
<a href="https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/webapp/WEB-INF/web.xml#L57" target="_blank">https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/webapp/WEB-INF/web.xml#L57</a><br>

<br>
[5] - <a href="https://github.com/keycloak/keycloak/tree/master/examples/providers/authentication-properties" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/providers/authentication-properties</a><br>

<br>
--<br>
<br>
abstractj<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
</div></blockquote></div></body></html>