Basic/Digest issue with the Controller or AG Security?
by Matthias Wessendorf
Hi,
when looking into HTTP Basic/Digest for iOS, Christos noticed a problem
with that, on the Controller demo (using AG-Security).
I have checked his issues and they are "visible" in cURL "environment" as
well.
Steps to reproduce
- Clone the AG-Controller demo <https://github.com/aerogear/aerogear-controller-demo>
- Update the web.xml to use the BASIC Filter
(here <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main...>
and here <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main...>).
- Make *SURE* that the Digest section is commented out :-)
- Deploy the WAR to your JBoss Application Server
Now some tests with BASIC (and the default user john:123):
curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v
This works, as expected!
curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v
This does *NOT* work, as expected!
Cookies?
Christos and I noticed the server does return the Set-Cookie: response
header, so the cookie can/will be stored on the client.
Now let's do this:
curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"http://localhost:8080/aerogear-controller-demo/autobots" -v
Perfect, works as well
But now, let's do this:
curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"http://localhost:8080/aerogear-controller-demo/autobots" -v
Unfortunately, this works as well, since the session is reused due to the
cookies... So, when the session is stored on the client, it is possible to
switch the credentials "on the fly".
Question / Comments
- Not really sure, but for Basic/Digest should the server really send the
Set-Cookie: response header back to the client?
- Not sure this is something on the controller, AG-Security or even
PicketLink, but perhaps the Set-Cookie: could be removed when sending
the response for Basic/Digest.
Any thoughts on this?
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
11 years, 6 months
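To make the session-reuse problem in the thread above concrete, here is a small Python model (an added example, not code from the post or from the AeroGear project) of the two cURL flows: one handler that lets a stored session cookie satisfy a Basic-protected resource, beside one that re-checks the credentials on every request and never emits Set-Cookie for it. The user store and session ids are constructed.

```python
import base64
import secrets

# Constructed user store matching the demo's default credentials (john:123).
USERS = {"john": "123"}

def parse_basic(header):
    """Decode 'Authorization: Basic <base64>' into (user, password), else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def credentials_ok(creds):
    return creds is not None and USERS.get(creds[0]) == creds[1]

def vulnerable_handle(auth_header, cookie, sessions):
    """Behaviour described in the post: a stored session cookie short-circuits
    the credential check, so john:007 is accepted once john:123 has logged in."""
    if cookie in sessions:
        return 200, None
    creds = parse_basic(auth_header)
    if not credentials_ok(creds):
        return 401, None
    sid = secrets.token_hex(16)
    sessions[sid] = creds[0]
    return 200, sid  # Set-Cookie: the client (curl -c) stores this id

def hardened_handle(auth_header, cookie, sessions):
    """Basic auth is per-request: verify the credentials every time, ignore any
    session cookie for this endpoint, and never emit Set-Cookie for it."""
    if not credentials_ok(parse_basic(auth_header)):
        return 401, None
    return 200, None

def curl_flow(handler):
    """Replay the post's two cURL calls sharing one cookie jar (-b/-c cookies.txt)."""
    sessions, jar, statuses = {}, None, []
    for user, password in (("john", "123"), ("john", "007")):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, set_cookie = handler("Basic " + token, jar, sessions)
        if set_cookie:
            jar = set_cookie
        statuses.append(status)
    return statuses
```

curl_flow(vulnerable_handle) returns [200, 200] (the wrong password rides on the cookie), while curl_flow(hardened_handle) returns [200, 401].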
AeroGear Controller 1.0.1 Staged
by Bruno Oliveira
Hi peeps, AeroGear Controller 1.0.1 was staged under
https://repository.jboss.org/nexus/content/repositories/jboss_releases_st...
profile.
Have fun and let me know if you find any issue. I'm planning to release
it on Thursday.
- Changelog
* Merge branch 'AEROGEAR-1257'
* Controller should never return the body into a request with OPTIONS
enabled
* Merge branch 'AEROGEAR-1058-accept-header-matching'
* Adding Route test for Accept header range.
* Adding 'type/*' support for Responders to match the requested media
type.
* Extracting 'Accept' header will now only extract the media-range
and not any params.
* deprecating this release process
* enable notifications
* Merge branch 'AEROGEAR-1074-default-error-view-bug'
* AEROGEAR-1074 "Default ErrorViewResolver is not in use."
* Merge branch 'AEROGEAR-1031-content-type-consumers'
* Inlining the unmarshalling method call.
* Extracting consumer lookup from extractBody method.
* AEROGEAR-1031 "Controller should inspect Content-Type header"
* Merge branch 'AEROGEAR-1019-advanced-path-params'
* Adding additional tests and asserts.
* Adding checks for matching a config path to a real path.
* AEROGEAR-1019 Adding support for advanced path params
* Merge branch 'travis'
* Minimal configuration for travis
* Merge branch 'AEROGEAR-991-constant-params'
* Renaming the string field to stringParam.
* Renaming str -> string
* Adding docs to processPaginatedAnnotation
* Adding javadocs and minor refactoring.
* Renaming ParametersTest -> ParameterExtractorTest
* AEROGEAR-991 "Add support for constant parameters for endpoint
methods."
* Merge branch 'AEROGEAR-1068-next-link'
* AEROGEAR-1068 "Next" link returned when there is not a next page"
* Bump up to 1.0.1
* Merge branch 'AEROGEAR-479-update-iogi'
* Updating iogi to 0.9.2
* Merge branch 'sebastienblanc-AEROGEAR-1006'
* correct indents
* add Type for all request params
* AEROGEAR-1006
--
abstractj
11 years, 6 months
Push Package
by Daniel Passos
Playing with the push server I see that some projects are using
org.aerogear instead of org.jboss.aerogear. Is this correct?
aerogear-unified-push-server
aerogear-unified-push-java-client
aerogear-push-quickstart-backend
Att,
Daniel Passos
11 years, 6 months
Initial Security for AeroGear UnifiedPush
by Matthias Wessendorf
Hi,
I worked a bit on the initial security, after Bruno release the 1.0.1
versions of AG-Security.
Management of PushApplications and MobileVariants
Adding a (simple) *DEVELOPER* class (just that, no *fancy* roles yet).
This is powered by AG-Security and the well-known "login"/"logout" will
be used (and soon "enroll" for new users).
A *DEVELOPER* is allowed to create/manage PushApplications and
MobileVariants (including the standard CRUD flow).
Here is a little cURL based flow:
Login:
curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"loginName": "admin", "password":"123"}' \
  http://localhost:8080/ag-push/rest/auth/login
Create new PushApp:
curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"name" : "MyApp", "description" : "awesome app"}' \
  http://localhost:8080/ag-push/rest/applications
Create Variant (here SimplePush) for it:
curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}' \
  http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush
Sending Push Notifications
When a PushApplication is created, it will get a GENERATED *PUSH-APP-ID* (like
before) and it will also have a generated *master secret*. For sending
(NOW) you need HTTP BASIC auth against the SENDER HTTP interface:
curl -u "{PushApplicationID}:{MasterSecret}" \
  -v -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7,
       "simple-push":"version=123"}' \
  http://localhost:8080/ag-push/rest/sender/broadcast
The user is a combination of PushApplicationID:MasterSecret, hence no need
to include the PushApplicationID on the URL.....
Device Registration
When a MobileVariant is created, it will get a GENERATED *VARIANT-ID* (like
before) and it will have a generated "variant secret" (valid ONLY!!! for
that variant). Now a device needs to perform HTTP basic against that
server, in order to register itself:
An Android (cURL) example:
curl -u "{MobileVariantID}:{secret}" \
  -v -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{
        "deviceToken" : "someTokenString",
        "deviceType" : "ANDROID",
        "mobileOperatingSystem" : "android",
        "osVersion" : "4.0.1"
      }' \
  http://localhost:8080/ag-push/rest/registry/device
The user is a combination of MobileVariantID:MasterSecret, hence no need to
include the MobileVariantID (was a http header in the past).
The work lives on a branch for now:
https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se...
FYI, the iOS SDK has been updated to reflect that:
https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684...
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
11 years, 6 months
iOS - upgrading AFNetworking library
by Christos Vasilakis
Hi,
just a heads up for the current status.
We are in the process of upgrading our underlying networking library that supports 5.0 onwards. We started with the 1.2.1 version but unfortunately a regression bug was discovered that affects our authentication challenge. More details can be found on the library issue here [1].
Nevertheless the bug has been fixed in its recent version so we are currently testing 1.3.1
Thanks
Christos
[1] https://github.com/AFNetworking/AFNetworking/issues/1027
11 years, 6 months
Android "push" branch
by Matthias Wessendorf
Trying the push branch, I am getting a little error:
[INFO] ------------------------------------------------------------------------
[INFO] Building AeroGear Android Libary 1.2.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for
com.google.android.gms:google-play-services:apklib:7 is missing, no
dependency information available
[WARNING] The POM for
com.google.android.gms:google-play-services:jar:7 is missing, no
dependency information available
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.314s
[INFO] Finished at: Wed Jun 19 15:37:22 CEST 2013
[INFO] Final Memory: 10M/146M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project aerogear-android: Could not
resolve dependencies for project
org.jboss.aerogear:aerogear-android:apklib:1.2.0-SNAPSHOT: The
following artifacts could not be resolved:
com.google.android.gms:google-play-services:apklib:7,
com.google.android.gms:google-play-services:jar:7: Failure to find
com.google.android.gms:google-play-services:apklib:7 in
https://repository.jboss.org/nexus/content/groups/public-jboss/ was
cached in the local repository, resolution will not be reattempted
until the update interval of jboss-public-repository-group has elapsed
or updates are forced -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with
the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExce...
Selected branch: push branch
pluto:aerogear-android matzew$ git branch
master
* push
Not sure if that is on my side, but I had to do this:
- In the Android SDK Manager I was installing the 2.1 (API Level 7),
- afterwards did invoke this on the *lovely* maven-android-sdk-deployer:
mvn install -P 2.1
Afterwards the build just worked fine!
Since our README talks about -P .4.1 I am not sure if that's something
here, or more on my side.
I'd be happy to update the doc, if we really require API Level 7 (not sure,
hence the email)
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
11 years, 6 months