June 2013 - aerogear-dev - Jboss List Archives

Basic/Digest issue with the Controller or AG Security?

by Matthias Wessendorf

Hi, when looking into HTTP Basic/Digest for iOS, Christos noticed a problem with that, on the Controller demo (using AG-Security). I have checked his issues and they are "visible" in cURL "environment" as well. Steps to reproduce - Clone the AG-Controller demo<https://github.com/aerogear/aerogear-controller-demo> - Update the web.xml to use the BASIC Filter (here<https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main...> and here<https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main...> ). - Make *SURE* that the Digiest section is commented out :-) - Deploy the WAR to your JBoss Application Server Now some tests with BASIC (and the default user john:123): curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v This works, as expected! curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v This does *NOT* work, as expected! <https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies->Cookies ? Christos and I noticed the server does return the Set-Cookie: response header, so the cookie can/will be stored on the client. Now let's do this: curl --basic -b cookies.txt -c cookies.txt -u john:123 \ "http://localhost:8080/aerogear-controller-demo/autobots" -v Perfect, works as well But now, let's do this: curl --basic -b cookies.txt -c cookies.txt -u john:007 \ "http://localhost:8080/aerogear-controller-demo/autobots" -v Unfortunatley, this works as well, since the session is reused, due to the cookies... So, when the session is stored on the client, it is possible to switch the credentials "on the fly". <https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments>Question / Comments - Not really sure, but for Basic/Digest should the server really send Set-Cookie: response header back to the client ? - Not sure this is something on the controller, AG-Security or even PicketLink, but perhaps theSet-Cookie: could be removed, when sending the response for Basic/Digest Ant thoughts on this ? -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf

11 years, 1 month

4
7
0 / 0

Digest Auth Cookie in controller-demo

by Christos Vasilakis

Hi, noticed that doing Digest auth against the controller-demo running in [1] a session cookie is set on the client side. I can reuse the cookie to login with curl (without -u) but wondered if its proper or it's an older version running there? Thanks Christos [1] http://controller-aerogear.rhcloud.com/aerogear-controller-demo/autobots

11 years, 1 month

1
0
0 / 0

AeroGear Controller 1.0.1 Staged

by Bruno Oliveira

Hi peeps, AeroGear Controller 1.0.1 was staged under https://repository.jboss.org/nexus/content/repositories/jboss_releases_st... profile. Have fun and let me know if you find any issue. I'm planning to release it on Thursday. - Changelog * Merge branch 'AEROGEAR-1257' * Controller should never return the body into a request with OPTIONS enabled * Merge branch 'AEROGEAR-1058-accept-header-matching' * Adding Route test for Accept header range. * Adding 'type/*' support for Responders to match the requested media type. * Extracting 'Accept' header will now only extract the media-range and not any params. * deprecating this release process * enable notifications * Merge branch 'AEROGEAR-1074-default-error-view-bug' * AEROGEAR-1074 "Default ErrorViewResolver is not in use." * Merge branch 'AEROGEAR-1031-content-type-consumers' * Inlining the unmarshalling method call. * Extracting consumer lookup from extractBody method. * AEROGEAR-1031 "Controller should inspect Content-Type header" * Merge branch 'AEROGEAR-1019-advanced-path-params' * Adding additional tests and asserts. * Adding checks for matching a config path to a real path. * AEROGEAR-1019 Adding suppport for advanced path params * Merge branch 'travis' * Minimal configuration for travis * Merge branch 'AEROGEAR-991-constant-params' * Renaming the string field to stringParam. * Renaming str -> string * Adding docs to processPaginatedAnnotation * Adding javadocs and minor refactoring. * Renaming ParametersTest -> ParameterExtractorTest * AEROGEAR-991 "Add support for constant parameters for endpoint methods." * Merge branch 'AEROGEAR-1068-next-link' * AEROGEAR-1068 "Next" link returned when there is not a next page" * Bump up to 1.0.1 * Merge branch 'AEROGEAR-479-update-iogi' * Updating iogi to 0.9.2 * Merge branch 'sebastienblanc-AEROGEAR-1006' * correct indents * add Type for all request params * AEROGEAR-1006 -- abstractj

11 years, 1 month

1
1
0 / 0

Push Package

by Daniel Passos

Playing with the push server I see that some projects are using org.aerogear instead of org.jboss.aerogear. Is this correct? aerogear-unified-push-server aerogear-unified-push-java-client aerogear-push-quickstart-backend Att, Daniel Passos

11 years, 1 month

4
6
0 / 0

Initial Security for AeroGear UnifiedPush

by Matthias Wessendorf

Hi, I worked a bit on the initial security, after Bruno release the 1.0.1 versions of AG-Security. <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-push...>Management of PushApplications and MobileVariants Adding a (simple) *DEVELOPER* class (just that, no *fancy* roles yet). This is powered by AG-Security and the very wellknown "login"/"logout" will be used (and soon "enroll" for new users). A *DEVELOPER* is allowed to create/manage PushApplications and MobileVariants (including the standard CRUD flow). Here is a little cURL based flow: <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login: curl -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"loginName": "admin", "password":"123"}'http://localhost:8080/ag-push/rest/auth/login <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>Create new PushApp: curl -v -b cookies.txt -c cookies.txt -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"name" : "MyApp", "description" : "awesome app" }'http://localhost:8080/ag-push/rest/applications <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-her...>Create Variant (here SimplePush) for it: curl -v -b cookies.txt -c cookies.txt -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}'http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notif...>Sending Push Notifications When a PushApplication is created, it will get a GENERATED *PUSH-APP-ID* (like before) and it will also have a generated *master secret*. For sending (NOW) you need HTTP BASIC auth against the SENDER HTTP interface: curl -u "{PushApplicationID}:{MasterSecret}" -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7, "simple-push":"version=123"}' http://localhost:8080/ag-push/rest/sender/broadcast The user is a combination of PushApplicationID:MasterSecret, hence no need to include the PushApplicationID on the URL..... <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>Device Registration When a MobileVariant is created, it will get a GENERATED *VARIANT-ID* (like before) and it will have a generated "variant secret" (valid ONLY!!! for that variant). Now a device needs to perform HTTP basic against that server, in order to register itself: An Android (cURL) example: curl -u "{MobileVariantID}:{secret}" -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{ "deviceToken" : "someTokenString", "deviceType" : "ANDROID", "mobileOperatingSystem" : "android", "osVersion" : "4.0.1" }' http://localhost:8080/ag-push/rest/registry/device The user is a combination of MobileVariantID:MasterSecret, hence no need to include the MobileVariantID (was a http header in the past). The work lives on a branch for now: https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se... FYI, the iOS SDK has been updated to reflect that: https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684... -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf

11 years, 1 month

5
14
0 / 0

iOS - upgrading AFNetworking library

by Christos Vasilakis

Hi, just a heads up for the current status. We are in the process of upgrading our underlying networking library that supports 5.0 onwards. We started with the 1.2.1 version but unfortunately a regression bug was discovered that affects our authentication challenge. More details can be found on the library issue here [1]. Neverthless the bug has been fixed in its recent version so we are currently testing 1.3.1 Thanks Christos [1] https://github.com/AFNetworking/AFNetworking/issues/1027

11 years, 1 month

3
2
0 / 0

CORS: Help needed

by Matthias Wessendorf

Hi, trying to add CORS, to the Server (using RestEasy), I did this: https://github.com/aerogear/aerogear-unified-push-server/commit/7ccb2e7fb (and some more variations.... (e.g. see the comment out "Access-Control-Allow-Origin", where I am returing the EXACT Origin)) Here is a JavaScript sample: http://jsfiddle.net/JY6n4/ Just click on the "Register a device" button, and see the errors in the console.... So, I am always (with the above jsFiddle) getting: Origin http://fiddle.jshell.net is not allowed by Access-Control-Allow-Origin. regardless if I use "*" or "http://fiddle.jshell.net" (explicit Origin), on the "Access-Control-Allow-Origin". I always thought that "*" is a wildcard.... allowing everybody and their mother to access the server. BTW. This happens with jQuery _and_ vanilla.js (XHR)..... So....... I am really overasked, but ... is it possible that the response is correct (at least the setup / my src), but that RestEasy has any problems with that stuff ?? A few more eyes are highly appreciated on this "issue". thanks!! Matthias -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf

11 years, 1 month

4
10
0 / 0

Android "push" branch

by Matthias Wessendorf

Trying the push branch, I am getting a little error: [INFO] ------------------------------------------------------------------------ [INFO] Building AeroGear Android Libary 1.2.0-SNAPSHOT [INFO] ------------------------------------------------------------------------ [WARNING] The POM for com.google.android.gms:google-play-services:apklib:7 is missing, no dependency information available [WARNING] The POM for com.google.android.gms:google-play-services:jar:7 is missing, no dependency information available [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 3.314s [INFO] Finished at: Wed Jun 19 15:37:22 CEST 2013 [INFO] Final Memory: 10M/146M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project aerogear-android: Could not resolve dependencies for project org.jboss.aerogear:aerogear-android:apklib:1.2.0-SNAPSHOT: The following artifacts could not be resolved: com.google.android.gms:google-play-services:apklib:7, com.google.android.gms:google-play-services:jar:7: Failure to find com.google.android.gms:google-play-services:apklib:7 in https://repository.jboss.org/nexus/content/groups/public-jboss/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss-public-repository-group has elapsed or updates are forced -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExce... Selected branch: push branch pluto:aerogear-android matzew$ git branch master * push Not sure if that is on my site, but I had to do this: - In the Android SDK Manager I was installing the 2.1 (API Level 7), - afterwards did invoke this on the *lovely* maven-android-sdk-deployer: mvn install -P 2.1 Afterwards the build just worked fine! Since our README talks about -P .4.1 I am not sure if that's something here, or more on my site. I'd be happy to update the doc, if we really require API Level 7 (not sure, hence the email) -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf

11 years, 1 month

2
6
0 / 0

JS Notifier JIRA's

by Lucas Holmquist

peeps, Now that i'm back to the real world( no more keynote demo ), I've been doing some docs for our JS Notifier adapters, i've filed some JIRA's on things that i've found. Not really big issues, I can fix them easily. I know everyone is busy, but i just wanted to see what others thought https://issues.jboss.org/browse/AGJS-39 https://issues.jboss.org/browse/AGJS-38 https://issues.jboss.org/browse/AGJS-37 -Luke

11 years, 1 month

1
0
0 / 0

Push Authentication

by Daniel Passos

Howdy Can someone tell me why push server authentication uses "loginName"[1] instead of "username" like TODO, controller-demo, etc... All libs Android[2], iOS[3] and JavaScript[4] on authentication expect username/password Thoughts? [1] https://github.com/aerogear/aerogear-unified-push-server/commit/052c93f48... [2] https://github.com/aerogear/aero-gearandroid/blob/master/src/org/jboss/ae... [3] https://github.com/aerogear/aerogear-ios/blob/master/AeroGear-iOS/AeroGea... [4] https://github.com/aerogear/aerogear-js/blob/master/src/authentication/ad...

11 years, 1 month

6
8
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

aerogear-dev June 2013