On Wed, Jun 19, 2013 at 5:47 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Hi Matthias I have some questions.

Matthias Wessendorf wrote:
> FYI
>
> JIRAs for the "initial" security work:
>
>
> All the endpoints are now secured:
> https://issues.jboss.org/browse/AGPUSH-59
>
> Details on the actual enpoints, on the AGSEC JIRA:
>

For the endpoints below.

> Enpoint for Push Apps is secure (using AG-Security):
> https://issues.jboss.org/browse/AGSEC-51

Why?

-
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L52

-
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L74

-
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L84

-
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L102

-
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/PushApplicationEndpoint.java#L131


>
> Enpoint for {Android|iOS|SimplePush} Variants is secure (using AG-Security):
> https://issues.jboss.org/browse/AGSEC-52

https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AndroidVariantEndpoint.java#L67

Well the same to the rest of the code and endpoints. Why are we doing
it? As far as I know we just introduced an interceptor for it:

https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/cdi/interceptor/SecurityInterceptor.java#L50

Which could be used with:

@Secure({admin, developer})
public void myPrettyEndpoint(){}

If I'm reading it correctly, you're not checking for which roles the
current logged in user has
https://github.com/aerogear/aerogear-unified-push-server/blob/master/src/main/java/org/jboss/aerogear/connectivity/rest/registry/applications/AbstractApplicationRegistrationEndpoint.java#L27


correct - currenlty there are no real different roles. It's (currently) just a "developer".

 



We have 2 alternatives:

- If the interceptors are not a good fit, just delete it

I think I didn't use it, because it throws an RT exception (no problem with that), which I could catch on the RestEasy layer.
Instead of (for unauthorized invokes) returning 401 (to cURL, for instance), it was just "bad request".

So, I went for the "check by code" solution first. Not saying that I am AGAINST the interceptor.

I think on the long run that would be better and cleaner.   


I can give the Interceptor another shot, but not today.

Ok ? 


 
- Refactor the whole group of endpoints to make use of interceptors

Let me know what do you want to do.


>
> Enpoint for Device Registration is secure (Using HTTP Basic):
> https://issues.jboss.org/browse/AGSEC-50
>
> Enpoint for SENDING is secure (Using HTTP Basic):
> https://issues.jboss.org/browse/AGSEC-54
>
>
>
>
> On Wed, Jun 19, 2013 at 11:56 AM, Bruno Oliveira <bruno@abstractj.org
> <mailto:bruno@abstractj.org>> wrote:
>
>     Thanks Sebi, I'll look at this.
>
>     Sebastien Blanc wrote:
>      > FYI,
>      >
>      > A "security" Java Sender branch has also been pushed :
>      >
>     https://github.com/aerogear/aerogear-unified-push-java-client/tree/security
>      > It's using preemptive Basic Http Authentification but we will
>     switch to
>      > a more "classic" flow when AGPUSH-99 will be resolved.
>      >
>      > Like Matthias said is "all in progress" work but "Push early,
>     Push often"
>      >
>      >
>      >
>      >
>      > On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis
>     <cvasilak@gmail.com <mailto:cvasilak@gmail.com>
>      > <mailto:cvasilak@gmail.com <mailto:cvasilak@gmail.com>>> wrote:
>      >
>      >     looks great!
>      >
>      >     On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf
>     <matzew@apache.org <mailto:matzew@apache.org>
>      > <mailto:matzew@apache.org <mailto:matzew@apache.org>>> wrote:
>      >
>      >>     Hi,
>      >>
>      >>     I worked a bit on the initial security, after Bruno release the
>      >>     1.0.1 versions of AG-Security.
>      >>
>      >>
>      >>
>     <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants>Management
>      >>         of PushApplications and MobileVariants
>      >>
>      >>     Adding a (simple) /DEVELOPER/ class (just that, no /fancy/
>     roles yet).
>      >>     This is powered by AG-Security and the very wellknown
>      >> "login"/"logout" will be used (and soon "enroll" for new users).
>      >>
>      >>     A /DEVELOPER/ is allowed to create/manage PushApplications and
>      >>     MobileVariants (including the standard CRUD flow).
>      >>
>      >>     Here is a little cURL based flow:
>      >>
>      >>
>      >> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login:
>      >>
>      >>     |curl -v -b cookies.txt -c cookies.txt
>      >>        -H"Accept: application/json"  -H"Content-type:
>     application/json"
>      >>        -X POST
>      >>        -d'{"loginName":"admin","password":"123"}'
>      >> http://localhost:8080/ag-push/rest/auth/login
>      >>     |
>      >>
>      >>
>      >>
>     <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>Create
>      >>             new PushApp:
>      >>
>      >>     |curl -v -b cookies.txt -c cookies.txt -v
>      >>        -H"Accept: application/json"  -H"Content-type:
>     application/json"
>      >>        -X POST
>      >>        -d'{"name"  :"MyApp","description"  :"awesome app"  }'
>      >> http://localhost:8080/ag-push/rest/applications
>      >>     |
>      >>
>      >>
>      >>
>     <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it>Create
>      >>             Variant (here SimplePush) for it:
>      >>
>      >>     |curl -v -b cookies.txt -c cookies.txt -v
>      >>        -H"Accept: application/json"  -H"Content-type:
>     application/json"
>      >>        -X POST
>      >>        -d'{"pushNetworkURL"  :"http://localhost:7777/endpoint/"}'
>      >>
>     http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush
>     <http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush>
>      >>     |
>      >>
>      >>
>      >>
>     <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications>Sending
>      >>         Push Notifications
>      >>
>      >>     When a PushApplication is created, it will get a GENERATED
>      >>     /PUSH-APP-ID/ (like before) and it will also have a generated
>      >>     /master secret/. For sending (NOW) you need HTTP BASIC auth
>      >>     against the SENDER HTTP interface:
>      >>
>      >>     |curl -u"{PushApplicationID}:{MasterSecret}"
>      >>         -v -H"Accept: application/json"  -H"Content-type:
>     application/json"
>      >>         -X POST
>      >>
>     -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7,
>      >> "simple-push":"version=123"}'
>      >>
>      >> http://localhost:8080/ag-push/rest/sender/broadcast
>      >>     |
>      >>
>      >>     The user is a combination of PushApplicationID:MasterSecret,
>     hence
>      >>     no need to include the PushApplicationID on the URL.....
>      >>
>      >>
>      >>
>     <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>Device
>      >>         Registration
>      >>
>      >>     When a MobileVariant is created, it will get a GENERATED
>      >>     /VARIANT-ID/ (like before) and it will have a generated "variant
>      >>     secret" (valid ONLY!!! for that variant). Now a device needs to
>      >>     perform HTTP basic against that server, in order to register
>     itself:
>      >>
>      >>     An Android (cURL) example:
>      >>
>      >>     |curl -u"{MobileVariantID}:{secret}"
>      >>         -v -H"Accept: application/json"  -H"Content-type:
>     application/json"
>      >>         -X POST
>      >>         -d'{
>      >> "deviceToken"  :"someTokenString",
>      >> "deviceType"  :"ANDROID",
>      >> "mobileOperatingSystem"  :"android",
>      >> "osVersion"  :"4.0.1"
>      >>          }'
>      >>
>      >> http://localhost:8080/ag-push/rest/registry/device
>      >>     |
>      >>
>      >>     The user is a combination of MobileVariantID:MasterSecret, hence
>      >>     no need to include the MobileVariantID (was a http header in the
>      >>     past).
>      >>
>      >>     The work lives on a branch for now:
>      >>
>     https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security
>      >>
>      >>
>      >>     FYI, the iOS SDK has been updated to reflect that:
>      >>
>     https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07
>      >>
>      >>
>      >>     --
>      >>     Matthias Wessendorf
>      >>
>      >>     blog: http://matthiaswessendorf.wordpress.com/
>      >>     sessions: http://www.slideshare.net/mwessendorf
>      >>     twitter: http://twitter.com/mwessendorf
>      >>     _______________________________________________
>      >>     aerogear-dev mailing list
>      >> aerogear-dev@lists.jboss.org
>     <mailto:aerogear-dev@lists.jboss.org>
>     <mailto:aerogear-dev@lists.jboss.org
>     <mailto:aerogear-dev@lists.jboss.org>>
>      >> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>      >
>      >
>      >     _______________________________________________
>      >     aerogear-dev mailing list
>      > aerogear-dev@lists.jboss.org
>     <mailto:aerogear-dev@lists.jboss.org>
>     <mailto:aerogear-dev@lists.jboss.org
>     <mailto:aerogear-dev@lists.jboss.org>>
>      > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>      >
>      >
>      > _______________________________________________
>      > aerogear-dev mailing list
>      > aerogear-dev@lists.jboss.org <mailto:aerogear-dev@lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>     --
>     abstractj
>
>     _______________________________________________
>     aerogear-dev mailing list
>     aerogear-dev@lists.jboss.org <mailto:aerogear-dev@lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

--
abstractj

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf