Re: [aerogear-dev] Initial Security for AeroGear UnifiedPush

FYI, A "security" Java Sender branch has also been pushed : https://github.com/aerogear/aerogear-unified-push-java-client/tree/security It's using preemptive Basic Http Authentification but we will switch to a more "classic" flow when AGPUSH-99 will be resolved. Like Matthias said is "all in progress" work but "Push early, Push often" On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis <cvasilak(a)gmail.com <mailto:cvasilak@gmail.com>> wrote: looks great! On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew(a)apache.org <mailto:matzew@apache.org>> wrote: > Hi, > > I worked a bit on the initial security, after Bruno release the > 1.0.1 versions of AG-Security. > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-push... > of PushApplications and MobileVariants > > Adding a (simple) /DEVELOPER/ class (just that, no /fancy/ roles yet). > This is powered by AG-Security and the very wellknown > "login"/"logout" will be used (and soon "enroll" for new users). > > A /DEVELOPER/ is allowed to create/manage PushApplications and > MobileVariants (including the standard CRUD flow). > > Here is a little cURL based flow: > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login: > > |curl -v -b cookies.txt -c cookies.txt > -H"Accept: application/json" -H"Content-type: application/json" > -X POST > -d'{"loginName":"admin","password":"123"}' > http://localhost:8080/ag-push/rest/auth/login > | > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp... > new PushApp: > > |curl -v -b cookies.txt -c cookies.txt -v > -H"Accept: application/json" -H"Content-type: application/json" > -X POST > -d'{"name" :"MyApp","description" :"awesome app" }' > http://localhost:8080/ag-push/rest/applications > | > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-her... > Variant (here SimplePush) for it: > > |curl -v -b cookies.txt -c cookies.txt -v > -H"Accept: application/json" -H"Content-type: application/json" > -X POST > -d'{"pushNetworkURL" :"http://localhost:7777/endpoint/"}' > http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush <http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simpleP... > | > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notif... > Push Notifications > > When a PushApplication is created, it will get a GENERATED > /PUSH-APP-ID/ (like before) and it will also have a generated > /master secret/. For sending (NOW) you need HTTP BASIC auth > against the SENDER HTTP interface: > > |curl -u"{PushApplicationID}:{MasterSecret}" > -v -H"Accept: application/json" -H"Content-type: application/json" > -X POST > -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7, > "simple-push":"version=123"}' > > http://localhost:8080/ag-push/rest/sender/broadcast > | > > The user is a combination of PushApplicationID:MasterSecret, hence > no need to include the PushApplicationID on the URL..... > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registratio... > Registration > > When a MobileVariant is created, it will get a GENERATED > /VARIANT-ID/ (like before) and it will have a generated "variant > secret" (valid ONLY!!! for that variant). Now a device needs to > perform HTTP basic against that server, in order to register itself: > > An Android (cURL) example: > > |curl -u"{MobileVariantID}:{secret}" > -v -H"Accept: application/json" -H"Content-type: application/json" > -X POST > -d'{ > "deviceToken" :"someTokenString", > "deviceType" :"ANDROID", > "mobileOperatingSystem" :"android", > "osVersion" :"4.0.1" > }' > > http://localhost:8080/ag-push/rest/registry/device > | > > The user is a combination of MobileVariantID:MasterSecret, hence > no need to include the MobileVariantID (was a http header in the > past). > > The work lives on a branch for now: > https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se... > > > FYI, the iOS SDK has been updated to reflect that: > https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684... > > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org <mailto:aerogear-dev@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/aerogear-dev _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org <mailto:aerogear-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/aerogear-dev _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev