Re: [aerogear-dev] Initial Security for AeroGear UnifiedPush

Thanks Sebi, I'll look at this. Sebastien Blanc wrote: > FYI, > > A "security" Java Sender branch has also been pushed : > https://github.com/aerogear/aerogear-unified-push-java-client/tree/security > It's using preemptive Basic Http Authentification but we will switch to > a more "classic" flow when AGPUSH-99 will be resolved. > > Like Matthias said is "all in progress" work but "Push early, Push often" > > > > > On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis <cvasilak(a)gmail.com > <mailto:cvasilak@gmail.com>> wrote: > > looks great! > > On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew(a)apache.org > <mailto:matzew@apache.org>> wrote: > >> Hi, >> >> I worked a bit on the initial security, after Bruno release the >> 1.0.1 versions of AG-Security. >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-push... >Management >> of PushApplications and MobileVariants >> >> Adding a (simple) /DEVELOPER/ class (just that, no /fancy/ roles yet). >> This is powered by AG-Security and the very wellknown >> "login"/"logout" will be used (and soon "enroll" for new users). >> >> A /DEVELOPER/ is allowed to create/manage PushApplications and >> MobileVariants (including the standard CRUD flow). >> >> Here is a little cURL based flow: >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login: >> >> |curl -v -b cookies.txt -c cookies.txt >> -H"Accept: application/json" -H"Content-type: application/json" >> -X POST >> -d'{"loginName":"admin","password":"123"}' >> http://localhost:8080/ag-push/rest/auth/login >> | >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp >Create >> new PushApp: >> >> |curl -v -b cookies.txt -c cookies.txt -v >> -H"Accept: application/json" -H"Content-type: application/json" >> -X POST >> -d'{"name" :"MyApp","description" :"awesome app" }' >> http://localhost:8080/ag-push/rest/applications >> | >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-her... >Create >> Variant (here SimplePush) for it: >> >> |curl -v -b cookies.txt -c cookies.txt -v >> -H"Accept: application/json" -H"Content-type: application/json" >> -X POST >> -d'{"pushNetworkURL" :"http://localhost:7777/endpoint/"}' >> http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush < http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush > >> | >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notif... >Sending >> Push Notifications >> >> When a PushApplication is created, it will get a GENERATED >> /PUSH-APP-ID/ (like before) and it will also have a generated >> /master secret/. For sending (NOW) you need HTTP BASIC auth >> against the SENDER HTTP interface: >> >> |curl -u"{PushApplicationID}:{MasterSecret}" >> -v -H"Accept: application/json" -H"Content-type: application/json" >> -X POST >> -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7, >> "simple-push":"version=123"}' >> >> http://localhost:8080/ag-push/rest/sender/broadcast >> | >> >> The user is a combination of PushApplicationID:MasterSecret, hence >> no need to include the PushApplicationID on the URL..... >> >> >> < https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration >Device >> Registration >> >> When a MobileVariant is created, it will get a GENERATED >> /VARIANT-ID/ (like before) and it will have a generated "variant >> secret" (valid ONLY!!! for that variant). Now a device needs to >> perform HTTP basic against that server, in order to register itself: >> >> An Android (cURL) example: >> >> |curl -u"{MobileVariantID}:{secret}" >> -v -H"Accept: application/json" -H"Content-type: application/json" >> -X POST >> -d'{ >> "deviceToken" :"someTokenString", >> "deviceType" :"ANDROID", >> "mobileOperatingSystem" :"android", >> "osVersion" :"4.0.1" >> }' >> >> http://localhost:8080/ag-push/rest/registry/device >> | >> >> The user is a combination of MobileVariantID:MasterSecret, hence >> no need to include the MobileVariantID (was a http header in the >> past). >> >> The work lives on a branch for now: >> https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se... >> >> >> FYI, the iOS SDK has been updated to reflect that: >> https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684... >> >> >> -- >> Matthias Wessendorf >> >> blog: http://matthiaswessendorf.wordpress.com/ >> sessions: http://www.slideshare.net/mwessendorf >> twitter: http://twitter.com/mwessendorf >> _______________________________________________ >> aerogear-dev mailing list >> aerogear-dev(a)lists.jboss.org <mailto:aerogear-dev@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/aerogear-dev > > > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org <mailto:aerogear-dev@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/aerogear-dev > > > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/aerogear-dev -- abstractj _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev