Re: [aerogear-dev] Initial Security for AeroGear UnifiedPush

Hi, I worked a bit on the initial security, after Bruno release the 1.0.1 versions of AG-Security. Management of PushApplications and MobileVariants Adding a (simple) DEVELOPER class (just that, no fancy roles yet). This is powered by AG-Security and the very wellknown "login"/"logout" will be used (and soon "enroll" for new users). A DEVELOPER is allowed to create/manage PushApplications and MobileVariants (including the standard CRUD flow). Here is a little cURL based flow: Login: curl -v -b cookies.txt -c cookies.txt -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"loginName": "admin", "password":"123"}' http://localhost:8080/ag-push/rest/auth/login Create new PushApp: curl -v -b cookies.txt -c cookies.txt -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"name" : "MyApp", "description" : "awesome app" }' http://localhost:8080/ag-push/rest/applications Create Variant (here SimplePush) for it: curl -v -b cookies.txt -c cookies.txt -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}' http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush Sending Push Notifications When a PushApplication is created, it will get a GENERATED PUSH-APP-ID (like before) and it will also have a generated master secret. For sending (NOW) you need HTTP BASIC auth against the SENDER HTTP interface: curl -u "{PushApplicationID}:{MasterSecret}" -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7, "simple-push":"version=123"}' http://localhost:8080/ag-push/rest/sender/broadcast The user is a combination of PushApplicationID:MasterSecret, hence no need to include the PushApplicationID on the URL..... Device Registration When a MobileVariant is created, it will get a GENERATED VARIANT-ID (like before) and it will have a generated "variant secret" (valid ONLY!!! for that variant). Now a device needs to perform HTTP basic against that server, in order to register itself: An Android (cURL) example: curl -u "{MobileVariantID}:{secret}" -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{ "deviceToken" : "someTokenString", "deviceType" : "ANDROID", "mobileOperatingSystem" : "android", "osVersion" : "4.0.1" }' http://localhost:8080/ag-push/rest/registry/device The user is a combination of MobileVariantID:MasterSecret, hence no need to include the MobileVariantID (was a http header in the past). The work lives on a branch for now: https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se... FYI, the iOS SDK has been updated to reflect that: https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684... -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev