Re: [aerogear-dev] Initial Security for AeroGear UnifiedPush

FYI, A "security" Java Sender branch has also been pushed : https://github.com/aerogear/aerogear-unified-push-java-client/tree/security It's using preemptive Basic Http Authentification but we will switch to a more "classic" flow when AGPUSH-99 will be resolved. Like Matthias said is "all in progress" work but "Push early, Push often"

On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis <cvasilak(a)gmail.com&gt;wrote: > looks great! > > On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew(a)apache.org&gt; > wrote: > > Hi, > > I worked a bit on the initial security, after Bruno release the 1.0.1 > versions of AG-Security. > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-push... > of PushApplications and MobileVariants > > Adding a (simple) *DEVELOPER* class (just that, no *fancy* roles yet). > This is powered by AG-Security and the very wellknown "login"/"logout" > will be used (and soon "enroll" for new users). > > A *DEVELOPER* is allowed to create/manage PushApplications and > MobileVariants (including the standard CRUD flow). > > Here is a little cURL based flow: > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login: > > curl -v -b cookies.txt -c cookies.txt > -H "Accept: application/json" -H "Content-type: application/json" > -X POST > -d '{"loginName": "admin", "password":"123"}'http://localhost:8080/ag-push/rest/auth/login > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp... > new PushApp: > > curl -v -b cookies.txt -c cookies.txt -v > -H "Accept: application/json" -H "Content-type: application/json" > -X POST > -d '{"name" : "MyApp", "description" : "awesome app" }'http://localhost:8080/ag-push/rest/applications > > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-her... > Variant (here SimplePush) for it: > > curl -v -b cookies.txt -c cookies.txt -v > -H "Accept: application/json" -H "Content-type: application/json" > -X POST > -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}'http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush > > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notif... > Push Notifications > > When a PushApplication is created, it will get a GENERATED *PUSH-APP-ID* (like > before) and it will also have a generated *master secret*. For sending > (NOW) you need HTTP BASIC auth against the SENDER HTTP interface: > > curl -u "{PushApplicationID}:{MasterSecret}" > -v -H "Accept: application/json" -H "Content-type: application/json" > -X POST > -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7, > "simple-push":"version=123"}' > http://localhost:8080/ag-push/rest/sender/broadcast > > The user is a combination of PushApplicationID:MasterSecret, hence no > need to include the PushApplicationID on the URL..... > <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registratio... > Registration > > When a MobileVariant is created, it will get a GENERATED *VARIANT-ID* (like > before) and it will have a generated "variant secret" (valid ONLY!!! for > that variant). Now a device needs to perform HTTP basic against that > server, in order to register itself: > > An Android (cURL) example: > > curl -u "{MobileVariantID}:{secret}" > -v -H "Accept: application/json" -H "Content-type: application/json" > -X POST > -d '{ > "deviceToken" : "someTokenString", > "deviceType" : "ANDROID", > "mobileOperatingSystem" : "android", > "osVersion" : "4.0.1" > }' > http://localhost:8080/ag-push/rest/registry/device > > The user is a combination of MobileVariantID:MasterSecret, hence no need > to include the MobileVariantID (was a http header in the past). > > The work lives on a branch for now: > > https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-se... > > > FYI, the iOS SDK has been updated to reflect that: > https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684... > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/aerogear-dev > > > > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/aerogear-dev > _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev