[aerogear-dev] Security on AeroGear

Matthias Wessendorf matzew at apache.org
Tue Jul 2 07:05:08 EDT 2013 

Hi Bruno,


On Tue, Jul 2, 2013 at 11:48 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Good morning everyone, I'm planning to include JWS (to add digital
> signatures per mobile application)/JWT (to issue a token at each
> transaction or session) support on AeroGear and I was looking at OAuth2
> bearer token (which make use of JWT/JWS behind the scenes)
> implementation from RESTEasy.
>
> I was reading about how to properly include it and now we have a
> decision to make (we because it will affect the way the client side and
> security is not an island :). RESTEasy bearer tokens is completely tied
> to JBoss
> (
> http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446
> )
> and I'm not saying it is a bad thing, but with vert.x, TorqueBox,
> Nodej...I'm not sure if it's a good idea.
>


That is because of (from the requirements): "A username/password based
JBoss security domain", right?


> An example of Bearer Token usage extracted from RFC
> (http://tools.ietf.org/html/rfc6750)
>
>       HTTP/1.1 200 OK
>       Content-Type: application/json;charset=UTF-8
>       Cache-Control: no-store
>       Pragma: no-cache
>
>       {
>         "access_token":"mF_9.B5f-4.1JqM",
>         "token_type":"Bearer",
>         "expires_in":3600,
>         "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>       }
>
> Pros: RESTEasy team already did it
> Cons: The configuration setup might be hard to newcomers (please look at
> the documentation
>
> http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446
> ),
> we will be tied to JBoss.
>
> So, do we have an alternative? Yes.


good :-)



> Make use of JWT module only from
> RESTEasy


you mean only the JWT(==JSON Web Token) - not the "bearer token" ?



> and we still can benefit of digital signatures and tokens.
>


The digital signatures would be still JWS (==JSON Web Signature) ?



>
> An example of JWT usage extracted from RFC
> (http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6)
>
> {
>      "iss":"joe",
>      "exp":1300819380,
>      "http://example.com/is_root":true
> }
>
> Pros: Flexibility, we have people already doing it
> (https://wiki.mozilla.org/WebAPI/WebPayment).


So our "client side" hook could be basically used with that WebPayment
thing, right ?



> We will make use of
> RESTEasy module and do not reinvent the wheel.
>

+1 on reusing existing code. Not sure I fully understand (see my above
comments on JWS/JWT :)



>
> Cons: The authorization model must be implemented and adapted to our needs
>

That could be done on-top of what we already have for AeroGear Security ?


-Matthias



>
> So what do you think?
>
> ps: SAML is not an option for me now.
>
> --
> abstractj
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130702/21ed0cfa/attachment.html

More information about the aerogear-dev mailing list