[aerogear-dev] Security on AeroGear
Kris Borchers
kborcher at redhat.com
Tue Jul 2 11:12:57 EDT 2013
Thanks for the back and forth guys. This helped me understand the questions I didn't even know I needed to ask! ;)
+1 from me as well
On Jul 2, 2013, at 9:43, Matthias Wessendorf <matzew at apache.org> wrote:
>
> On Tue, Jul 2, 2013 at 4:35 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>> Ahoy
>>
>> Matthias Wessendorf wrote:
>> > >
>> > > On Tue, Jul 2, 2013 at 11:48 AM, Bruno Oliveira <bruno at abstractj.org> wrote:
>> > >
>> > > Good morning everyone, I'm planning to include JWS (to add
>> > digital
>> > > signatures per mobile application)/JWT (to issue a token at each
>> > > transaction or session) support on AeroGear and I was looking
>> > at OAuth2
>> > > bearer token (which make use of JWT/JWS behind the scenes)
>> > > implementation from RESTEasy.
>> > >
>> > > I was reading about how to properly include it and now we have a
>> > > decision to make (we because it will affect the way the
>> > client side and
>> > > security is not an island :). RESTEasy bearer tokens are
>> > > completely tied to JBoss
>> > >
>> > (http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446)
>> > > and I'm not saying it is a bad thing, but with vert.x, TorqueBox,
>> > > Nodej...I'm not sure if it's a good idea.
>> > >
>> > >
>> > >
>> > > That is because of (from the requirements): "A username/password
>> > based
>> > > JBoss security domain", right?
>> > >
>> >
>> > Nope. This comes from the requirement "add security to AG" :)
>> >
>> >
>> > I was more asking about the "completely tied to JBoss" note.
>> >
>> > Is that because of "...based JBoss security domain" ?
>>
>> Gotcha and yes. You must set up security constraints on JBoss for it
>> http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1657
>> and quoting the documentation "You must though use FORM authentication"
>> (http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1654)
>>
>> I'm not saying this is wrong, it's just the framework design.
>
> Ah...! :) Thanks for the iterations here :) But yes, I agree that we do not want this!
> So a late +1 on your original statement :)
>
>>
>> >
>> > Username/Password are cool, the goal here is to add token between
>> > client/server.
>> >
>> > This token will come with a timestamp; this way, if someone
>> > eavesdropping on your connection steals your username/password, the token
>> > will be required.
>> >
>> > >
>> > > An example of Bearer Token usage extracted from RFC
>> > > (http://tools.ietf.org/html/rfc6750)
>> > >
>> > > HTTP/1.1 200 OK
>> > > Content-Type: application/json;charset=UTF-8
>> > > Cache-Control: no-store
>> > > Pragma: no-cache
>> > >
>> > > {
>> > > "access_token":"mF_9.B5f-4.1JqM",
>> > > "token_type":"Bearer",
>> > > "expires_in":3600,
>> > > "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>> > > }
>> > >
>> > > Pros: RESTEasy team already did it
>> > > Cons: The configuration setup might be hard for newcomers
>> > (please look at
>> > > the documentation
>> > >
>> > http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446),
>> > > we will be tied to JBoss.
>> > >
>> > > So, do we have an alternative? Yes.
>> > >
>> > >
>> > > good :-)
>> > >
>> > > Make use of JWT module only from
>> > > RESTEasy
>> > >
>> > >
>> > > you mean only the JWT(==JSON Web Token) - not the "bearer token" ?
>> >
>> > Yes.
>> >
>> >
>> > Ok
>> >
>> >
>> > >
>> > > and we can still benefit from digital signatures and tokens.
>> > >
>> > >
>> > >
>> > > The digital signatures would be still JWS (==JSON Web Signature) ?
>> >
>> > Yup, to avoid confusion:
>> >
>> > - JSON Web signatures: can be used to sign http requests against the
>> > server (do not replace the certificate) and avoid DDoS against the
>> > server, non-repudiation
>> >
>> >
>> > sounds good
>> >
>> >
>> > - JSON Web token: another security layer (OPTIONAL). If for some reason
>> > SSL was misconfigured, broken....you still have this layer of security
>> > (this token is time-based, "MACed" and irreversible).
>> >
>> > >
>> > >
>> > > An example of JWT usage extracted from RFC
>> > > (http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6)
>> > >
>> > > {
>> > > "iss":"joe",
>> > > "exp":1300819380,
>> > > "http://example.com/is_root":true
>> > > }
>> > >
>> > > Pros: Flexibility, we have people already doing it
>> > > (https://wiki.mozilla.org/WebAPI/WebPayment).
>> > >
>> > >
>> > > So our "client side" hook could be basically used with that
>> > WebPayment
>> > > thing, right ?
>> >
>> > No.
>> >
>> > Sorry, I should explain that better, this is just an example. We will
>> > not make use of WebPayment API, this is a snippet from Mozilla (I was
>> > giving the credit, instead of just cut & paste. And also showing an
>> > example where JWT is used).
>> >
>> >
>> > :-) I was expecting we are not using the WebPayment.
>> >
>> > Perhaps my question was stupid - let me try again.
>> > If we have the JWT (e.g. on AG-JavaScript), could our bits be used
>> > against a WebPayment Server? (not sure if there is something).
>>
>> There are no stupid questions, it must be clear to everybody. For
>> authentication and digital signatures I would say, yes.
>
>
> that's cool
>
>>
>> For transactions I doubt it, because they have specific requirements not
>> present on AeroGear like: pricePoint, icons, productData.......(also
>> not present in the specification)
>
>
> yeah, agree - I was more interested in the "digital signatures" part
>>
>> >
>> >
>> > In our project it will be just the JWT/JWS implementation with the RESTEasy
>> > module.
>> >
>> >
>> > And since that is "wrapped" by AG-Security, it's not really tied to
>> > JBoss, since
>> > we could have other "adapters", e.g. for Nodej/vert.x ?
>>
>> That's the idea.
>
> sounds good. Again +1 on the overall idea, and thanks for explaining!
>
>
>> As far as I know this RESTEasy module is not CDI
>> dependent, so I'd say it's possible.
>
> @Dependent :)
>
> I do not know, but good luck :)
>
>>
>> >
>> >
>> >
>> > >
>> > > We will make use of
>> > > RESTEasy module and do not reinvent the wheel.
>> > >
>> > >
>> > > +1 on reusing existing code. Not sure I fully understand (see my
>> > above
>> > > comments on JWS/JWT :)
>> >
>> > Feel free to ask, sorry for my bad explanation.
>> >
>> >
>> > I guess we are getting there :)
>> >
>> >
>> > >
>> > >
>> > > Cons: The authorization model must be implemented and adapted
>> > to our
>> > > needs
>> > >
>> > >
>> > > That could be done on-top of what we already have for AeroGear
>> > Security ?
>> >
>> > Yup, that's the idea.
>> > >
>> > >
>> > > -Matthias
>> > >
>>
>>
>> --
>> abstractj
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
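The time-based, MACed token Bruno describes above, as an added Python example that is not code from this thread, from AeroGear or from RESTEasy: it mints an HS256 compact JWS over the claims set quoted from the JWT draft (iss, exp, http://example.com/is_root), then verifies it with the algorithm pinned on the verifier side, a constant-time MAC comparison and an exp check. The key is a constructed demo value, and the `now` parameter stands in for the clock so the 2011 example exp can be exercised.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims set copied from the JWT draft example quoted in the thread.
CLAIMS = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}
# Constructed demo key (assumption); a real deployment uses a per-application secret.
KEY = b"constructed-demo-key-do-not-reuse"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with an HS256 MAC."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the MAC checks out and 'exp' is still in the future.

    Raises ValueError for malformed, forged, wrong-algorithm or expired tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token header is never allowed to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # exp is the time-based part of the scheme: a leaked token stops working on its own.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


if __name__ == "__main__":
    tok = sign_jwt(CLAIMS, KEY)
    print(tok)
    print(verify_jwt(tok, KEY, now=1300819000))  # a moment before the example exp
```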