[aerogear-dev] Initial Security for AeroGear UnifiedPush

Matthias Wessendorf matzew at apache.org
Mon Jun 17 08:52:32 EDT 2013


Hi,

I worked a bit on the initial security, after Bruno released the 1.0.1
versions of AG-Security.
Management of PushApplications and MobileVariants
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants>

Adding a (simple) *DEVELOPER* class (just that, no *fancy* roles yet).
This is powered by AG-Security and the well-known "login"/"logout" will
be used (and soon "enroll" for new users).

A *DEVELOPER* is allowed to create/manage PushApplications and
MobileVariants (including the standard CRUD flow).

Here is a little cURL based flow:
Login:
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>

curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"loginName": "admin", "password": "123"}' \
  http://localhost:8080/ag-push/rest/auth/login

Create new PushApp:
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>

curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"name" : "MyApp", "description" : "awesome app"}' \
  http://localhost:8080/ag-push/rest/applications

Create Variant (here SimplePush) for it:
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it>

curl -v -b cookies.txt -c cookies.txt \
  -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}' \
  http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush

Sending Push Notifications
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications>

When a PushApplication is created, it will get a GENERATED *PUSH-APP-ID* (like
before) and it will also have a generated *master secret*. For sending
(NOW) you need HTTP BASIC auth against the SENDER HTTP interface:

curl -u "{PushApplicationID}:{MasterSecret}" \
   -v -H "Accept: application/json" -H "Content-type: application/json" \
   -X POST \
   -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7,
       "simple-push":"version=123"}' \
   http://localhost:8080/ag-push/rest/sender/broadcast

The user is a combination of PushApplicationID:MasterSecret, hence no need
to include the PushApplicationID on the URL.
Device Registration
<https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>

When a MobileVariant is created, it will get a GENERATED *VARIANT-ID* (like
before) and it will have a generated "variant secret" (valid ONLY!!! for
that variant). Now a device needs to perform HTTP basic against that
server, in order to register itself:

An Android (cURL) example:

curl -u "{MobileVariantID}:{secret}" \
   -v -H "Accept: application/json" -H "Content-type: application/json" \
   -X POST \
   -d '{
      "deviceToken" : "someTokenString",
      "deviceType" : "ANDROID",
      "mobileOperatingSystem" : "android",
      "osVersion" : "4.0.1"
    }' \
   http://localhost:8080/ag-push/rest/registry/device

The user is a combination of MobileVariantID:MasterSecret, hence no need to
include the MobileVariantID (was a http header in the past).

The work lives on a branch for now:
https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security


FYI, the iOS SDK has been updated to reflect that:
https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07

-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
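The post describes two separate HTTP Basic credential scopes: the sender interface takes PushApplicationID:MasterSecret, device registration takes MobileVariantID plus the variant secret, and a variant secret is valid only for its own variant. The following is an added example (not AeroGear's code, and written in Python rather than the server's Java) of the server-side check those two scopes imply: an in-memory store issues the generated IDs and secrets, and authenticate() accepts a credential only on the endpoint it was issued for, comparing secrets in constant time. The UUID identifier format, the secret length and the store itself are assumptions.

```python
# Added example, not AeroGear's code: a minimal model of the two HTTP Basic
# credential scopes described in the post. /rest/sender/* takes
# PushApplicationID:MasterSecret, /rest/registry/device takes
# MobileVariantID:VariantSecret, and a secret issued for one scope must not
# be accepted by the other. IDs as UUIDs, secrets as random URL-safe strings
# and the in-memory store are assumptions of this example.
import base64
import hmac
import secrets
import uuid


class PushServerStore:
    """In-memory stand-in for the server's PushApplication / MobileVariant tables."""

    def __init__(self):
        self.push_apps = {}   # PushApplicationID -> master secret
        self.variants = {}    # MobileVariantID -> (PushApplicationID, variant secret)

    def create_push_app(self):
        app_id = str(uuid.uuid4())
        master_secret = secrets.token_urlsafe(32)
        self.push_apps[app_id] = master_secret
        return app_id, master_secret

    def create_variant(self, app_id):
        if app_id not in self.push_apps:
            raise KeyError("unknown PushApplicationID")
        variant_id = str(uuid.uuid4())
        variant_secret = secrets.token_urlsafe(32)
        self.variants[variant_id] = (app_id, variant_secret)
        return variant_id, variant_secret


def basic_header(ident, secret):
    """Build the Authorization value that `curl -u ident:secret` would send."""
    return "Basic " + base64.b64encode(f"{ident}:{secret}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: everything after the first colon is the password.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Compared against when the ID is unknown, so the unknown-ID and wrong-secret
# paths both perform one constant-time comparison.
_DUMMY_SECRET = secrets.token_urlsafe(32)


def authenticate(store, endpoint, header):
    """Check Basic credentials for 'sender' or 'registry'; return the ID or None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    ident, presented = creds
    if endpoint == "sender":
        expected = store.push_apps.get(ident)          # master secret only
    elif endpoint == "registry":
        entry = store.variants.get(ident)
        expected = entry[1] if entry else None         # variant secret only
    else:
        return None
    ok = hmac.compare_digest((expected or _DUMMY_SECRET).encode(), presented.encode())
    return ident if ok and expected is not None else None


if __name__ == "__main__":
    store = PushServerStore()
    app_id, master_secret = store.create_push_app()
    variant_id, variant_secret = store.create_variant(app_id)
    # The sender endpoint accepts the master secret but not the variant secret.
    print(authenticate(store, "sender", basic_header(app_id, master_secret)) == app_id)
    print(authenticate(store, "sender", basic_header(variant_id, variant_secret)) is None)
```

The lookup is keyed by endpoint first and by ID second, so a variant secret presented on /rest/sender/broadcast never reaches the master-secret table, which is the property the post's "valid ONLY for that variant" wording asks for.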