[aerogear-dev] Initial Security for AeroGear UnifiedPush

Christos Vasilakis cvasilak at gmail.com
Wed Jun 19 02:38:37 EDT 2013


looks great!

On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew at apache.org> wrote:

> Hi,
> 
> I worked a bit on the initial security, after Bruno released the 1.0.1 versions of AG-Security.
> 
> Management of PushApplications and MobileVariants
> 
> Adding a (simple) DEVELOPER class (just that, no fancy roles yet).
> This is powered by AG-Security and the very well-known "login"/"logout" will be used (and soon "enroll" for new users).
> 
> A DEVELOPER is allowed to create/manage PushApplications and MobileVariants (including the standard CRUD flow).
> 
> Here is a little cURL based flow:
> 
> Login:
> 
> curl -v -b cookies.txt -c cookies.txt \
>   -H "Accept: application/json" -H "Content-type: application/json" \
>   -X POST \
>   -d '{"loginName": "admin", "password":"123"}' \
>   http://localhost:8080/ag-push/rest/auth/login
> 
> Create new PushApp:
> 
> curl -v -b cookies.txt -c cookies.txt \
>   -H "Accept: application/json" -H "Content-type: application/json" \
>   -X POST \
>   -d '{"name" : "MyApp", "description" :  "awesome app" }' \
>   http://localhost:8080/ag-push/rest/applications
> 
> Create Variant (here SimplePush) for it:
> 
> curl -v -b cookies.txt -c cookies.txt \
>   -H "Accept: application/json" -H "Content-type: application/json" \
>   -X POST \
>   -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}' \
>   http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush
> 
> Sending Push Notifications
> 
> When a PushApplication is created, it will get a GENERATED PUSH-APP-ID (like before) and it will also have a generated master secret. For sending (NOW) you need HTTP BASIC auth against the SENDER HTTP interface:
> 
> curl -u "{PushApplicationID}:{MasterSecret}" \
>    -v -H "Accept: application/json" -H "Content-type: application/json" \
>    -X POST \
>    -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7,
>        "simple-push":"version=123"}' \
>    http://localhost:8080/ag-push/rest/sender/broadcast
> 
> The user is a combination of PushApplicationID:MasterSecret, hence no need to include the PushApplicationID on the URL.....
> 
> Device Registration
> 
> When a MobileVariant is created, it will get a GENERATED VARIANT-ID (like before) and it will have a generated "variant secret" (valid ONLY!!! for that variant). Now a device needs to perform HTTP basic against that server, in order to register itself:
> 
> An Android (cURL) example:
> 
> curl -u "{MobileVariantID}:{secret}" \
>    -v -H "Accept: application/json" -H "Content-type: application/json" \
>    -X POST \
>    -d '{
>       "deviceToken" : "someTokenString", 
>       "deviceType" : "ANDROID", 
>       "mobileOperatingSystem" : "android", 
>       "osVersion" : "4.0.1"
>     }' \
>    http://localhost:8080/ag-push/rest/registry/device
> 
> The user is a combination of MobileVariantID:MasterSecret, hence no need to include the MobileVariantID (was a http header in the past).
> 
> The work lives on a branch for now:
> https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security
> 
> 
> FYI, the iOS SDK has been updated to reflect that: https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07
> 
> -- 
> Matthias Wessendorf 
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
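The two HTTP Basic schemes described in the quoted message (PushApplicationID:MasterSecret for the sender endpoint, MobileVariantID:secret for device registration), sketched from the server side as an added example. It is not code from the UnifiedPush server or from either poster; the in-memory stores and all function names are assumptions.

```python
import base64
import hmac
import secrets

# Constructed in-memory stores (assumption); a real server would use its database.
PUSH_APPS = {}  # PushApplicationID -> master secret
VARIANTS = {}   # MobileVariantID -> variant secret
SENDER = "/ag-push/rest/sender/broadcast"
REGISTRY = "/ag-push/rest/registry/device"


def create(store):
    """Generate an ID and a random secret and record them (hypothetical helper)."""
    ident, secret = secrets.token_hex(16), secrets.token_urlsafe(32)
    store[ident] = secret
    return ident, secret


def basic_header(user, password):
    """Build the header that `curl -u user:password` sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, payload = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # split on the first colon only
    return (user, password) if sep else None


def authorize(path, header):
    """Accept a request only if its credentials match the store for that endpoint."""
    store = {SENDER: PUSH_APPS, REGISTRY: VARIANTS}.get(path)
    creds = parse_basic(header)
    if store is None or creds is None:
        return False
    user, password = creds
    expected = store.get(user)
    # Unknown IDs are compared against a dummy so both paths do the same work.
    matches = hmac.compare_digest(password.encode(), (expected or "x" * 43).encode())
    return expected is not None and matches
```

Because each endpoint consults only its own store, a variant secret extracted from a device cannot be replayed against the sender endpoint.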