[aerogear-dev] Initial Security for AeroGear UnifiedPush
Bruno Oliveira
bruno at abstractj.org
Wed Jun 19 05:56:55 EDT 2013
Thanks Sebi, I'll look at this.
Sebastien Blanc wrote:
> FYI,
>
> A "security" Java Sender branch has also been pushed :
> https://github.com/aerogear/aerogear-unified-push-java-client/tree/security
> It's using preemptive Basic Http Authentification but we will switch to
> a more "classic" flow when AGPUSH-99 will be resolved.
>
> Like Matthias said is "all in progress" work but "Push early, Push often"
>
>
>
>
> On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis <cvasilak at gmail.com
> <mailto:cvasilak at gmail.com>> wrote:
>
> looks great!
>
> On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew at apache.org
> <mailto:matzew at apache.org>> wrote:
>
>> Hi,
>>
>> I worked a bit on the initial security, after Bruno release the
>> 1.0.1 versions of AG-Security.
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants>Management
>> of PushApplications and MobileVariants
>>
>> Adding a (simple) /DEVELOPER/ class (just that, no /fancy/ roles yet).
>> This is powered by AG-Security and the very wellknown
>> "login"/"logout" will be used (and soon "enroll" for new users).
>>
>> A /DEVELOPER/ is allowed to create/manage PushApplications and
>> MobileVariants (including the standard CRUD flow).
>>
>> Here is a little cURL based flow:
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login:
>>
>> |curl -v -b cookies.txt -c cookies.txt
>> -H"Accept: application/json" -H"Content-type: application/json"
>> -X POST
>> -d'{"loginName":"admin","password":"123"}'
>> http://localhost:8080/ag-push/rest/auth/login
>> |
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>Create
>> new PushApp:
>>
>> |curl -v -b cookies.txt -c cookies.txt -v
>> -H"Accept: application/json" -H"Content-type: application/json"
>> -X POST
>> -d'{"name" :"MyApp","description" :"awesome app" }'
>> http://localhost:8080/ag-push/rest/applications
>> |
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it>Create
>> Variant (here SimplePush) for it:
>>
>> |curl -v -b cookies.txt -c cookies.txt -v
>> -H"Accept: application/json" -H"Content-type: application/json"
>> -X POST
>> -d'{"pushNetworkURL" :"http://localhost:7777/endpoint/"}'
>> http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush <http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush>
>> |
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications>Sending
>> Push Notifications
>>
>> When a PushApplication is created, it will get a GENERATED
>> /PUSH-APP-ID/ (like before) and it will also have a generated
>> /master secret/. For sending (NOW) you need HTTP BASIC auth
>> against the SENDER HTTP interface:
>>
>> |curl -u"{PushApplicationID}:{MasterSecret}"
>> -v -H"Accept: application/json" -H"Content-type: application/json"
>> -X POST
>> -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7,
>> "simple-push":"version=123"}'
>>
>> http://localhost:8080/ag-push/rest/sender/broadcast
>> |
>>
>> The user is a combination of PushApplicationID:MasterSecret, hence
>> no need to include the PushApplicationID on the URL.....
>>
>>
>> <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>Device
>> Registration
>>
>> When a MobileVariant is created, it will get a GENERATED
>> /VARIANT-ID/ (like before) and it will have a generated "variant
>> secret" (valid ONLY!!! for that variant). Now a device needs to
>> perform HTTP basic against that server, in order to register itself:
>>
>> An Android (cURL) example:
>>
>> |curl -u"{MobileVariantID}:{secret}"
>> -v -H"Accept: application/json" -H"Content-type: application/json"
>> -X POST
>> -d'{
>> "deviceToken" :"someTokenString",
>> "deviceType" :"ANDROID",
>> "mobileOperatingSystem" :"android",
>> "osVersion" :"4.0.1"
>> }'
>>
>> http://localhost:8080/ag-push/rest/registry/device
>> |
>>
>> The user is a combination of MobileVariantID:MasterSecret, hence
>> no need to include the MobileVariantID (was a http header in the
>> past).
>>
>> The work lives on a branch for now:
>> https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security
>>
>>
>> FYI, the iOS SDK has been updated to reflect that:
>> https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07
>>
>>
>> --
>> Matthias Wessendorf
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
More information about the aerogear-dev
mailing list