[aerogear-dev] Initial Security for AeroGear UnifiedPush

Bruno Oliveira bruno at abstractj.org
Wed Jun 19 05:56:55 EDT 2013


Thanks Sebi, I'll look at this.

Sebastien Blanc wrote:
> FYI,
>
> A "security" Java Sender branch has also been pushed :
> https://github.com/aerogear/aerogear-unified-push-java-client/tree/security
> It's using preemptive Basic Http Authentification but we will switch to
> a more "classic" flow when AGPUSH-99 will be resolved.
>
> Like Matthias said is "all in progress" work but "Push early, Push often"
>
>
>
>
> On Wed, Jun 19, 2013 at 8:38 AM, Christos Vasilakis <cvasilak at gmail.com
> <mailto:cvasilak at gmail.com>> wrote:
>
>     looks great!
>
>     On Jun 17, 2013, at 3:52 PM, Matthias Wessendorf <matzew at apache.org
>     <mailto:matzew at apache.org>> wrote:
>
>>     Hi,
>>
>>     I worked a bit on the initial security, after Bruno release the
>>     1.0.1 versions of AG-Security.
>>
>>
>>         <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#management-of-pushapplications-and-mobilevariants>Management
>>         of PushApplications and MobileVariants
>>
>>     Adding a (simple) /DEVELOPER/ class (just that, no /fancy/ roles yet).
>>     This is powered by AG-Security and the very wellknown
>>     "login"/"logout" will be used (and soon "enroll" for new users).
>>
>>     A /DEVELOPER/ is allowed to create/manage PushApplications and
>>     MobileVariants (including the standard CRUD flow).
>>
>>     Here is a little cURL based flow:
>>
>>
>>             <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#login>Login:
>>
>>     |curl -v -b cookies.txt -c cookies.txt
>>        -H"Accept: application/json"  -H"Content-type: application/json"
>>        -X POST
>>        -d'{"loginName":"admin","password":"123"}'
>>     http://localhost:8080/ag-push/rest/auth/login
>>     |
>>
>>
>>             <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-new-pushapp>Create
>>             new PushApp:
>>
>>     |curl -v -b cookies.txt -c cookies.txt -v
>>        -H"Accept: application/json"  -H"Content-type: application/json"
>>        -X POST
>>        -d'{"name"  :"MyApp","description"  :"awesome app"  }'
>>     http://localhost:8080/ag-push/rest/applications
>>     |
>>
>>
>>             <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#create-variant-here-simplepush-for-it>Create
>>             Variant (here SimplePush) for it:
>>
>>     |curl -v -b cookies.txt -c cookies.txt -v
>>        -H"Accept: application/json"  -H"Content-type: application/json"
>>        -X POST
>>        -d'{"pushNetworkURL"  :"http://localhost:7777/endpoint/"}'
>>     http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush  <http://localhost:8080/ag-push/rest/applications/%7BPUSH_APP_ID%7D/simplePush>
>>     |
>>
>>
>>         <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#sending-push-notifications>Sending
>>         Push Notifications
>>
>>     When a PushApplication is created, it will get a GENERATED
>>     /PUSH-APP-ID/ (like before) and it will also have a generated
>>     /master secret/. For sending (NOW) you need HTTP BASIC auth
>>     against the SENDER HTTP interface:
>>
>>     |curl -u"{PushApplicationID}:{MasterSecret}"
>>         -v -H"Accept: application/json"  -H"Content-type: application/json"
>>         -X POST
>>         -d'{"key":"value","alert":"HELLO!","sound":"default","badge":7,
>>             "simple-push":"version=123"}'
>>
>>     http://localhost:8080/ag-push/rest/sender/broadcast
>>     |
>>
>>     The user is a combination of PushApplicationID:MasterSecret, hence
>>     no need to include the PushApplicationID on the URL.....
>>
>>
>>         <https://gist.github.com/anonymous/b82b7bb1b2d1ab36f92d#device-registration>Device
>>         Registration
>>
>>     When a MobileVariant is created, it will get a GENERATED
>>     /VARIANT-ID/ (like before) and it will have a generated "variant
>>     secret" (valid ONLY!!! for that variant). Now a device needs to
>>     perform HTTP basic against that server, in order to register itself:
>>
>>     An Android (cURL) example:
>>
>>     |curl -u"{MobileVariantID}:{secret}"
>>         -v -H"Accept: application/json"  -H"Content-type: application/json"
>>         -X POST
>>         -d'{
>>            "deviceToken"  :"someTokenString",
>>            "deviceType"  :"ANDROID",
>>            "mobileOperatingSystem"  :"android",
>>            "osVersion"  :"4.0.1"
>>          }'
>>
>>     http://localhost:8080/ag-push/rest/registry/device
>>     |
>>
>>     The user is a combination of MobileVariantID:MasterSecret, hence
>>     no need to include the MobileVariantID (was a http header in the
>>     past).
>>
>>     The work lives on a branch for now:
>>     https://github.com/aerogear/aerogear-unified-push-server/tree/endpoint-security
>>
>>
>>     FYI, the iOS SDK has been updated to reflect that:
>>     https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07
>>
>>
>>     --
>>     Matthias Wessendorf
>>
>>     blog: http://matthiaswessendorf.wordpress.com/
>>     sessions: http://www.slideshare.net/mwessendorf
>>     twitter: http://twitter.com/mwessendorf
>>     _______________________________________________
>>     aerogear-dev mailing list
>>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>     _______________________________________________
>     aerogear-dev mailing list
>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

-- 
abstractj



More information about the aerogear-dev mailing list