[jdf-users] New comment posted on JBoss Developer Framework

Disqus notifications at disqus.net
Wed Jun 5 06:40:48 EDT 2013



TBorba <tborba at outsoft.pt> wrote, in response to Vineet Reynolds:

Hi and thank you for your comment.

About serialization, that was my general idea too.

When talking security, I might be biased since my use case is a mix of characteristics both in the "MAY NEED" and "MAY NOT NEED" OAuth, and that's probably the reason I haven't settled yet on a single security framework.

In short, I have 3 types of WWW distributed entities:

a) remote client applications, e.g. a smartphone app;
b) a Gateway black box that implements RSA, SSL sockets, and is very static (inserted in a home appliance which relays its industry-specific protocol to the WWW, using a third-party electronic component. This is made by my potential client). Basically a provider that can be read and written to, but that is vulnerable to eavesdropping and MITM when publishing ServerSockets. It's also very "critical" (think medical application or home climate);
c) a central server which manages authentication and keeps mobile clients aware of the gateway's dynamic location (non-static IP from the consumer's internet connection), incoming listening port AND respective socket _public key_. It also hosts a "register/manage appliances" web app with user authentication.


Paraphrasing questions from the referenced article:

Hypothesis - "Do you want a central authentication server that manages authentication and authorization for all your web apps?"
A - Yep, I will need a website that pretty much uses the same credentials as the services I will deploy for _a)_ (+ for OAuth)

Hypothesis - "Do you want to allow users to grant temporary permission for third parties to access services on behalf of them?"
A - Although they are indeed temporary, nope, since the "services" on the _b)_ endpoint are very low level and do not provide standardized WEB services per se, instead relying on a plain old SSL socket to transport application-level messages (- against OAuth)

Hypothesis - "Does your app already manage user logins and authorization?"
A - Not yet, but eventually it must, and I'm considering Apache Shiro at the moment (- against OAuth)

So from my understanding, OAuth/OAuth2 is indeed overkill since I already need to provide authentication for other components (the web app). Maybe I can just intercept the REST requests just like a login page would, and prepare my mobile clients to answer the challenges for refreshing their security tokens, or something like that.


Vineet Reynolds wrote:

Unfortunately, in the case of serialization and deserialization of object graphs to various formats, there is no standardized annotation available (yes, this can result in a mess if you're not careful). The format-agnostic way to do this is to have custom MessageBodyReaders/MessageBodyWriters, but that tends to be overkill in most scenarios; besides, it also requires knowledge of the internals of libraries like Jackson.

About OAuth/OAuth2, I'd suggest reading this: http://bill.burkecentral.com/2012/11/15/do-you-really-need-oauth2/. The summary of that post is that you wouldn't need OAuth unless you need to allow other parties to perform operations on behalf of the identities registered in your identity store. If your users in the store perform operations and do not delegate them to other...
