abdera-user mailing list archives

From Jim Ancona <...@anconafamily.com>
Subject Re: Server authentication support
Date Wed, 02 Apr 2008 16:11:34 GMT
Remy Gendron wrote:
> I’m looking at securing my Abdera server implementation. Do you have
> recommendations for the following?
> 
> 1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
> will not be exposed to the outside. Backed by a corporate LDAP.

Do you mean OpenAuth, the AOL auth API (http://dev.aol.com/openauth) or 
OAuth, the API auth protocol spec (http://oauth.net/)?  For intranet 
use, my guess is that Basic over SSL or HTTP Digest would be sufficient.

We are working on a REST API to enable integration with our web 
application (http://www.constantcontact.com/). We will probably support 
OAuth eventually, but for the time being we elected to use HTTP Digest.

> 2) Are there support libraries that would help in implementing this on the
> server side? Abdera already comes with auth extensions. How do I leverage
> these on the server side? Shouldn’t security be orthogonal to the Atom
> stuff? I was thinking along the way of a servlet filter.

I think you're on the right track. I couldn't find an open source HTTP 
Digest implementation in Java other than Acegi (see below), so I wrote 
my own as a servlet filter. If anyone knows of one, or a good test 
suite, please let me know!

> 3) My server is heavily Spring. I will look up ACEGI.

We use Spring as well. I'm sure you know that Acegi is now Spring 
Security. It sounds like they're doing a lot of work to simplify the 
common use cases, but when I looked at it, it seemed like more than I 
wanted to bite off at that time. Because my implementation is pretty 
much orthogonal to the rest of the server implementation, we can 
reconsider it later.

Hope this helps!

Jim
