abdera-user mailing list archives

From Chris Berry <chriswbe...@gmail.com>
Subject Re: Server authentication support
Date Wed, 02 Apr 2008 21:11:25 GMT
FWIW, we have an Atom server in production using Acegi. This is a nice alternative because security is applied orthogonally.

BUT, unless you are ready to use Acegi 2.0 (now Spring Security, and I think not yet released officially), then you will need some Acegi extensions I wrote to allow for HTTP Method-level authorization. The extensions are available in the Acegi JIRA. (I don't have the URL at my fingertips. But it is in the archives of abdera-user as well ;-)
Cheers,
-- Chris 

On Apr 2, 2008, at 11:45 AM, David Primmer wrote:

> On Wed, Apr 2, 2008 at 9:30 AM, Remy Gendron <remy@arrova.ca> wrote:
>> In the case of your www.constantcontact.com, you secure the outside API with
>> HTTP digest. But behind your client API, do you access many systems? How do
>> you propagate the authentication to the sub-systems? Do you forgo
>> authentication once inside the firewall and just propagate the username to
>> at least do some history logging?
>
> Because you're terminating the HTTP, you kinda have to repackage your
> attributes. It really depends on if you have untrusted intermediaries
> who you don't want to see the info. In that case, you need an opaque
> token that is unpacked at the ultimate destination.
>
>>
>> Thanks Jim for the insight on your implementation.
>>
>> Remy
>>
>>
>>
>> -----Original Message-----
>> From: Jim Ancona [mailto:jim@anconafamily.com]
>> Sent: April 2, 2008 12:12
>> To: abdera-user@incubator.apache.org
>> Subject: Re: Server authentication support
>>
>> Remy Gendron wrote:
>>> I'm looking at securing my Abdera server implementation. Do you have
>>> recommendations for the following?
>>>
>>> 1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
>>> will not be exposed to the outside. Backed by a corporate LDAP.
>>
>> Do you mean OpenAuth, the AOL auth API (http://dev.aol.com/openauth) or
>> OAuth, the API auth protocol spec (http://oauth.net/)?  For intranet
>> use, my guess is that Basic over SSL or HTTP Digest would be sufficient.
>>
>> We are working on a REST API to enable integration with our web
>> application (http://www.constantcontact.com/). We will probably support
>> OAuth eventually, but for the time being we elected to use HTTP Digest.
>>
>>> 2) Are there support libraries that would help in implementing this on the
>>> server side? Abdera already comes with auth extensions. How do I leverage
>>> these on the server side? Shouldn't security be orthogonal to the Atom
>>> stuff? I was thinking along the way of a servlet filter.
>>
>> I think you're on the right track. I couldn't find an open source HTTP
>> Digest implementation in Java other than Acegi (see below), so I wrote
>> my own as a servlet filter. If anyone knows of one, or a good test
>> suite, please let me know!
>>
>>> 3) My server is heavily Spring. I will look up ACEGI.
>>
>> We use Spring as well. I'm sure you know that Acegi is now Spring
>> Security. It sounds like they're doing a lot of work to simplify the
>> common use cases, but when I look at it, it seemed like more than I
>> wanted to bite off at that time. Because my implementation is pretty
>> much orthogonal to the rest of the server implementation, we can
>> reconsider it later.
>>
>> Hope this helps!
>>
>> Jim
>>
>>
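Jim mentions writing his own HTTP Digest check as a servlet filter because no standalone Java implementation was at hand, and Remy asks how security can stay orthogonal to the Atom code. The filter below is an added illustration of that approach, written for this archive page; it is not Jim's filter, nor code from Abdera, Acegi or Spring Security. It verifies RFC 2617 Digest credentials (qop="auth", MD5 only), issues its own time-limited, secret-keyed nonces so that no per-nonce server state is needed, and hands the authenticated username to the servlet behind it through a request attribute. The realm name "atom-intranet", the class name DigestAuthFilter, the "digest.user" attribute, the in-memory HA1 map (standing in for the corporate LDAP lookup Remy describes) and the sample "alice"/"s3cret" credential are all assumptions made for the example; it also assumes Java 8 or later (for java.util.Base64) and the javax.servlet API.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Verifies RFC 2617 HTTP Digest credentials (qop="auth", MD5) in front of an Atom servlet.
 *  Hypothetical example written for this page; not Abdera's, Acegi's or Jim's code. */
public class DigestAuthFilter implements Filter {
    private static final String REALM = "atom-intranet";        // assumption: realm name chosen for this example
    private static final long NONCE_TTL_MS = 5 * 60 * 1000L;     // nonces older than five minutes are rejected
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))");

    // Stores HA1 = MD5(username:realm:password), never the cleartext password. Assumption: in-memory map
    // standing in for the corporate LDAP lookup the thread describes.
    private final Map<String, String> ha1ByUser = new HashMap<String, String>();
    private String serverSecret;   // keys the nonces so a client cannot mint its own

    public void init(FilterConfig cfg) throws ServletException {
        serverSecret = new BigInteger(160, new SecureRandom()).toString(32);
        // Constructed sample credential for local testing: user "alice", password "s3cret".
        ha1ByUser.put("alice", md5Hex("alice:" + REALM + ":s3cret"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Digest ")) { challenge(response, false); return; }
        Map<String, String> p = parse(header.substring("Digest ".length()));
        String user = p.get("username");
        String ha1 = user == null ? null : ha1ByUser.get(user);
        String query = request.getQueryString();
        String target = request.getRequestURI() + (query == null ? "" : "?" + query);
        // Unknown user, wrong realm, unsupported qop, or a "uri" that does not match the actual request line.
        if (ha1 == null || !REALM.equals(p.get("realm")) || !"auth".equals(p.get("qop"))
                || !target.equals(p.get("uri")) || p.get("nc") == null || p.get("cnonce") == null) {
            challenge(response, false); return;
        }
        // Expired or forged nonce: stale=true tells a client with good credentials to retry with the new nonce.
        if (!nonceIsValid(p.get("nonce"))) { challenge(response, true); return; }
        // RFC 2617: response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2), HA2 = MD5(method ":" uri)
        String ha2 = md5Hex(request.getMethod() + ":" + p.get("uri"));
        String expected = md5Hex(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":" + p.get("cnonce") + ":auth:" + ha2);
        byte[] got = String.valueOf(p.get("response")).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII), got)) {   // constant-time compare
            challenge(response, false); return;
        }
        request.setAttribute("digest.user", user);   // the Atom code behind the filter reads the principal from here
        chain.doFilter(req, res);
    }

    public void destroy() { }

    private void challenge(HttpServletResponse response, boolean stale) throws IOException {
        response.setHeader("WWW-Authenticate", "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\""
                + newNonce() + "\"" + (stale ? ", stale=true" : ""));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // nonce = base64(timestamp ":" MD5(timestamp ":" serverSecret)): self-validating and time-limited, no server state
    private String newNonce() {
        long ts = System.currentTimeMillis();
        String raw = ts + ":" + md5Hex(ts + ":" + serverSecret);
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.US_ASCII));
    }

    private boolean nonceIsValid(String nonce) {
        if (nonce == null) return false;
        try {
            String raw = new String(Base64.getDecoder().decode(nonce), StandardCharsets.US_ASCII);
            int i = raw.indexOf(':');
            if (i < 0) return false;
            long ts = Long.parseLong(raw.substring(0, i));
            boolean macOk = md5Hex(ts + ":" + serverSecret).equals(raw.substring(i + 1));
            return macOk && System.currentTimeMillis() - ts < NONCE_TTL_MS;
        } catch (IllegalArgumentException e) {   // malformed base64 or timestamp
            return false;
        }
    }

    private static Map<String, String> parse(String params) {
        Map<String, String> out = new HashMap<String, String>();
        Matcher m = PARAM.matcher(params);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }

    private static String md5Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Mapped in web.xml ahead of the Abdera servlet, the filter keeps authentication out of the Atom code entirely, which is the orthogonality Remy and Chris are after; a downstream call to another system can then build whatever opaque token David describes from the "digest.user" attribute rather than re-parsing the Authorization header. Two limits of this sketch are worth knowing before relying on it: it does not track the nonce count (nc), so a captured request can be replayed against the same URI until the nonce expires, and qop="auth" covers only the method and URI, not the entity body, so Digest on its own does not protect the content of an Atom POST or PUT on an untrusted network; Jim's "Basic over SSL" suggestion avoids both issues by relying on TLS.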