abdera-user mailing list archives

From "Remy Gendron" <r...@arrova.ca>
Subject RE: Server authentication support
Date Wed, 02 Apr 2008 16:30:26 GMT
I was thinking more OAuth but wrote OpenAuth. So, OAuth it is. We are
developing our first SOA-oriented Atom servers. Currently, a simple HTTP
digest auth would suffice. But soon enough, we will come up with
interactions between the servers themselves, not just between the client and
a server. As soon as we build an aggregation server or a more complex server
that uses the services provided by another server, I will need something
like OAuth to propagate authentication.

In the case of your www.constantcontact.com, you secure the outside API with
HTTP digest. But behind your client API, do you access many systems? How do
you propagate the authentication to the sub-systems? Do you forgo
authentication once inside the firewall and just propagate the username to
at least do some history logging?

Thanks Jim for the insight on your implementation.

Remy

-----Original Message-----
From: Jim Ancona [mailto:jim@anconafamily.com] 
Sent: April 2, 2008 12:12
To: abdera-user@incubator.apache.org
Subject: Re: Server authentication support

Remy Gendron wrote:
> I'm looking at securing my Abdera server implementation. Do you have
> recommendations for the following?
> 
> 1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
> will not be exposed to the outside. Backed by a corporate LDAP.

Do you mean OpenAuth, the AOL auth API (http://dev.aol.com/openauth) or 
OAuth, the API auth protocol spec (http://oauth.net/)?  For intranet 
use, my guess is that Basic over SSL or HTTP Digest would be sufficient.

We are working on a REST API to enable integration with our web 
application (http://www.constantcontact.com/). We will probably support 
OAuth eventually, but for the time being we elected to use HTTP Digest.

> 2) Are there support libraries that would help in implementing this on the
> server side? Abdera already comes with auth extensions. How do I leverage
> these on the server side? Shouldn't security be orthogonal to the Atom
> stuff? I was thinking along the way of a servlet filter.

I think you're on the right track. I couldn't find an open source HTTP 
Digest implementation in Java other than Acegi (see below), so I wrote 
my own as a servlet filter. If anyone knows of one, or a good test 
suite, please let me know!

> 3) My server is heavily Spring. I will look up ACEGI.

We use Spring as well. I'm sure you know that Acegi is now Spring 
Security. It sounds like they're doing a lot of work to simplify the 
common use cases, but when I looked at it, it seemed like more than I 
wanted to bite off at that time. Because my implementation is pretty 
much orthogonal to the rest of the server implementation, we can 
reconsider it later.

Hope this helps!

Jim
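A server-side HTTP Digest check of the kind Jim describes writing as a servlet filter, as an added example (not Jim's code, and not part of Abdera or Spring Security): it recomputes the RFC 2617 response for qop=auth and checks it against the RFC's own published test vector. The servlet wiring, the password lookup for the realm, and the nonce/nc bookkeeping are assumed to be supplied by the caller.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Server-side check of an RFC 2617 Digest Authorization header (qop=auth, MD5). */
public class DigestCheck {
    // key="quoted value" or key=bare-value, as they appear in the Authorization header.
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]*))");
    static Map<String, String> parse(String header) {
        Map<String, String> params = new HashMap<>();
        Matcher m = PARAM.matcher(header.replaceFirst("^Digest\\s+", ""));
        while (m.find()) {
            params.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        }
        return params;
    }
    static String md5Hex(String s) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1))) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is a mandatory algorithm in every JRE
        }
    }
    // Recomputes the client's response from the server-side password and compares it in constant
    // time. The caller must still check that the nonce was issued by this server, that nc is fresh
    // for that nonce (replay protection), and that uri matches the request line actually received.
    static boolean verify(String method, String realm, String password, String header) {
        Map<String, String> p = parse(header);
        if (!"auth".equals(p.get("qop")) || !realm.equals(p.get("realm"))) return false;
        String ha1 = md5Hex(p.get("username") + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + p.get("uri"));
        String expected = md5Hex(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":"
                + p.get("cnonce") + ":auth:" + ha2);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                String.valueOf(p.get("response")).getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) {
        // Test vector from RFC 2617 section 3.5 (not a real credential), expected response 6629fa...
        String header = "Digest username=\"Mufasa\", realm=\"testrealm@host.com\", "
                + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", uri=\"/dir/index.html\", qop=auth, "
                + "nc=00000001, cnonce=\"0a4f113b\", response=\"6629fae49393a05397450978507c4ef1\"";
        System.out.println(verify("GET", "testrealm@host.com", "Circle Of Life", header)); // prints true
    }
}
```

Inside a filter, a failed verify (or a missing header) should answer 401 with a fresh WWW-Authenticate: Digest challenge rather than falling through to the Atom handler.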

