abdera-user mailing list archives

From "David Primmer" <david.prim...@gmail.com>
Subject Re: Server authentication support
Date Wed, 02 Apr 2008 16:29:44 GMT
On Wed, Apr 2, 2008 at 7:51 AM, Remy Gendron <remy@arrova.ca> wrote:
> Hello all,
>
>  I'm looking at securing my Abdera server implementation. Do you have
>  recommendations for the following?
>
>  1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
>  will not be exposed to the outside. Backed by a corporate LDAP.

I'm assuming you mean OAuth here. I'd recommend OAuth in this case.
Don't be distracted by the scenarios featured in the OAuth docs that
deal mostly with what is called 3-legged auth that has a person with a
browser doing the delegation to another application. You can also use
OAuth in a 2-legged server-to-server mode and in this case, it's very
similar to Digest auth but uses a different signing mechanism. It's
still a young standard but it is 'mature' in the sense that it is
codifying a widely used best practice. The shindig project is doing a
lot of work to drive the use of OAuth forward.

>
>  2) Are there support libraries that would help in implementing this on the
>  server side? Abdera already comes with auth extensions. How do I leverage
>  these on the server side? Shouldn't security be orthogonal to the Atom
>  stuff? I was thinking along the way of a servlet filter.

It depends on how automated you want the whole thing to be. It's
fairly little effort to check signatures and read headers, to do the
work of securing the request and the samples on the OAuth site show
this. But they don't do much for you when you need to
distribute/rotate keys or discover on the fly how to auth. If you have
a single connection you set this up once and it's not much work. If
you have thousands or millions of endpoints, it's more of a problem.
That's what Shindig needs to solve.
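The 2-legged, server-to-server mode described in the reply above, as an added example that is not from the thread, from Abdera or from Shindig: an OAuth 1.0 HMAC-SHA1 signer for the calling server and the matching check a servlet filter in front of the Atom server would perform, including the timestamp window and nonce bookkeeping that keep a captured request from being replayed. It is written in Python rather than Java for brevity; the consumer store, key, secret, URL and header values are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed consumer store; in the corporate setup above this would be backed by LDAP.
CONSUMER_SECRETS = {"reports-batch": "c0nsum3r-s3cr3t"}
MAX_CLOCK_SKEW = 300   # seconds a request timestamp may differ from server time
_seen_nonces = set()   # (consumer_key, nonce, timestamp) already accepted, for replay detection

def _enc(value):
    return quote(str(value), safe="-._~")   # RFC 3986 percent-encoding as OAuth 1.0 requires

def parse_auth_header(header):
    # 'OAuth realm="x", oauth_consumer_key="...", ...' -> dict; realm is not a signed parameter
    scheme, _, rest = header.partition(" ")
    pairs = (part.strip().partition("=") for part in rest.split(",")) if scheme == "OAuth" else []
    return {k: unquote(v.strip('"')) for k, _, v in pairs if k != "realm"}

def signature_base_string(method, url, oauth_params):
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"  # assumes default port
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in params))
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def hmac_sha1_signature(base_string, consumer_secret):
    key = f"{_enc(consumer_secret)}&"   # 2-legged: no token, so the token-secret half is empty
    return base64.b64encode(hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, nonce, timestamp):
    # Client side: the Authorization header the calling server sends.
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp), "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, oauth), consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in oauth.items())

def verify_request(method, url, auth_header, now=None):
    # Server side (the servlet-filter job): known consumer, fresh timestamp, valid signature, unused nonce.
    oauth = parse_auth_header(auth_header)
    secret = CONSUMER_SECRETS.get(oauth.get("oauth_consumer_key"))
    ts = oauth.get("oauth_timestamp", "")
    if (secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1" or not ts.isdigit()
            or abs((time.time() if now is None else now) - int(ts)) > MAX_CLOCK_SKEW):
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth), secret)
    replay_key = (oauth["oauth_consumer_key"], oauth.get("oauth_nonce"), ts)
    if replay_key in _seen_nonces or not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
        return False
    _seen_nonces.add(replay_key)   # recorded only after a successful check so bad requests cannot poison it
    return True
```

The nonce set grows without bound here; a real filter would expire entries older than MAX_CLOCK_SKEW, since anything outside that window is already rejected by the timestamp check.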
