From: Jim Ancona
To: abdera-user@incubator.apache.org
Date: Wed, 02 Apr 2008 12:11:34 -0400
Subject: Re: Server authentication support
Message-ID: <47F3B036.7040703@anconafamily.com>

Remy Gendron wrote:
> I'm looking at securing my Abdera server implementation. Do you have
> recommendations for the following?
>
> 1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
> will not be exposed to the outside. Backed by a corporate LDAP.

Do you mean OpenAuth, the AOL auth API (http://dev.aol.com/openauth) or
OAuth, the API auth protocol spec (http://oauth.net/)?

For intranet use, my guess is that Basic over SSL or HTTP Digest would be
sufficient. We are working on a REST API to enable integration with our web
application (http://www.constantcontact.com/). We will probably support
OAuth eventually, but for the time being we elected to use HTTP Digest.

> 2) Are there support libraries that would help in implementing this on the
> server side? Abdera already comes with auth extensions. How do I leverage
> these on the server side? Shouldn't security be orthogonal to the Atom
> stuff? I was thinking along the way of a servlet filter.

I think you're on the right track. I couldn't find an open source HTTP
Digest implementation in Java other than Acegi (see below), so I wrote my
own as a servlet filter. If anyone knows of one, or a good test suite,
please let me know!

> 3) My server is heavily Spring. I will look up ACEGI.

We use Spring as well. I'm sure you know that Acegi is now Spring Security.
It sounds like they're doing a lot of work to simplify the common use
cases, but when I looked at it, it seemed like more than I wanted to bite
off at that time. Because my implementation is pretty much orthogonal to
the rest of the server implementation, we can reconsider it later.

Hope this helps!

Jim
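The HTTP Digest check that a servlet filter of the kind Jim describes would run, shown here as an added, self-contained example in Python rather than Java so that it runs stand-alone; it is not Abdera's code and not Jim's filter. It follows RFC 2617 with qop="auth" and MD5 (the algorithm the RFC specifies). The realm "corp-atom", the user "remy" with password "correct horse", the nonce format (timestamp plus an HMAC under a server secret, so nonces need no server-side table), the 300 s nonce lifetime and the request URIs are all constructed for the demonstration. The server keeps HA1 = MD5(user:realm:password) rather than the password itself, binds the digest to the request URI, rejects expired or forged nonces, and tracks the nonce count to catch replays.

```python
"""Server-side HTTP Digest verification (RFC 2617, qop="auth", MD5).
Added example; realm, user, secret and URIs below are constructed, not from Abdera."""
import hashlib
import hmac
import os
import re
import time

REALM = "corp-atom"             # constructed example realm
SERVER_SECRET = os.urandom(16)  # signs nonces so they can be validated without a nonce store
NONCE_TTL = 300                 # seconds a nonce stays acceptable


def ha1(username, realm, password):
    """HA1 = MD5(user:realm:password); the server stores this, never the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


USERS = {"remy": ha1("remy", REALM, "correct horse")}  # constructed credential store


def make_nonce(now=None):
    """nonce = '<unix time>:<HMAC-SHA256(secret, time)>', verifiable statelessly."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce, now=None):
    """Reject nonces we did not issue (bad MAC) or that are older than NONCE_TTL."""
    ts, _, mac = nonce.partition(":")
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac, expected):
        return False
    age = (now if now is not None else time.time()) - int(ts)
    return 0 <= age <= NONCE_TTL


def challenge():
    """WWW-Authenticate value to send with the 401 that starts the exchange."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce()}", algorithm=MD5'


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict; None if it is not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def digest_response(h1, method, uri, nonce, nc, cnonce):
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def client_authorization(username, password, method, uri, nonce, nc, cnonce):
    """The Authorization header a client builds from the challenge (client side, for the demo)."""
    resp = digest_response(ha1(username, REALM, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')


_seen_nc = {}  # nonce -> highest nonce count accepted so far (replay detection)


def verify(method, request_uri, authorization, now=None):
    """Return the authenticated username, or None. This is the filter's decision point."""
    p = parse_authorization(authorization or "")
    if not p:
        return None
    needed = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if not needed.issubset(p) or p.get("qop", "auth") != "auth":
        return None
    if p["realm"] != REALM or p["uri"] != request_uri:  # digest must be bound to this request
        return None
    if not nonce_is_valid(p["nonce"], now):
        return None
    try:
        nc = int(p["nc"], 16)
    except ValueError:
        return None
    if nc <= _seen_nc.get(p["nonce"], 0):  # same or lower count under this nonce: replay
        return None
    h1 = USERS.get(p["username"])
    if h1 is None:
        return None
    expected = digest_response(h1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return None
    _seen_nc[p["nonce"]] = nc
    return p["username"]


if __name__ == "__main__":
    n = make_nonce()
    hdr = client_authorization("remy", "correct horse", "GET", "/atom/feed", n, "00000001", "c0ffee")
    print(verify("GET", "/atom/feed", hdr))   # remy
    print(verify("GET", "/atom/feed", hdr))   # None: replayed nonce count
```

In a servlet filter the same logic sits in doFilter: on a missing or failing header, send 401 with the challenge() value in WWW-Authenticate and stop the chain; on success, pass the principal down to the Atom provider. With an LDAP-backed corporate directory, note that verify() needs HA1, so either the directory must expose the Digest hash or the password must be retrievable, which is a constraint Basic over SSL does not have.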