manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CONNECTORS-1177) Add authentication support for REST api
Date Mon, 30 Mar 2015 23:03:55 GMT
Karl Wright created CONNECTORS-1177:
---------------------------------------

             Summary: Add authentication support for REST api
                 Key: CONNECTORS-1177
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1177
             Project: ManifoldCF
          Issue Type: Improvement
          Components: API
    Affects Versions: ManifoldCF 2.0.2, ManifoldCF 1.8.2
            Reporter: Karl Wright
            Assignee: Karl Wright
             Fix For: ManifoldCF 1.9, ManifoldCF 2.1


Best practices, as far as I can tell, are here:

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

{code}
RESTful web services should use session-based authentication, either by establishing a session
token via a POST or by using an API key as a POST body argument or as a cookie. Usernames,
passwords, session tokens, and API keys should not appear in the URL, as this can be captured
in web server logs, which makes them intrinsically valuable. 
{code}

There's nothing intrinsically wrong with using standard web application session management
as a means of managing sessions.  The only potential complication is the java session ID on
the URL -- but that can be disabled at the web application level.

The other complication is session expiration.  Sessions must eventually expire; we will need
to signal that by returning a 403 HTTP code should that occur.

In order to make this work, we need to add a LOGIN post request, whose job it is to establish
a session and verify credentials.  The credentials can be placed in the properties.xml file
for now, as is done for the web UI.  ALL requests to the API must verify the contents of the
credentials bean in order for this to work.  This can be done by simply coding the check at
the API's servlet implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message