manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CONNECTORS-1177) Add authentication support for REST api
Date Tue, 31 Mar 2015 11:06:52 GMT

[ https://issues.apache.org/jira/browse/CONNECTORS-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14388374#comment-14388374 ]

Karl Wright commented on CONNECTORS-1177:
-----------------------------------------

The branch has code committed.  The code should accept a LOGIN command as a POST, with userID
and password arguments.  Username and password for the API are defined in the properties file;
the default values for these are both empty string, which happens to correspond to the default
login which takes place when a session is just defined.

Still needed:
(1) A test
(2) Revisions to the script engine to handle login
(3) Documentation updates


> Add authentication support for REST api
> ---------------------------------------
>
>                 Key: CONNECTORS-1177
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1177
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 1.8.2, ManifoldCF 2.0.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.9, ManifoldCF 2.1
>
>
> Best practices, as far as I can tell, are here:
> https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
> {code}
> RESTful web services should use session-based authentication, either by establishing
> a session token via a POST or by using an API key as a POST body argument or as a cookie.
> Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can
> be captured in web server logs, which makes them intrinsically valuable.
> {code}
> There's nothing intrinsically wrong with using standard web application session management
> as a means of managing sessions.  The only potential complication is the Java session ID on
> the URL -- but that can be disabled at the web application level.
> The other complication is session expiration.  Sessions must eventually expire; we will
> need to signal that by returning a 403 HTTP code should that occur.
> In order to make this work, we need to add a LOGIN post request, whose job it is to establish
> a session and verify credentials.  The credentials can be placed in the properties.xml file
> for now, as is done for the web UI.  ALL requests to the API must verify the contents of the
> credentials bean in order for this to work.  This can be done by simply coding the check at
> the API's servlet implementation.
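The login-then-verify flow described in the comment and in the issue text, modelled as an added Python example (not ManifoldCF's own code): a LOGIN accepted only as a POST with userID and password checked against properties-file values, a server-side session that every other command must present, and a 403 once that session has expired. The property key names, the idle timeout, the 401 for a failed login and the `jobs` command used in the usage are assumptions of this example.

```python
import hmac
import secrets

# Constructed stand-in for the properties file; the key names are assumed.
PROPERTIES = {"api.username": "admin", "api.password": "s3cret"}
SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before expiry (assumed)

class ApiSessions:
    """Server-side session table: session id -> {'user': ..., 'expires': ...}."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self.table = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)            # unguessable id, sent as a cookie
        self.table[sid] = {"user": user, "expires": now + self.timeout}
        return sid

    def lookup(self, sid, now):
        entry = self.table.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:                # expired: forget it
            del self.table[sid]
            return None
        entry["expires"] = now + self.timeout      # sliding expiration
        return entry

def check_credentials(user_id, password):
    """Compare both values in constant time; '&' avoids short-circuiting."""
    want_user = PROPERTIES.get("api.username", "")  # default: empty string
    want_pass = PROPERTIES.get("api.password", "")
    return (hmac.compare_digest(user_id.encode(), want_user.encode())
            & hmac.compare_digest(password.encode(), want_pass.encode()))

def handle_request(sessions, method, command, params, session_id, now):
    """Dispatch one API call; returns (status, body, session_id).
    LOGIN is the only command allowed without a valid session."""
    if command == "LOGIN":
        if method != "POST":                       # credentials never go in the URL
            return 405, "LOGIN must be a POST", None
        user_id = params.get("userID", "")
        if check_credentials(user_id, params.get("password", "")):
            return 200, "OK", sessions.create(user_id, now)
        return 401, "bad credentials", None        # 401 for a failed login is assumed
    if sessions.lookup(session_id, now) is None:
        return 403, "not logged in or session expired", None
    return 200, "executed " + command, session_id
```

`now` is passed in as a timestamp so expiry can be exercised deterministically; a servlet would take it from the clock and the session id from the cookie.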



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
