manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CONNECTORS-1177) Add authentication support for REST api
Date Wed, 01 Apr 2015 11:03:52 GMT

    [ https://issues.apache.org/jira/browse/CONNECTORS-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14390386#comment-14390386
] 

Karl Wright commented on CONNECTORS-1177:
-----------------------------------------

r1670614 (trunk)


> Add authentication support for REST api
> ---------------------------------------
>
>                 Key: CONNECTORS-1177
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1177
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 1.8.2, ManifoldCF 2.0.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.9, ManifoldCF 2.1
>
>
> Best practices, as far as I can tell, are here:
> https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
> {code}
> RESTful web services should use session-based authentication, either by establishing
a session token via a POST or by using an API key as a POST body argument or as a cookie.
Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can
be captured in web server logs, which makes them intrinsically valuable. 
> {code}
> There's nothing intrinsically wrong with using standard web application session management
as a means of managing sessions.  The only potential complication is the java session ID on
the URL -- but that can be disabled at the web application level.
> The other complication is session expiration.  Sessions must eventually expire; we will
need to signal that by returning a 403 HTTP code should that occur.
> In order to make this work, we need to add a LOGIN post request, whose job it is to establish
a session and verify credentials.  The credentials can be placed in the properties.xml file
for now, as is done for the web UI.  ALL requests to the API must verify the contents of the
credentials bean in order for this to work.  This can be done by simply coding the check at
the API's servlet implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message