abdera-user mailing list archives

From "David Primmer" <david.prim...@gmail.com>
Subject Re: Server authentication support
Date Wed, 02 Apr 2008 16:45:38 GMT
On Wed, Apr 2, 2008 at 9:30 AM, Remy Gendron <remy@arrova.ca> wrote:
>  In the case of your www.constantcontact.com, you secure the outside API with
>  HTTP digest. But behind your client API, do you access many systems? How do
>  you propagate the authentication to the sub-systems? Do you forgo
>  authentication once inside the firewall and just propagate the username to
>  at least do some history logging?

Because you're terminating the HTTP, you kinda have to repackage your
attributes. It really depends on if you have untrusted intermediaries
who you don't want to see the info. In that case, you need an opaque
token that is unpacked at the ultimate destination.

>  Thanks Jim for the insight on your implementation.
>  Remy
>  -----Original Message-----
>  From: Jim Ancona [mailto:jim@anconafamily.com]
>  Sent: April 2, 2008 12:12
>  To: abdera-user@incubator.apache.org
>  Subject: Re: Server authentication support
>  Remy Gendron wrote:
>  > I'm looking at securing my Abdera server implementation. Do you have
>  > recommendations for the following?
>  >
>  > 1) OpenAuth or WSSE? I am developing intra-corporate Atom services. These
>  > will not be exposed to the outside. Backed by a corporate LDAP.
>  Do you mean OpenAuth, the AOL auth API (http://dev.aol.com/openauth) or
>  OAuth, the API auth protocol spec (http://oauth.net/)?  For intranet
>  use, my guess is that Basic over SSL or HTTP Digest would be sufficient.
>  We are working on a REST API to enable integration with our web
>  application (http://www.constantcontact.com/). We will probably support
>  OAuth eventually, but for the time being we elected to use HTTP Digest.
>  > 2) Are there support libraries that would help in implementing this on the
>  > server side? Abdera already comes with auth extensions. How do I leverage
>  > these on the server side? Shouldn't security be orthogonal to the Atom
>  > stuff? I was thinking along the way of a servlet filter.
>  I think you're on the right track. I couldn't find an open source HTTP
>  Digest implementation in Java other than Acegi (see below), so I wrote
>  my own as a servlet filter. If anyone knows of one, or a good test
>  suite, please let me know!
>  > 3) My server is heavily Spring. I will look up ACEGI.
>  We use Spring as well. I'm sure you know that Acegi is now Spring
>  Security. It sounds like they're doing a lot of work to simplify the
>  common use cases, but when I look at it, it seemed like more than I
>  wanted to bite off at that time. Because my implementation is pretty
>  much orthogonal to the rest of the server implementation, we can
>  reconsider it later.
>  Hope this helps!
>  Jim
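Jim describes writing his own HTTP Digest check as a servlet filter, and Remy asks how to keep the security layer orthogonal to the Atom code. The filter below is an added example written for this archive page; it is not Abdera's code and not Jim's implementation. It shows the pieces a reviewer would look for in such a filter: a self-validating nonce (timestamp plus HMAC, so no server-side nonce table), a nonce-count replay check, a constant-time comparison of the response, and a credential store that holds only HA1 rather than passwords. The javax.servlet API, the realm name "intranet-atom", the request attribute "auth.user", and the in-memory HA1 map standing in for the corporate LDAP are all assumptions.

```java
// Added example (not Abdera's code and not Jim's filter): an HTTP Digest (RFC 2617, qop="auth") servlet
// filter. Assumes javax.servlet; realm name and the in-memory HA1 store are constructed stand-ins for LDAP.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

public class DigestAuthFilter implements Filter {
    static final String REALM = "intranet-atom";                    // assumed realm name
    static final long NONCE_TTL_MS = 5 * 60 * 1000L;                // a nonce is accepted for 5 minutes
    static final Pattern KV = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,]+))");
    private final byte[] nonceKey = new byte[32];                    // MAC key for nonces we issue
    private final Map<String, Long> highestNc = new HashMap<>();     // nonce -> last nc seen (replay check)
    private final Map<String, String> ha1Store = new HashMap<>();    // user -> MD5(user:realm:password)

    public DigestAuthFilter() {
        new SecureRandom().nextBytes(nonceKey);
        ha1Store.put("remy", md5Hex("remy:" + REALM + ":s3cret")); // constructed credential; only HA1 is kept
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String user = authenticate(r.getMethod(), r.getHeader("Authorization"));
        if (user == null) {
            w.setHeader("WWW-Authenticate", "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + newNonce() + "\"");
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("auth.user", user);   // the Atom provider reads the principal from here
        chain.doFilter(req, res);
    }

    /** Returns the authenticated username, or null if the header is missing, malformed, stale or wrong. */
    String authenticate(String method, String header) {
        if (header == null || !header.startsWith("Digest ")) return null;
        Map<String, String> p = new HashMap<>();
        Matcher m = KV.matcher(header.substring(7));
        while (m.find()) p.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3).trim());
        String user = p.get("username"), nonce = p.get("nonce"), uri = p.get("uri");
        String nc = p.get("nc"), cnonce = p.get("cnonce"), resp = p.get("response");
        if (user == null || nonce == null || uri == null || nc == null || cnonce == null || resp == null
                || !REALM.equals(p.get("realm")) || !"auth".equals(p.get("qop"))) return null;
        if (!nonceValid(nonce)) return null;                        // issued by us and not expired
        String ha1 = ha1Store.get(user);
        if (ha1 == null) return null;
        String ha2 = md5Hex(method + ":" + uri);
        String expected = md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        if (!sameString(expected, resp)) return null;
        long count;
        try { count = Long.parseLong(nc, 16); } catch (NumberFormatException e) { return null; }
        synchronized (highestNc) {                                  // nc must increase per nonce, else replay
            Long last = highestNc.get(nonce);
            if (last != null && count <= last) return null;
            highestNc.put(nonce, count);                            // prune entries older than the TTL in production
        }
        return user;
    }
    // Nonce = base64(timestamp ":" HMAC(timestamp)): self-validating, so no server-side nonce table is needed.
    private String newNonce() {
        String ts = Long.toString(System.currentTimeMillis());
        return Base64.getEncoder().encodeToString((ts + ":" + hmacHex(ts)).getBytes(StandardCharsets.US_ASCII));
    }
    private boolean nonceValid(String nonce) {
        try {
            String[] parts = new String(Base64.getDecoder().decode(nonce), StandardCharsets.US_ASCII).split(":", 2);
            return parts.length == 2 && sameString(hmacHex(parts[0]), parts[1])
                    && System.currentTimeMillis() - Long.parseLong(parts[0]) < NONCE_TTL_MS;
        } catch (IllegalArgumentException e) { return false; }     // bad base64 or bad timestamp
    }
    private String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(nonceKey, "HmacSHA256"));
            return hex(mac.doFinal(data.getBytes(StandardCharsets.US_ASCII)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    static String md5Hex(String s) {
        try { return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    static boolean sameString(String a, String b) {                 // constant-time compare of hex strings
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII), b.getBytes(StandardCharsets.US_ASCII));
    }
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Map the filter in web.xml ahead of the Abdera servlet so the provider only ever sees requests that carry an "auth.user" attribute. Two caveats the thread itself brushes against: Digest rests on MD5 and authenticates only the credentials, not the request body, so on an intranet it still belongs behind TLS just as Basic does; and although HA1 is realm-bound, it is password-equivalent for that realm, so the store needs the same protection a clear-text password store would. A production filter would also compare the uri field with the request's own URI before accepting the response.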

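David's point about repackaging the authenticated attributes into an opaque token that intermediaries cannot read and that is unpacked only at the final destination, as an added example that is not from the thread or from Abdera: the front end that ran the Digest check seals the username, the intended audience and an issue time with AES-GCM, and the destination service unseals it and checks audience and age. The key shared by the two ends (generated in-process here), the audience names and the one-minute lifetime are assumptions; the main method uses constructed values.

```java
// Added example (not from the thread or Abdera): an opaque, authenticated identity token for hop-to-hop
// propagation behind the edge. Assumes a 256-bit AES key held only by the front end and the destination.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class IdentityToken {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final long TTL_MS = 60_000L;          // assumed lifetime: one hop, one minute
    private final SecretKey key;
    private final SecureRandom rnd = new SecureRandom();

    public IdentityToken(SecretKey key) { this.key = key; }

    /** Front end: after the Digest check succeeds, seal user, audience and issue time. */
    public String pack(String user, String audience) throws GeneralSecurityException {
        String claims = user + "\n" + audience + "\n" + System.currentTimeMillis();
        byte[] iv = new byte[IV_BYTES];                  // fresh random IV per token; never reuse with one key
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(claims.getBytes(StandardCharsets.UTF_8));   // ciphertext + 16-byte tag
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    /** Destination: returns the user if the token is intact, addressed to us and fresh; null otherwise. */
    public String unpack(String token, String expectedAudience) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            if (raw.length < IV_BYTES + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, IV_BYTES));
            byte[] plain = c.doFinal(raw, IV_BYTES, raw.length - IV_BYTES);   // tag is verified here
            String[] f = new String(plain, StandardCharsets.UTF_8).split("\n", 3);
            if (f.length != 3 || !expectedAudience.equals(f[1])) return null;
            long age = System.currentTimeMillis() - Long.parseLong(f[2]);
            return (age >= 0 && age < TTL_MS) ? f[0] : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;   // bad base64, tampered bytes or wrong key all look the same to the caller
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        IdentityToken t = new IdentityToken(kg.generateKey());       // constructed shared key
        String tok = t.pack("remy", "inventory-service");             // constructed values
        System.out.println("right audience: " + t.unpack(tok, "inventory-service"));
        System.out.println("wrong audience: " + t.unpack(tok, "billing-service"));
        String tampered = tok.substring(0, tok.length() - 2) + "AA";  // flip the tail of the ciphertext
        System.out.println("tampered token: " + t.unpack(tampered, "inventory-service"));
    }
}
```

The audience field is what stops a token minted for one back-end from being replayed against another, and the short lifetime bounds the damage if one leaks from a log. Because the token is sealed rather than merely signed, an intermediary that forwards it learns nothing about the caller; if you only need intermediaries to be unable to forge the identity but may let them read it, an HMAC over the same claims is the lighter option.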