-1 for keeping passwords in files. They are evil because people will change
them from the UI and the behavior is unpredictable. Best is to authenticate with
the identity token we have to the APIM. I am not sure whether APIM supports
authenticating with a SAML token?


On Fri, May 30, 2014 at 11:30 AM, Dilshan Edirisuriya <[email protected]>
wrote:

> Hi,
>
> This is related to the API manager integration with EMM. To describe more
> on the use case, we are trying to protect some of the EMM APIs (for now only
> Android) using API manager. For this we have included the API manager
> features in the EMM pack along with the publisher and API store Jaggery apps.
>
> We have discussed 2 approaches on this in Dev [1] other than the approach
> discussed in [2]. After discussing with Shan we are going ahead with
> approach 1, which is discussed in thread [1]. That is to have one consumer
> key and consumer secret for the super tenant space and make it available for
> all other tenants. So at any time an EMM server instance will only contain
> one consumer key and one consumer secret.
>
> While progressing in the development I have faced some issues which need
> to be clearly defined and addressed.
>
> Since the above APIs are Android related, these should be published and
> subscribed in advance. What I was asked to do is to automatically publish
> and subscribe APIs into the API manager. After discussing with Sumedha we
> thought of doing it using the API manager REST API.
>
> In order to publish I went through the publisher APIs which appear in the API
> manager doc [3]. This requires a login to the system in advance. I looked
> into the API manager code on this. As an example, if you look at the add publisher
> API at location publisher/site/blocks/item-add/ajax/add.jag, this has a
> validation to check the current user (session.get("logged.user")). So it
> fails from this point. I see the following issues on this.
>
> 1) API manager does not accept a SAML token, hence we need to call the
> login URL first to get a valid session in the API publisher. Is there any way
> we can achieve this?
>
> 2) If we are to call the login API of API manager we should keep the
> username and password in some place like a configuration file. I know
> AppFactory does this, where they keep admin credentials in appfactory.xml for
> the purpose of WSRequests. Is it ok to follow something like this?
>
> 3) If we keep the username and password in a configuration file it should be
> super admin credentials, since we need to publish/subscribe using that
> account to be available for all other users. What if someone changes the
> credentials from the carbon console before logging into EMM?
>
> 4) Not sure whether there are Jaggery listeners for context initialization
> as in the servlet spec (I know they have implemented listeners for sessions
> though). Otherwise we have to publish/subscribe these at first-time login,
> which is a bit of a non-standard way of doing things.
>
> 5) Since we have one consumer key and secret, if it is compromised how do
> we revoke it? How do mobile apps adhere to this change, since they store
> these securely in the sandbox the first time? I believe dynamic consumer
> key/secret generation minimizes this issue and it affects only a minimal set
> of devices rather than all the devices in the system.
>
> Let me know your thoughts on these.
>
>
> [1] - [Dev]Securing the APIs on EMM in multi tenant environment
> [2] - [Dev]EMM OAuth Implementation - Android - Storing Consumer Secret
> [3] - https://docs.wso2.org/display/AM170/Publisher+APIs
>
>
> Regards,
>
> Dilshan
>
> --
> Dilshan Edirisuriya
> Senior Software Engineer - WSO2
> Mob: + 94 777878905
> http://wso2.com/
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2Mobile
Lean.Enterprise.Mobileware
~Email       [email protected]
~Mobile     +94712112165
~Website   dulitha.me <http://dulitha.me>
~Twitter     @dulitharw <https://twitter.com/dulitharw>
~Github     @dulichan <https://github.com/dulichan>
~SO     @chan <http://stackoverflow.com/users/813471/chan>