Hi Ruchira,
Yes, I need a recommendation on how to secure all the REST API endpoints.
Currently the publisher app uses both HTTP and HTTPS. Since the publisher should be
secured, I think we need to disable serving pages/APIs over HTTP. In that way
these REST endpoints will also be HTTPS-only, as they are served under
'{context}/publisher/apis/*'.
WDYT?
Roshan,
Thank you for your suggestions.
We don't maintain two REST APIs; this is the same REST API we use
internally on the ES client side and expose to external clients (third-party
developers).
Thanks!
- Ayesha
On Wed, Oct 15, 2014 at 12:00 PM, Roshan Wijesena <[email protected]> wrote:
> Hi Ayesha,
>
> IMO, if you intend to expose your API to third-party developers, the
> best way to secure it is OAuth2, where the third-party developer can generate
> his consumer id/secret, generate an API token and use that token to
> access the APIs. WSO2 APIM uses that protocol. If you wish, you can use WSO2 IS as
> a token provider, but I believe in your case Basic auth [1] over SSL
> would be sufficient.
>
> And why do we need two REST APIs here? Can't we validate the user directly in your
> CRUD REST API?
>
> [1] http://tools.ietf.org/html/rfc2617
>
> On Wed, Oct 15, 2014 at 11:27 AM, Ruchira Wageesha <[email protected]>
> wrote:
>
>>
>>
>> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <[email protected]>
>> wrote:
>>
>>> Hi all,
>>>
>>> I have implemented ES Publisher REST API in order to access and perform
>>> CRUD operations on ES -BackOffice.
>>>
>>> Each endpoint is authenticated by a valid Session-ID, passed to the
>>> endpoint in a request header.
>>>
>>> In order to obtain a session-ID we have implemented a separate
>>> authenticate REST endpoint. A user can send username and password in a
>>> POST request to this endpoint and, if the credentials are valid, a session-ID
>>> is returned.
>>>
>>> Currently, no encryption or other (Basic auth/OAuth) authorization
>>> mechanism is implemented yet.
>>>
>>> What would be the lightweight and best way to secure this
>>> 'authentication' endpoint? Is there a particular wso2 way of doing this?
>>>
>> I assume you need a recommendation for securing all the REST APIs,
>> whether to use OAuth, Basic Auth etc., as you have secured it based on the
>> cookie, right?
>>
>> Anyway, in order to secure the auth endpoint, you will have to at least
>> use HTTPS.
>>
>>>
>>> Thanks!
>>> - Ayesha
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: [email protected] <[email protected]>
>>>
>>
>>
>>
>> --
>>
>> *Ruchira Wageesha*, *Associate Technical Lead*
>> *WSO2 Inc. - lean . enterprise . middleware | wso2.com <http://wso2.com>*
>>
>> *email: [email protected] <[email protected]>, blog:
>> ruchirawageesha.blogspot.com <http://ruchirawageesha.blogspot.com>,
>> mobile: +94 77 5493444*
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Roshan Wijesena.
> Senior Software Engineer-WSO2 Inc.
> Mobile: *+94752126789*
> Email: [email protected]
> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
> lean.enterprise.middleware.
>
--
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected] <[email protected]>