I believe this is a perfect example for the API Everywhere concept. In EMM, some APIs are exposed to the devices with this concept. Basically a Tomcat valve validates the security tokens; the security protocol used here is OAuth.
Another question I have on the BackOffice API is whether this is the same API used by the Publisher App itself?

Cheers~

On Fri, Oct 17, 2014 at 11:28 AM, Danushka Fernando <[email protected]> wrote:

> IMO storing username and password is not the recommended way. So +1 for
> OAuth security. Maybe we can have both OAuth and basic auth if needed. But
> if these endpoints are for third-party developers who will write some
> client code using it, I think OAuth is the best way.
>
> Thanks & Regards
> Danushka Fernando
> Software Engineer
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
> On Fri, Oct 17, 2014 at 10:17 AM, Dulanja Liyanage <[email protected]> wrote:
>
>> Hi,
>>
>> The API can be secured using either BasicAuth or OAuth. The WSO2 IS SCIM
>> endpoint is one example.
>>
>> If BasicAuth is used, the client side might have to store the username/password.
>>
>> If OAuth is used, and the API is accessed via a browser, the user can be
>> redirected to the authorization server to get authenticated, which removes
>> the risk of having user credentials at the client side.
>>
>> Either way, SSL should be used to avoid man-in-the-middle attacks.
>>
>> Hope this helps.
>>
>> Thanks
>> Dulanja
>>
>> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I have implemented the ES Publisher REST API in order to access and perform
>>> CRUD operations on ES BackOffice.
>>>
>>> Each endpoint is authenticated by a valid Session-ID, passed to the
>>> endpoint in a request header.
>>>
>>> In order to obtain a session-ID we have implemented a separate
>>> authenticate REST endpoint. A user can send username and password in a
>>> POST request to this endpoint, and if the credentials are valid a session-ID
>>> will be returned.
>>>
>>> Currently, no encryption or other (basic-auth/oauth) authorization
>>> mechanism is implemented yet.
>>>
>>> What would be the lightweight and best way to secure this
>>> 'authentication' endpoint? Is there a particular WSO2 way of doing this?
>>>
>>> Thanks!
>>> - Ayesha
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: [email protected]
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> Dulanja Liyanage
>> WSO2 Inc.
>> M: +94776764717

--
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2 Inc
Lean.Enterprise.Mobileware
~Email [email protected]
~Mobile +94712112165
~Website dulitha.me <http://dulitha.me>
~Twitter @dulitharw <https://twitter.com/dulitharw>
~Github @dulichan <https://github.com/dulichan>
~SO @chan <http://stackoverflow.com/users/813471/chan>
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
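The thread describes a session-ID scheme (credentials POSTed once to an "authenticate" endpoint, an opaque Session-ID header checked on every other call) and the two hardening points raised in reply: do not make clients store passwords, and require TLS so credentials and session IDs never travel in clear text. The example below is an added illustration of that design, written for this thread; it is not WSO2 code, not the ES Publisher API, and it uses a plain Python class instead of a Tomcat valve. The user name, password, TTL and the `Session-ID` header name are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
# Only password hashes are kept server-side; the client never stores a password
# after the one-time login.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(users: dict) -> dict:
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


# Dummy record so that a login attempt for an unknown user costs the same
# time as one for a known user (no username enumeration via timing).
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = hash_password("", DUMMY_SALT)


class SessionStore:
    """Issues opaque session IDs for valid credentials and validates them on later calls."""

    def __init__(self, user_store: dict, ttl_seconds: int = 15 * 60, clock=time.monotonic):
        self._users = user_store
        self._ttl = ttl_seconds
        self._clock = clock          # injectable clock so expiry is testable
        self._sessions = {}          # sha256(session_id) -> (username, expires_at)

    @staticmethod
    def _key(session_id: str) -> str:
        # Store only a hash of the ID: a leaked session table yields no usable tokens.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def authenticate(self, scheme: str, username: str, password: str):
        """The 'authenticate' endpoint: credentials are sent once, an opaque session ID comes back."""
        if scheme != "https":
            # Credentials must never be accepted over a clear-text connection.
            raise PermissionError("authentication endpoint requires TLS")
        record = self._users.get(username)
        salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
        # Constant-time comparison of the freshly computed hash against the stored one.
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if record is None or not matches:
            return None
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._sessions[self._key(session_id)] = (username, self._clock() + self._ttl)
        return session_id

    def validate(self, scheme: str, headers: dict):
        """Per-endpoint check (the role a Tomcat valve plays): returns the user name or None."""
        if scheme != "https":
            return None              # a session ID sent in clear text is treated as invalid
        session_id = headers.get("Session-ID")
        if not session_id:
            return None
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired: drop it and force a fresh login
            return None
        return username

    def logout(self, session_id: str) -> None:
        self._sessions.pop(self._key(session_id), None)

    def purge_expired(self) -> int:
        """Housekeeping so abandoned sessions do not accumulate; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._sessions.items() if now >= exp]
        for k in stale:
            del self._sessions[k]
        return len(stale)


if __name__ == "__main__":
    users = make_user_store({"demo-user": "correct horse battery staple"})
    store = SessionStore(users, ttl_seconds=60)
    sid = store.authenticate("https", "demo-user", "correct horse battery staple")
    print("session issued:", sid is not None)
    print("validated as:", store.validate("https", {"Session-ID": sid}))
    print("bad id rejected:", store.validate("https", {"Session-ID": "not-a-session"}) is None)
```

The session ID is a bearer token, so it needs the same transport protection as the password it replaces; that is why `validate` refuses clear-text requests rather than only `authenticate`. An expiry plus `logout` bounds the damage from a leaked ID, which is the main thing a long-lived stored username/password (the BasicAuth option in the thread) cannot offer.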
