> Another question I have on the BackOffice API is - whether this is the same API used by the Publisher App itself?

yeap

On Fri, Oct 17, 2014 at 4:09 PM, Chan <[email protected]> wrote:

> I believe this is a perfect example for the API Everywhere concept. In EMM, some APIs are exposed to the devices with this concept. Basically a tomcat valve validates the security tokens; the security protocol used here is OAuth.
>
> Another question I have on the BackOffice API is - whether this is the same API used by the Publisher App itself?
>
> Cheers~
>
> On Fri, Oct 17, 2014 at 11:28 AM, Danushka Fernando <[email protected]> wrote:
>
>> IMO storing username and password is not the recommended way. So +1 for oauth security. Maybe we can have both oauth and basic auth if needed. But if these endpoints are for third-party developers who will write some client code using it, I think oauth is the best way.
>>
>> Thanks & Regards
>> Danushka Fernando
>> Software Engineer
>> WSO2 inc. http://wso2.com/
>> Mobile : +94716332729
>>
>> On Fri, Oct 17, 2014 at 10:17 AM, Dulanja Liyanage <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> The API can be secured using either BasicAuth or OAuth. The WSO2 IS SCIM endpoint is one example.
>>>
>>> If BasicAuth is used, the client side might have to store the username/password.
>>>
>>> If OAuth is used, and the API is accessed via a browser, the user can be redirected to the authorization server to get authenticated, which removes the risk of having user credentials at the client side.
>>>
>>> Either way, SSL should be used to avoid man-in-the-middle attacks.
>>>
>>> Hope this helps.
>>>
>>> Thanks
>>> Dulanja
>>>
>>> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have implemented the ES Publisher REST API in order to access and perform CRUD operations on ES BackOffice.
>>>>
>>>> Each endpoint is authenticated by a valid Session-ID, passed to the endpoint in the request header.
>>>>
>>>> In order to obtain a session-ID we have implemented a separate authenticate REST endpoint. A user can send username and password in the POST request to this endpoint, and if the credentials are valid a session-id will be returned.
>>>>
>>>> Currently, no encryption or other (basic-auth/oauth) authorization mechanism is yet implemented.
>>>>
>>>> What would be the lightweight and best way to secure this 'authentication' endpoint? Is there a particular wso2 way of doing this?
>>>>
>>>> Thanks!
>>>> - Ayesha
>>>>
>>>> --
>>>> *Ayesha Dissanayaka*
>>>> Software Engineer,
>>>> WSO2, Inc : http://wso2.com
>>>> 20, Palmgrove Avenue, Colombo 3
>>>> E-Mail: [email protected]
>>>>
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>> --
>>> Dulanja Liyanage
>>> WSO2 Inc.
>>> M: +94776764717
>
> --
> Chan (Dulitha Wijewantha)
> Software Engineer - Mobile Development
> WSO2 Inc
> Lean.Enterprise.Mobileware
> ~Email [email protected]
> ~Mobile +94712112165
> ~Website dulitha.me <http://dulitha.me>
> ~Twitter @dulitharw <https://twitter.com/dulitharw>
> ~Github @dulichan <https://github.com/dulichan>
> ~SO @chan <http://stackoverflow.com/users/813471/chan>

--
Sameera Medagammaddegedara
Software Engineer
Contact:
Email: [email protected]
Mobile: + 94 077 255 3005
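The thread above debates three ways to protect Ayesha's authenticate endpoint: an opaque session-id returned from a username/password POST and sent back in a request header, BasicAuth (which makes the client carry the credentials on every call, the concern Danushka and Dulanja raise), and OAuth tokens validated server-side. The following is an added example, not code from WSO2 ES or from anyone on this thread. It shows the session-id variant done with the minimum a reviewer would ask for (salted PBKDF2 password storage, a random unguessable token, an expiry, constant-time comparison) next to a BasicAuth header parser for contrast. The user store, the `X-Session-Id` header name, the demo user and the TTL are all constructed for the example; it assumes the endpoint is only ever reachable over TLS, as Dulanja's reply requires, since nothing in the code itself protects the credentials in transit.

```python
"""Added example (not WSO2 code): session-id issuance/validation and a
BasicAuth parser, as discussed on the wso2 architecture thread.
Assumes TLS in front; names below are constructed for the example."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000        # constructed value; tune for the deployment
SESSION_TTL_SECONDS = 3600          # constructed value
SESSION_HEADER = "X-Session-Id"     # hypothetical header name


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the user store never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed demo user store: username -> (salt, digest)
_DEMO_SALT, _DEMO_DIGEST = hash_password("correct horse battery staple")
USERS: dict[str, tuple[bytes, bytes]] = {"ayesha": (_DEMO_SALT, _DEMO_DIGEST)}

# Server-side session store: token -> (username, expiry epoch seconds)
SESSIONS: dict[str, tuple[str, float]] = {}


def verify_password(username: str, password: str) -> bool:
    entry = USERS.get(username)
    if entry is None:
        # Do the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """The POST /authenticate step: valid credentials -> opaque session id."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)          # 256 bits, not derived from the user
    issued = now if now is not None else time.time()
    SESSIONS[token] = (username, issued + SESSION_TTL_SECONDS)
    return token


def validate_session(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """What every other endpoint runs: returns the username or None."""
    token = headers.get(SESSION_HEADER)
    if not token:
        return None
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if (now if now is not None else time.time()) >= expiry:
        SESSIONS.pop(token, None)              # expired: evict, do not accept
        return None
    return username


def basic_auth_header(username: str, password: str) -> dict:
    """Build the header a BasicAuth client sends on *every* request."""
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def parse_basic_auth(headers: dict) -> Optional[tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:pass)'; None if malformed."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if sep else None


def authenticate_basic(headers: dict) -> Optional[str]:
    """BasicAuth check: credentials are re-verified on each request."""
    creds = parse_basic_auth(headers)
    if creds is not None and verify_password(*creds):
        return creds[0]
    return None
```

The contrast the thread is making falls out of the two entry points: `authenticate_basic` needs the raw password on every call, so the client has to keep it somewhere, while `validate_session` only ever sees a random token that the server can expire or revoke. Moving from this session-id scheme to OAuth, as Chan's tomcat valve does, changes who issues the token and how it is validated, not the shape of the per-request check.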
