Support signed API requests
---------------------------

                 Key: WOOKIE-279
                 URL: https://issues.apache.org/jira/browse/WOOKIE-279
             Project: Wookie
          Issue Type: New Feature
          Components: Connection Framework, Server, Wookie REST API
            Reporter: Scott Wilson


The current REST API uses a very simple shared secret model for verifying 
messages from plugins/connectors, which is good for most cases but I think 
going forwards we need to support a more secure method.

My proposal for this is to use message signing based on OAuth, so that as well 
as an API Key, we also store an API Secret. The connector framework creates 
messages as normal, but will sign any messages sent to Wookie using the API 
Secret and a randomly generated Nonce. (i.e. messages will contain the API Key 
and Nonce, but not the API Secret)

Wookie can then authenticate the message by looking up the API Secret 
associated with the provided API Key, adding the Nonce, and verifying the 
message signature. 

This could be implemented using the standard net.oAuth package utilities rather 
than requiring a lot of new code; the main extensions would be:

- enhancements to the Connector Framework
- addition of an API_Secret property for the API Key class, and a Nonce cache 
(to prevent replay attacks)
- extension of WidgetKeyManager to generate and send the API Secret on 
registration of an API Key
- extension of WidgetKeyManager.isValidRequest() to check message signatures as 
well as validity of API Key

I would envisage this not being needed for the admin APIs, which are secured 
according to the servlet container configuration.

It's important that the details at the plugin end are handled by the connector 
framework rather than make plugin developers jump through more hoops - the only 
extra step should be having to paste in the API Secret when configuring a new 
plugin that uses the connection framework.
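
The sign-and-verify flow proposed above, sketched as an added example; it is not Wookie code and does not use the net.oAuth utilities. Assumptions: HMAC-SHA256 from the JDK as the signature method, a timestamp field (borrowed from OAuth 1.0) so the Nonce cache can expire entries, a signature over method and path only, and constructed sample key, secret and path.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SignedRequestDemo {                     // hypothetical class name
    static final long WINDOW_MS = 5 * 60 * 1000;     // assumed freshness window
    static final Map<String, String> SECRETS = new ConcurrentHashMap<>();   // API Key -> API Secret
    static final Map<String, Long> SEEN_NONCES = new ConcurrentHashMap<>(); // Nonce cache

    // Connector side: HMAC keyed with the API Secret; the secret itself is never sent.
    // A full scheme would also cover the request parameters, as OAuth's base string does.
    static String sign(String secret, String method, String path,
                       String apiKey, String nonce, long ts) throws Exception {
        String base = String.join("\n", method, path, apiKey, nonce, Long.toString(ts));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: look up the secret by API Key, recompute the signature,
    // compare in constant time, then reject any Nonce already seen.
    static boolean isValidRequest(String method, String path, String apiKey, String nonce,
                                  long ts, String signature, long now) throws Exception {
        String secret = SECRETS.get(apiKey);
        if (secret == null || signature == null || Math.abs(now - ts) > WINDOW_MS) return false;
        byte[] expected = sign(secret, method, path, apiKey, nonce, ts).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, signature.getBytes(StandardCharsets.UTF_8))) return false;
        // Entries older than the window can go: such requests already fail the timestamp check.
        SEEN_NONCES.values().removeIf(seenTs -> now - seenTs > WINDOW_MS);
        // putIfAbsent is atomic, so only the first request with this key and Nonce passes.
        return SEEN_NONCES.putIfAbsent(apiKey + ":" + nonce, ts) == null;
    }

    public static void main(String[] args) throws Exception {
        SECRETS.put("demo-key", "demo-secret");      // constructed sample credentials
        long now = System.currentTimeMillis();
        String sig = sign("demo-secret", "POST", "/api/example", "demo-key", "n-1", now);
        System.out.println(isValidRequest("POST", "/api/example", "demo-key", "n-1", now, sig, now)); // first use
        System.out.println(isValidRequest("POST", "/api/example", "demo-key", "n-1", now, sig, now)); // replayed
        System.out.println(isValidRequest("POST", "/api/other", "demo-key", "n-2", now, sig, now));   // altered path
    }
}
```

The Nonce is recorded only after the signature verifies, so unauthenticated requests cannot fill the cache.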
