[
https://issues.apache.org/jira/browse/WOOKIE-279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13144881#comment-13144881
]
Scott Wilson commented on WOOKIE-279:
-------------------------------------
I've experimented with this and it works quite nicely - I created a JQuery
plugin that can send oAuth-signed requests using regular $.ajax syntax, and
refactored authz into a servlet filter class.
It turns out that it makes even more sense to use this approach for the admin
APIs too, as we then don't have the issue of HTTP BASIC Authorization headers
being passed around in the wookie origin and shared with widgets.
> Support signed API requests
> ---------------------------
>
> Key: WOOKIE-279
> URL: https://issues.apache.org/jira/browse/WOOKIE-279
> Project: Wookie
> Issue Type: New Feature
> Components: Connection Framework, Server, Wookie REST API
> Reporter: Scott Wilson
>
> The current REST API uses a very simple shared secret model for verifying
> messages from plugins/connectors, which is good for most cases but I think
> going forwards we need to support a more secure method.
> My proposal for this is to use message signing based on oAuth, so that as
> well as an API Key, we also store an API Secret. The connector framework
> creates messages as normal, but will sign any messages sent to Wookie using
> the API Secret and a randomly generated Nonce. (i.e. messages will contain
> the API Key and Nonce, but not the API Secret)
> Wookie can then authenticate the message by looking up the API Secret
> associated with the provided API Key, adding the Nonce, and verifying the
> message signature.
> This could be implemented using the standard net.oAuth package utilities
> rather than requiring a lot of new code; the main extensions would be:
> - enhancements to the Connector Framework
> - addition of a API_Secret property for the API Key class, and a Nonce cache
> (to prevent replay attacks)
> - extension of WidgetKeyManager to generate and send the API Secret on
> registration of an API Key
> - extension of WidgetKeyManager.isValidRequest() to check message signatures
> as well as validity of API Key
> I would envisage this not being needed for the admin APIs, which is secured
> according to the servlet container configuration.
> Its important that the details at the plugin end are handled by the connector
> framework rather than make plugin developers jump through more hoops - the
> only extra step should be having to paste in the API Secret when configuring
> a new plugin that uses the connection framework.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
