[jira] [Commented] (WOOKIE-279) Support signed API requests

[Scott Wilson (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/WOOKIE-279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13240770#comment-13240770
 ] 

Scott Wilson commented on WOOKIE-279:
-------------------------------------

See also Tien's proposal for oAuth 2.0 MAC auth:

http://mail-archives.apache.org/mod_mbox/incubator-wookie-dev/201203.mbox/%3cda1b0d6e-e014-494c-a907-f7fc1bf7f...@fundp.ac.be%3E
                
> Support signed API requests
> ---------------------------
>
>                 Key: WOOKIE-279
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-279
>             Project: Wookie
>          Issue Type: New Feature
>          Components: Connection Framework, Server, Wookie REST API
>            Reporter: Scott Wilson
>         Attachments: HttpRequestMessage.java, OAuthAuthorizationFilter.java
>
>
> The current REST API uses a very simple shared secret model for verifying 
> messages from plugins/connectors, which is good for most cases but I think 
> going forwards we need to support a more secure method.
> My proposal for this is to use message signing based on oAuth, so that as 
> well as an API Key, we also store an API Secret. The connector framework 
> creates messages as normal, but will sign any messages sent to Wookie using 
> the API Secret and a randomly generated Nonce. (i.e. messages will contain 
> the API Key and Nonce, but not the API Secret)
> Wookie can then authenticate the message by looking up the API Secret 
> associated with the provided API Key, adding the Nonce, and verifying the 
> message signature. 
> This could be implemented using the standard net.oAuth package utilities 
> rather than requiring a lot of new code; the main extensions would be:
> - enhancements to the Connector Framework
> - addition of a API_Secret property for the API Key class, and a Nonce cache 
> (to prevent replay attacks)
> - extension of WidgetKeyManager to generate and send the API Secret on 
> registration of an API Key
> - extension of WidgetKeyManager.isValidRequest() to check message signatures 
> as well as validity of API Key
> I would envisage this not being needed for the admin APIs, which is secured 
> according to the servlet container configuration.
> Its important that the details at the plugin end are handled by the connector 
> framework rather than make plugin developers jump through more hoops - the 
> only extra step should be having to paste in the API Secret when configuring 
> a new plugin that uses the connection framework.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira