I am also -1 to that but not sure whether there is a solution if the point 1) is not fulfilling with the use of API manger APIs. Have to check this with API manager team. I just have proposed a work around by looking at AppFactory.
On Sat, May 31, 2014 at 12:52 AM, Chan <duli...@wso2.com> wrote: > -1 for keeping passwords in files. They are evil cause people will change > them from UI and behavior is unpredictable. Best is to authenticate with > the identity token we have to the APIM. I am not sure whether APIM supports > authenticating with SAML token? > > > On Fri, May 30, 2014 at 11:30 AM, Dilshan Edirisuriya <dils...@wso2.com> > wrote: > >> Hi, >> >> This is related to the API manager integration with EMM. To describe more >> on the usecase we are trying to protect some of the EMM APIs (for now only >> Android) using API manager. For this we have included the API manager >> features to EMM pack along with the publisher and API store Jaggery apps. >> >> We have discussed 2 approaches on this in Dev [1] other than the approach >> discussed in [2]. After discussing with Shan we are going ahead with the >> approach 1 which is discussed in thread [1]. Which is to have one consumer >> key and consumer secret for super tenant space and make it available for >> all other tenant. So at any time an EMM server instance will only contain >> one consumer key and a consumer secret. >> >> While progressing in the development I have faced some issues. Which >> needs to be clearly defined and addressed. >> >> Since above APIs are Android related these should be published and >> subscribed in advance. What I was asked to do is to automatically publish >> and subscribe APIs into the API manager. After disusing with Sumedha we >> thought of doing it using API manager REST api. >> >> In order to publish I went through the publisher APIs which appear in API >> manager doc[3]. This requires login to the system in advance. I looked in >> to the API manager code on this. As an example if you look at add publisher >> API at location publisher/site/blocks/item-add/ajax/add.jag this has a >> validation to check the current user (session.get("logged.user")). So it >> fails from this point. I see following issues on this. >> >> 1) API manager does not accept a SAML token hence we need to call the >> login url first to get a valid session in API publisher. Is there any way >> we can achieve this? >> >> 2) If we are to call the login API of API manager we should keep the >> username or password in some place like configuration file. I know >> AppFactory do this where they keep admin credentials in appfactory.xml for >> the purpose of WSRequests. Is it ok to follow something like this? >> >> 3) If we keep username and password in a configuration file it should be >> super admin credentials since we need to publish/subscribe using that >> account to be available for all other users. What if someone change the >> credentials from carbon console before logging into EMM? >> >> 4) Not sure whether there is Jaggery listeners for context initialization >> as in servlet spec (I know they have implemented listeners for session >> though). Otherwise have to publish/subscribe these at first time login >> which is bit non standard way of doing things. >> >> 5) Since we have one consumer key and secret if it is compromised how do >> we revoke it? How does mobile apps adhere to this change since it stores >> these in sandbox securely at the first time. I believe dynamic consumer >> key/secret generation minimize this issue and it affect only to minimal set >> of devices rather than all the devices in the system. >> >> Let me know your thoughts on these. >> >> >> [1] - [Dev]Securing the APIs on EMM in multi tenant environment >> [2] - [Dev]EMM OAuth Implementation - Android - Storing Consumer Secret >> [3] - https://docs.wso2.org/display/AM170/Publisher+APIs >> >> >> Regards, >> >> Dilshan >> >> -- >> Dilshan Edirisuriya >> Senior Software Engineer - WSO2 >> Mob: + 94 777878905 >> http://wso2.com/ >> >> _______________________________________________ >> Architecture mailing list >> Architecture@wso2.org >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > > -- > Chan (Dulitha Wijewantha) > Software Engineer - Mobile Development > WSO2Mobile > Lean.Enterprise.Mobileware > * ~Email duli...@wso2.com <duli...@wso2mobile.com>* > * ~Mobile +94712112165 <%2B94712112165>* > * ~Website dulitha.me <http://dulitha.me>* > * ~Twitter @dulitharw <https://twitter.com/dulitharw>* > *~Github @dulichan <https://github.com/dulichan>* > *~SO @chan <http://stackoverflow.com/users/813471/chan>* > > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- Dilshan Edirisuriya Senior Software Engineer - WSO2 Mob: + 94 777878905 http://wso2.com/
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture