I believe this is a perfect example of the API Everywhere concept. In EMM, some APIs are exposed to the devices with this concept. Basically a Tomcat valve validates the security tokens; the security protocol used here is OAuth.
Another question I have on the BackOffice API is whether this is the same API used by the Publisher App itself?

Cheers~

On Fri, Oct 17, 2014 at 11:28 AM, Danushka Fernando <danush...@wso2.com> wrote:

> IMO storing username and password is not the recommended way. So +1 for OAuth security. Maybe we can have both OAuth and basic auth if needed. But if these endpoints are for third-party developers who will write some client code using it, I think OAuth is the best way.
>
> Thanks & Regards
> Danushka Fernando
> Software Engineer
> WSO2 Inc. http://wso2.com/
> Mobile : +94716332729
>
> On Fri, Oct 17, 2014 at 10:17 AM, Dulanja Liyanage <dula...@wso2.com> wrote:
>
>> Hi,
>>
>> The API can be secured using either BasicAuth or OAuth. The WSO2 IS SCIM endpoint is one example.
>>
>> If BasicAuth is used, the client side might have to store the username/password.
>>
>> If OAuth is used, and the API is accessed via a browser, the user can be redirected to the authorization server to get authenticated, which removes the risk of having user credentials at the client side.
>>
>> Either way, SSL should be used to avoid man-in-the-middle attacks.
>>
>> Hope this helps.
>>
>> Thanks
>> Dulanja
>>
>> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> I have implemented the ES Publisher REST API in order to access and perform CRUD operations on ES BackOffice.
>>>
>>> Each endpoint is authenticated by a valid Session-ID, passed to the endpoint in a request header.
>>>
>>> In order to obtain a session-ID we have implemented a separate authenticate REST endpoint. A user can send username and password in a POST request to this endpoint, and if the credentials are valid a session-ID will be returned.
>>>
>>> Currently, no encryption or other (basic-auth/OAuth) authorization mechanism is implemented yet.
>>>
>>> What would be the lightweight and best way to secure this 'authentication' endpoint? Is there a particular WSO2 way of doing this?
>>>
>>> Thanks!
>>> - Ayesha
>>>
>>> --
>>> Ayesha Dissanayaka
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: aye...@wso2.com
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> Dulanja Liyanage
>> WSO2 Inc.
>> M: +94776764717

--
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2 Inc
Lean.Enterprise.Mobileware
~Email duli...@wso2.com
~Mobile +94712112165
~Website dulitha.me <http://dulitha.me>
~Twitter @dulitharw <https://twitter.com/dulitharw>
~Github @dulichan <https://github.com/dulichan>
~SO @chan <http://stackoverflow.com/users/813471/chan>
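The design the thread converges on (a credentials-only authenticate endpoint that hands back an opaque token, every other endpoint fronted by a filter or "valve" that checks that token, and TLS in front of everything) can be shown in a few dozen lines. The following is an added example written for this page; it is not WSO2 ES or EMM code and does not use any WSO2 API. The user store, the password, the token lifetime and the `X-Forwarded-Proto` check (which assumes a TLS-terminating proxy sets that header) are all constructed assumptions. It keeps Ayesha's token-in-header shape but stores only password hashes and token hashes server-side, so neither the client nor a leaked token table holds the password or a usable token.

```python
"""Added example (not WSO2 code): a token-issuing authenticate endpoint plus the
request filter ('valve') that guards the other endpoints."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 900  # constructed: 15-minute token lifetime


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never keeps the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, password hash). One sample user.
_SALT = b"constructed-static-salt!"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "ayesha": (_SALT, _hash_password("correct horse", _SALT)),
}

# Server-side token table keyed by the SHA-256 of the token, not the token
# itself, so a dump of this table cannot be replayed against the API.
TOKENS: Dict[str, Tuple[str, float]] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """POST /authenticate: verify credentials and return an opaque bearer token.

    Returns None on failure. The client keeps only the token afterwards, which is
    the point the thread makes against storing username/password client-side."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, _SALT)
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    TOKENS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def validate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """The 'valve': run before every protected endpoint.

    Returns the authenticated username, or None when the caller should answer
    401. Requests that reached us over plain HTTP (as reported by a constructed
    X-Forwarded-Proto header from a TLS-terminating proxy) are refused outright,
    matching the thread's 'SSL should be used' advice."""
    now = time.time() if now is None else now
    if headers.get("X-Forwarded-Proto", "https").lower() != "https":
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    entry = TOKENS.get(_token_key(token))
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        TOKENS.pop(_token_key(token), None)  # expired: discard, never extend
        return None
    return username


if __name__ == "__main__":
    tok = authenticate("ayesha", "correct horse")
    print("token issued:", tok is not None)
    print("valve accepts:", validate_request({"Authorization": f"Bearer {tok}"}))
    print("valve rejects plain HTTP:",
          validate_request({"Authorization": f"Bearer {tok}", "X-Forwarded-Proto": "http"}))
```

The `now` parameter exists so expiry can be exercised deterministically; in a real deployment it is left at its default. Swapping the in-memory table for an OAuth introspection call, as Dulitha's valve does, changes only the body of `validate_request`; the endpoints behind it stay unchanged.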