Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-04 Thread Anjana Fernando
On Wed, Feb 4, 2015 at 5:15 AM, Prabath Siriwardena 
wrote:

> If you say Basic Auth is easy - then there is no difference in using OAuth
> too:-)
>
> Basically the resource owner credentials grant type was introduced in
> OAuth to migrate clients from Basic/Digest authentication into OAuth...
>
> By looking at the use case - it's clearly something to do with access
> delegation. One server needs to access a resource (API) on behalf of another
> user.. it's clearly something to do with OAuth.
>

Yes, that's true :) .. guess the simple username/password scenario also can
be covered with OAuth, if the requirement comes.

Cheers,
Anjana.


>
> Thanks & regards,
> -Prabath
>
>
> On Tue, Feb 3, 2015 at 3:21 AM, Anjana Fernando  wrote:
>
>> Yes, I guess, we should anyway give the ability for users to use the API
>> with something simple like basic auth (if it makes sense for a specific
>> scenario), and then also support something like OAuth for other scenarios,
>> like here, we are talking about, internally using it from our dashboards
>> etc.. for accessing the backend APIs.
>>
>> Cheers,
>> Anjana.
>>
>> On Tue, Feb 3, 2015 at 4:44 PM, Isabelle Mauny  wrote:
>>
>>> All,
>>>
>>> Who is going to use those REST APIs ? And from where ? While I agree
>>> with all the discussion about making the APIs secure, it's kind of
>>> pointless without a usage context.
>>> Generating/managing an OAuth token is not easy from the client side, if
>>> the REST APIs are used from a script for example, OAuth might not be
>>> optimal. Would the APIs be exposed externally for any reason ( to the
>>> general public ? ) - We had that problem with G-Reg before, with users
>>> incapable of integrating with G-Reg due to the requirement of an OAuth token.
>>> Shouldn't we leave people a choice ?
>>>
>>> Isabelle.
>>> __
>>>
>>>
>>> *Isabelle Mauny*, VP, Product Management; WSO2, Inc.; http://wso2.com/
>>>
>>> On Feb 3, 2015, at 11:53 AM, Manuranga Perera  wrote:
>>>
>>> Hi Johann,
>>> so if a user is logged in using SAML, is there a way we can call an OAuth2
>>> API from the front-end JS (via REST) directly without going through a proxy?
>>>
>>> On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby 
>>> wrote:
>>>
 The discussion is about how to secure APIs, and OAuth2 is the popular
 choice here.

 How to do SSO to the web front end is a separate question and OpenID
 Connect can be one possibility. Like others have mentioned in this thread
 above, there can be other ways to login to the web front end, e.g. SAML2
 SSO, username/password, etc. Depending on the login mechanism there are
 other grant types you may be able to use to secure APIs using OAuth2 such
 as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.

 OpenID Connect might be the ideal choice, but right now the limitation
 we have with OpenID Connect is that we don't support the session management
 protocol which is required for single logout.

 On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:

> Hi Johann,
>
> As I understand (from Dulanja) we need OpenID Connect [1] to fully
> integrate with the web front end, so we can keep the token in the front end (in
> JS) and do the call using REST. Isn't that the way to go?
>
> [1] http://openid.net/connect/
>



 --
 Thanks & Regards,

 *Johann Dilantha Nallathamby*
 Associate Technical Lead & Product Lead of WSO2 Identity Server
 Integration Technologies Team
 WSO2, Inc.
 lean.enterprise.middleware

 Mobile - *+9476950*
 Blog - *http://nallaa.wordpress.com *

>>>
>>>
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : m...@wso2.com
>>>  ___
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>>
>>> ___
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> *Anjana Fernando*
>> Senior Technical Lead
>> WSO2 Inc. | http://wso2.com
>> lean . enterprise . middleware
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
*Anjana Fernando*
Senior Technical Lead
WSO2 Inc. | http://wso2.com
lean . enterp

Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Prabath Siriwardena
If you say Basic Auth is easy - then there is no difference in using OAuth
too:-)

Basically the resource owner credentials grant type was introduced in OAuth
to migrate clients from Basic/Digest authentication into OAuth...

By looking at the use case - it's clearly something to do with access
delegation. One server needs to access a resource (API) on behalf of another
user.. it's clearly something to do with OAuth.

Thanks & regards,
-Prabath


On Tue, Feb 3, 2015 at 3:21 AM, Anjana Fernando  wrote:

> Yes, I guess, we should anyway give the ability for users to use the API
> with something simple like basic auth (if it makes sense for a specific
> scenario), and then also support something like OAuth for other scenarios,
> like here, we are talking about, internally using it from our dashboards
> etc.. for accessing the backend APIs.
>
> Cheers,
> Anjana.
>
> On Tue, Feb 3, 2015 at 4:44 PM, Isabelle Mauny  wrote:
>
>> All,
>>
>> Who is going to use those REST APIs ? And from where ? While I agree with
>> all the discussion about making the APIs secure, it's kind of pointless
>> without a usage context.
>> Generating/managing an OAuth token is not easy from the client side, if
>> the REST APIs are used from a script for example, OAuth might not be
>> optimal. Would the APIs be exposed externally for any reason ( to the
>> general public ? ) - We had that problem with G-Reg before, with users
>> incapable of integrating with G-Reg due to the requirement of an OAuth token.
>> Shouldn't we leave people a choice ?
>>
>> Isabelle.
>> __
>>
>>
>> *Isabelle Mauny*, VP, Product Management; WSO2, Inc.; http://wso2.com/
>>
>> On Feb 3, 2015, at 11:53 AM, Manuranga Perera  wrote:
>>
>> Hi Johann,
>> so if a user is logged in using SAML, is there a way we can call an OAuth2 API
>> from the front-end JS (via REST) directly without going through a proxy?
>>
>> On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby 
>> wrote:
>>
>>> The discussion is about how to secure APIs, and OAuth2 is the popular
>>> choice here.
>>>
>>> How to do SSO to the web front end is a separate question and OpenID
>>> Connect can be one possibility. Like others have mentioned in this thread
>>> above, there can be other ways to login to the web front end, e.g. SAML2
>>> SSO, username/password, etc. Depending on the login mechanism there are
>>> other grant types you may be able to use to secure APIs using OAuth2 such
>>> as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.
>>>
>>> OpenID Connect might be the ideal choice, but right now the limitation
>>> we have with OpenID Connect is that we don't support the session management
>>> protocol which is required for single logout.
>>>
>>> On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:
>>>
 Hi Johann,

 As I understand (from Dulanja) we need OpenID Connect [1] to fully
 integrate with the web front end, so we can keep the token in the front end (in JS)
 and do the call using REST. Isn't that the way to go?

 [1] http://openid.net/connect/

>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>>> Integration Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com *
>>>
>>
>>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : m...@wso2.com
>>  ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> *Anjana Fernando*
> Senior Technical Lead
> WSO2 Inc. | http://wso2.com
> lean . enterprise . middleware
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://blog.facilelogin.com
http://blog.api-security.org
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Anjana Fernando
Yes, I guess, we should anyway give the ability for users to use the API
with something simple like basic auth (if it makes sense for a specific
scenario), and then also support something like OAuth for other scenarios,
like here, we are talking about, internally using it from our dashboards
etc.. for accessing the backend APIs.

Cheers,
Anjana.

On Tue, Feb 3, 2015 at 4:44 PM, Isabelle Mauny  wrote:

> All,
>
> Who is going to use those REST APIs ? And from where ? While I agree with
> all the discussion about making the APIs secure, it's kind of pointless
> without a usage context.
> Generating/managing an OAuth token is not easy from the client side, if
> the REST APIs are used from a script for example, OAuth might not be
> optimal. Would the APIs be exposed externally for any reason ( to the
> general public ? ) - We had that problem with G-Reg before, with users
> incapable of integrating with G-Reg due to the requirement of an OAuth token.
> Shouldn't we leave people a choice ?
>
> Isabelle.
> __
>
>
> *Isabelle Mauny*, VP, Product Management; WSO2, Inc.; http://wso2.com/
>
> On Feb 3, 2015, at 11:53 AM, Manuranga Perera  wrote:
>
> Hi Johann,
> so if a user is logged in using SAML, is there a way we can call an OAuth2 API
> from the front-end JS (via REST) directly without going through a proxy?
>
> On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby 
> wrote:
>
>> The discussion is about how to secure APIs, and OAuth2 is the popular
>> choice here.
>>
>> How to do SSO to the web front end is a separate question and OpenID
>> Connect can be one possibility. Like others have mentioned in this thread
>> above, there can be other ways to login to the web front end, e.g. SAML2
>> SSO, username/password, etc. Depending on the login mechanism there are
>> other grant types you may be able to use to secure APIs using OAuth2 such
>> as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.
>>
>> OpenID Connect might be the ideal choice, but right now the limitation we
>> have with OpenID Connect is that we don't support the session management
>> protocol which is required for single logout.
>>
>> On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:
>>
>>> Hi Johann,
>>>
>>> As I understand (from Dulanja) we need OpenID Connect [1] to fully
>>> integrate with the web front end, so we can keep the token in the front end (in JS)
>>> and do the call using REST. Isn't that the way to go?
>>>
>>> [1] http://openid.net/connect/
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>> Integration Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com *
>>
>
>
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com
>  ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
*Anjana Fernando*
Senior Technical Lead
WSO2 Inc. | http://wso2.com
lean . enterprise . middleware
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Isabelle Mauny
All,

Who is going to use those REST APIs ? And from where ? While I agree with all 
the discussion about making the APIs secure, it's kind of pointless without a 
usage context.
Generating/managing an OAuth token is not easy from the client side, if the 
REST APIs are used from a script for example, OAuth might not be optimal. Would 
the APIs be exposed externally for any reason ( to the general public ? ) - We 
had that problem with G-Reg before, with users incapable of integrating with
G-Reg due to the requirement of an OAuth token. Shouldn't we leave people a
choice ? 

Isabelle.
__

Isabelle Mauny
VP, Product Management; WSO2, Inc.;  http://wso2.com/

On Feb 3, 2015, at 11:53 AM, Manuranga Perera  wrote:

> Hi Johann,
> so if a user is logged in using SAML, is there a way we can call an OAuth2 API
> from the front-end JS (via REST) directly without going through a proxy?
> 
> On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby  wrote:
> The discussion is about how to secure APIs, and OAuth2 is the popular choice 
> here.
> 
> How to do SSO to the web front end is a separate question and OpenID Connect 
> can be one possibility. Like others have mentioned in this thread above, 
> there can be other ways to login to the web front end, e.g. SAML2 SSO, 
> username/password, etc. Depending on the login mechanism there are other 
> grant types you may be able to use to secure APIs using OAuth2 such as SAML2 
> Bearer, Resource Owner Password, self-issued tokens, etc.
> 
> OpenID Connect might be the ideal choice, but right now the limitation we 
> have with OpenID Connect is that we don't support the session management 
> protocol which is required for single logout.
> 
> On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:
> Hi Johann,
> 
> As I understand (from Dulanja) we need OpenID Connect [1] to fully integrate
> with the web front end, so we can keep the token in the front end (in JS) and do the
> call using REST. Isn't that the way to go?
> 
> 
> [1] http://openid.net/connect/
> 
> 
> 
> -- 
> Thanks & Regards,
> 
> Johann Dilantha Nallathamby
> Associate Technical Lead & Product Lead of WSO2 Identity Server
> Integration Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
> 
> Mobile - +9476950
> Blog - http://nallaa.wordpress.com
> 
> 
> 
> -- 
> With regards,
> Manuranga Perera.
> 
> phone : 071 7 70 20 50
> mail : m...@wso2.com
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Manuranga Perera
Hi Johann,
so if a user is logged in using SAML, is there a way we can call an OAuth2 API
from the front-end JS (via REST) directly without going through a proxy?

On Tue, Feb 3, 2015 at 11:22 PM, Johann Nallathamby  wrote:

> The discussion is about how to secure APIs, and OAuth2 is the popular
> choice here.
>
> How to do SSO to the web front end is a separate question and OpenID
> Connect can be one possibility. Like others have mentioned in this thread
> above, there can be other ways to login to the web front end, e.g. SAML2
> SSO, username/password, etc. Depending on the login mechanism there are
> other grant types you may be able to use to secure APIs using OAuth2 such
> as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.
>
> OpenID Connect might be the ideal choice, but right now the limitation we
> have with OpenID Connect is that we don't support the session management
> protocol which is required for single logout.
>
> On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:
>
>> Hi Johann,
>>
>> As I understand (from Dulanja) we need OpenID Connect [1] to fully
>> integrate with the web front end, so we can keep the token in the front end (in JS)
>> and do the call using REST. Isn't that the way to go?
>>
>> [1] http://openid.net/connect/
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Associate Technical Lead & Product Lead of WSO2 Identity Server
> Integration Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>



-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Johann Nallathamby
The discussion is about how to secure APIs, and OAuth2 is the popular
choice here.

How to do SSO to the web front end is a separate question and OpenID
Connect can be one possibility. Like others have mentioned in this thread
above, there can be other ways to login to the web front end, e.g. SAML2
SSO, username/password, etc. Depending on the login mechanism there are
other grant types you may be able to use to secure APIs using OAuth2 such
as SAML2 Bearer, Resource Owner Password, self-issued tokens, etc.

OpenID Connect might be the ideal choice, but right now the limitation we
have with OpenID Connect is that we don't support the session management
protocol which is required for single logout.

On Tue, Feb 3, 2015 at 5:18 AM, Manuranga Perera  wrote:

> Hi Johann,
>
> As I understand (from Dulanja) we need OpenID Connect [1] to fully
> integrate with the web front end, so we can keep the token in the front end (in JS)
> and do the call using REST. Isn't that the way to go?
>
> [1] http://openid.net/connect/
>



-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Associate Technical Lead & Product Lead of WSO2 Identity Server
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+9476950*
Blog - *http://nallaa.wordpress.com *
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-02 Thread Manuranga Perera
Hi Johann,

As I understand (from Dulanja) we need OpenID Connect [1] to fully
integrate with the web front end, so we can keep the token in the front end (in JS)
and do the call using REST. Isn't that the way to go?

[1] http://openid.net/connect/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-02 Thread Harshan Liyanage
+1 for using OAuth security for the APIs. Can't you guys use the API
everywhere concept in this use-case? So that you can simply have the OAuth
security for APIs.

Best Regards,

Lakshitha Harshan
Software Engineer
Mobile: *+94724423048*
Email: hars...@wso2.com
Blog : http://harshanliyanage.blogspot.com/
*WSO2, Inc. :** wso2.com *
lean.enterprise.middleware.

On Sun, Feb 1, 2015 at 7:30 AM, Maninda Edirisooriya 
wrote:

>
> +1 for OAuth and IMO in future we should move all authorization in admin
> services to OAuth throughout the Carbon. It will be definitely possible
> when we are moving from SOAP to REST with Carbon 5.
>
> On Wed, Jan 28, 2015 at 6:03 PM, Prabath Siriwardena 
> wrote:
>
>> +1 for using OAuth..
>>
>> Please also think of the cost of maintaining and provisioning keys
>> between servers in a clustered setup and the requirement of having an OAuth
>> authorization server.
>>
>> Please see the approach suggested here [1]: self-issued & self-contained
>> access tokens. This approach reduces almost all the overhead.
>>
>> [1]: http://blog.facilelogin.com/2014/10/self-issued-access-tokens.html
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>>
>> On Wed, Jan 28, 2015 at 1:16 AM, Johann Nallathamby 
>> wrote:
>>
>>>
>>>
>>> On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando 
>>> wrote:
>>>
 Hi,

 I guess our admin services are also accessible via basic auth, isn't
 it? .. We just thought, as a convenience method for the end user, they can
 use their username/password to access our API if required. So basically, if
 using OAuth, other than using SAML2 bearer token grant type or anything
 similar, is it possible to use the login username/password to our dashboard
 UI to generate the access token with resource owner credentials grant type
 maybe? ..

>>>
>>> This is also possible. But the access token has a finite expiry time.
>>> And it is not related to the browser session / not a moving window. So once
>>> it expires you must use the refresh token to get another access token. So
>>> this way user can login once and keep using APIs until they logout. Once
>>> they logout the access token can be revoked.
>>>
>>> Securing APIs with Basic Auth is also currently widely used. But it
>>> doesn't provide any advantage over OAuth2. So for future we should stick to
>>> OAuth2 only.
>>>
>>> For the validation of the OAuth2 token we should have a tomcat valve so
>>> that it can secure REST as well as SOAP services. I don't think we have
>>> written one all this time. Gihan if you are doing this can you sync up with
>>> IS team and lets finalize.
>>>
>>>
>>> Thanks,
>>> Johann.
>>>

 Cheers,
 Anjana.

 On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga  wrote:

> Hi Gihan,
>
> IMO using basic auth will make it vulnerable to DoS attacks and less
> secure. So you need to think this through.
>
> There is a possibility of authenticating already logged in users via
> the cookie data. But we will need to write a new cookie based oauth grant
> type for this. AFAIK we don't have such a grant type yet (Correct me if 
> I'm
> wrong).
>
> On your latest note I think you can use the SAML2 grant type [0].
>
> [0]
> https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)
>
> thanks,
>
> On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha 
> wrote:
>
>> No. We thought it might be convenient for the end user if we provide
>> basic auth capabilities. We will integrate OAuth functionalities for our
>> REST APIs.
>>
>> Regarding our requirement,  We have multiple dashboards that validate
>> the user through single login page. How can we do the backend API
>> communication?
>>
>> Regards,
>> Gihan
>>
>> On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe <
>> sume...@wso2.com> wrote:
>>
>>> Any particular reason for securing product APIs using Basic Auth?
>>>
>>> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>>>
>>> On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha 
>>> wrote:
>>>
 Hi All,

 We are going to use a set of REST APIs [1] to communicate with the
 data layer. Basically, we are securing these REST APIs with basic
 auth. But we wanted to communicate with these REST APIs with an already
 logged in user as well. The reason is we have a plan to use these REST APIs in our
 Message console dashboard and we want to have an SSO kind of login
 solution for these dashboards without any individual login pages.

 So is it possible to use the existing HTTP session cookie to
 authenticate REST API calls, or do we have to use OAuth with some specific
 grant types?

 Appreciate your inputs here.

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-31 Thread Maninda Edirisooriya
+1 for OAuth and IMO in future we should move all authorization in admin
services to OAuth throughout the Carbon. It will be definitely possible
when we are moving from SOAP to REST with Carbon 5.

On Wed, Jan 28, 2015 at 6:03 PM, Prabath Siriwardena 
wrote:

> +1 for using OAuth..
>
> Please also think of the cost of maintaining and provisioning keys between
> servers in a clustered setup and the requirement of having an OAuth
> authorization server.
>
> Please see the approach suggested here [1]: self-issued & self-contained
> access tokens. This approach reduces almost all the overhead.
>
> [1]: http://blog.facilelogin.com/2014/10/self-issued-access-tokens.html
>
> Thanks & regards,
> -Prabath
>
>
>
> On Wed, Jan 28, 2015 at 1:16 AM, Johann Nallathamby 
> wrote:
>
>>
>>
>> On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando  wrote:
>>
>>> Hi,
>>>
>>> I guess our admin services are also accessible via basic auth, isn't it?
>>> .. We just thought, as a convenience method for the end user, they can use
>>> their username/password to access our API if required. So basically, if
>>> using OAuth, other than using SAML2 bearer token grant type or anything
>>> similar, is it possible to use the login username/password to our dashboard
>>> UI to generate the access token with resource owner credentials grant type
>>> maybe? ..
>>>
>>
>> This is also possible. But the access token has a finite expiry time.
>> And it is not related to the browser session / not a moving window. So once
>> it expires you must use the refresh token to get another access token. So
>> this way user can login once and keep using APIs until they logout. Once
>> they logout the access token can be revoked.
>>
>> Securing APIs with Basic Auth is also currently widely used. But it
>> doesn't provide any advantage over OAuth2. So for future we should stick to
>> OAuth2 only.
>>
>> For the validation of the OAuth2 token we should have a tomcat valve so
>> that it can secure REST as well as SOAP services. I don't think we have
>> written one all this time. Gihan if you are doing this can you sync up with
>> IS team and lets finalize.
>>
>>
>> Thanks,
>> Johann.
>>
>>>
>>> Cheers,
>>> Anjana.
>>>
>>> On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga  wrote:
>>>
 Hi Gihan,

 IMO using basic auth will make it vulnerable to DoS attacks and less
 secure. So you need to think this through.

 There is a possibility of authenticating already logged in users via
 the cookie data. But we will need to write a new cookie based oauth grant
 type for this. AFAIK we don't have such a grant type yet (Correct me if I'm
 wrong).

 On your latest note I think you can use the SAML2 grant type [0].

 [0]
 https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)

 thanks,

 On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha 
 wrote:

> No. We thought it might be convenient for the end user if we provide
> basic auth capabilities. We will integrate OAuth functionalities for our
> REST APIs.
>
> Regarding our requirement,  We have multiple dashboards that validate
> the user through single login page. How can we do the backend API
> communication?
>
> Regards,
> Gihan
>
> On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe  > wrote:
>
>> Any particular reason for securing product APIs using Basic Auth?
>>
>> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>>
>> On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha 
>> wrote:
>>
>>> Hi All,
>>>
>>> We are going to use a set of REST APIs [1] to communicate with the
>>> data layer. Basically, we are securing these REST APIs with basic
>>> auth. But we wanted to communicate with these REST APIs with an already
>>> logged in user as well. The reason is we have a plan to use these REST APIs in our
>>> Message console dashboard and we want to have an SSO kind of login
>>> solution for these dashboards without any individual login pages.
>>>
>>> So is it possible to use the existing HTTP session cookie to
>>> authenticate REST API calls, or do we have to use OAuth with some specific
>>> grant types?
>>>
>>> Appreciate your inputs here.
>>>
>>>
>>>
>>> ​[1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService /
>>> Indexing / Search
>>> --
>>> W.G. Gihan Anuruddha
>>> Senior Software Engineer | WSO2, Inc.
>>> M: +94772272595
>>>
>>
>>
>>
>> --
>> /sumedha
>> m: +94 773017743
>> b :  bit.ly/sumedha
>>
>
>
>
> --
> W.G. Gihan Anuruddha
> Senior Software Engineer | WSO2, Inc.
> M: +94772272595
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-28 Thread Prabath Siriwardena
+1 for using OAuth..

Please also think of the cost of maintaining and provisioning keys between
servers in a clustered setup and the requirement of having an OAuth
authorization server.

Please see the approach suggested here [1]: self-issued & self-contained
access tokens. This approach reduces almost all the overhead.

[1]: http://blog.facilelogin.com/2014/10/self-issued-access-tokens.html

Thanks & regards,
-Prabath



On Wed, Jan 28, 2015 at 1:16 AM, Johann Nallathamby  wrote:

>
>
> On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando  wrote:
>
>> Hi,
>>
>> I guess our admin services are also accessible via basic auth, isn't it?
>> .. We just thought, as a convenience method for the end user, they can use
>> their username/password to access our API if required. So basically, if
>> using OAuth, other than using SAML2 bearer token grant type or anything
>> similar, is it possible to use the login username/password to our dashboard
>> UI to generate the access token with resource owner credentials grant type
>> maybe? ..
>>
>
> This is also possible. But the access token has a finite expiry time. And
> it is not related to the browser session / not a moving window. So once it
> expires you must use the refresh token to get another access token. So this
> way user can login once and keep using APIs until they logout. Once they
> logout the access token can be revoked.
>
> Securing APIs with Basic Auth is also currently widely used. But it
> doesn't provide any advantage over OAuth2. So for future we should stick to
> OAuth2 only.
>
> For the validation of the OAuth2 token we should have a tomcat valve so
> that it can secure REST as well as SOAP services. I don't think we have
> written one all this time. Gihan if you are doing this can you sync up with
> IS team and lets finalize.
>
>
> Thanks,
> Johann.
>
>>
>> Cheers,
>> Anjana.
>>
>> On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga  wrote:
>>
>>> Hi Gihan,
>>>
>>> IMO using basic auth will make it vulnerable to DoS attacks and less
>>> secure. So you need to think this through.
>>>
>>> There is a possibility of authenticating already logged in users via the
>>> cookie data. But we will need to write a new cookie based oauth grant type
>>> for this. AFAIK we don't have such a grant type yet (Correct me if I'm
>>> wrong).
>>>
>>> On your latest note I think you can use the SAML2 grant type [0].
>>>
>>> [0]
>>> https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)
>>>
>>> thanks,
>>>
>>> On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha  wrote:
>>>
 No. We thought it might be convenient for the end user if we provide
 basic auth capabilities. We will integrate OAuth functionalities for our
 REST APIs.

 Regarding our requirement,  We have multiple dashboards that validate
 the user through single login page. How can we do the backend API
 communication?

 Regards,
 Gihan

 On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe 
 wrote:

> Any particular reason for securing product APIs using Basic Auth?
>
> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>
> On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha 
> wrote:
>
>> Hi All,
>>
>> We are going to use a set of REST APIs [1] to communicate with the
>> data layer. Basically, we are securing these REST APIs with basic
>> auth. But we wanted to communicate with these REST APIs with an already
>> logged in user as well. The reason is we have a plan to use these REST APIs in our
>> Message console dashboard and we want to have an SSO kind of login
>> solution for these dashboards without any individual login pages.
>>
>> So is it possible to use existing HTTP session cookie and
>> authenticate REST API calls or do we have to use OAuth with some specific
>> grant types?
>>
>> Appreciate your inputs here?
>>
>>
>>
>> ​[1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService /
>> Indexing / Search
>> --
>> W.G. Gihan Anuruddha
>> Senior Software Engineer | WSO2, Inc.
>> M: +94772272595
>>
>
>
>
> --
> /sumedha
> m: +94 773017743
> b :  bit.ly/sumedha
>



 --
 W.G. Gihan Anuruddha
 Senior Software Engineer | WSO2, Inc.
 M: +94772272595

 ___
 Architecture mailing list
 Architecture@wso2.org
 https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


>>>
>>>
>>> --
>>> Supun Malinga,
>>>
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>> http://wso2.com
>>> email: sup...@wso2.com 
>>> mobile: +94 (0)71 56 91 321
>>>
>>> ___
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> *Anjana Fernan

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-28 Thread Johann Nallathamby
On Tue, Jan 27, 2015 at 3:17 PM, Anjana Fernando  wrote:

> Hi,
>
> I guess our admin services are also accessible via basic auth, isn't it?
> .. We just thought, as a convenience method for the end user, they can use
> their username/password to access our API if required. So basically, if
> using OAuth, other than using SAML2 bearer token grant type or anything
> similar, is it possible to use the login username/password to our dashboard
> UI to generate the access token with resource owner credentials grant type
> maybe? ..
>

This is also possible. But the access token has a finite expiry time, and
it is not related to the browser session / not a moving window. So once it
expires you must use the refresh token to get another access token. This
way the user can log in once and keep using the APIs until they log out. Once
they log out, the access token can be revoked.

Securing APIs with Basic Auth is also currently widely used. But it doesn't
provide any advantage over OAuth2. So for the future we should stick to OAuth2
only.

For the validation of the OAuth2 token we should have a Tomcat valve so
that it can secure REST as well as SOAP services. I don't think we have
written one all this time. Gihan, if you are doing this, can you sync up with
the IS team and let's finalize.


Thanks,
Johann.

>
> Cheers,
> Anjana.
>


-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Associate Technical Lead & Product Lead of WSO2 Identity Server
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+9476950*
Blog - *http://nallaa.wordpress.com *
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-27 Thread Anjana Fernando
Hi,

I guess our admin services are also accessible via basic auth, aren't they? ..
We just thought, as a convenience method for the end user, they can use
their username/password to access our API if required. So basically, if
using OAuth, other than using the SAML2 bearer token grant type or anything
similar, is it possible to use the login username/password for our dashboard
UI to generate the access token with the resource owner credentials grant type,
maybe? ..

Cheers,
Anjana.

On Tue, Jan 27, 2015 at 2:42 PM, Supun Malinga  wrote:

> Hi Gihan,
>
> IMO using basic auth will make it vulnerable to DoS attacks and less
> secure. So you need to think this through.
>
> There is a possibility of authenticating already logged-in users via the
> cookie data. But we will need to write a new cookie-based OAuth grant type
> for this. AFAIK we don't have such a grant type yet (correct me if I'm
> wrong).
>
> On your latest note, I think you can use the SAML2 grant type [0].
>
> [0]
> https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)
>
> thanks,
>


-- 
*Anjana Fernando*
Senior Technical Lead
WSO2 Inc. | http://wso2.com
lean . enterprise . middleware
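A worked example added by the editor, not code from BAM, Identity Server or anyone on this thread: it plays out the resource owner password credentials flow Anjana asks about and the expiry / refresh / revoke-on-logout behaviour Johann describes in his reply above, with a request-level check that stands in for the Tomcat valve and also accepts Basic auth. Every name in it (TokenServer, authenticate, demo), the token lifetimes and the single constructed user are assumptions; the token store is in-memory and the clock is injectable so expiry can be exercised offline.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# Assumed lifetimes for the demo; a real authorization server reads these from config.
ACCESS_TTL = 3600     # seconds an access token stays valid
REFRESH_TTL = 86400   # seconds a refresh token stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenServer:
    """Hypothetical stand-in for the OAuth2 token endpoint plus its token store."""

    def __init__(self, users: dict[str, str], clock: Callable[[], float] = time.time):
        # Constructed user store: username -> (salt, pbkdf2 hash). Never keep plaintext.
        self._users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, hash_password(pw, salt))
        self._clock = clock
        self._access: dict[str, tuple[str, float, str]] = {}   # token -> (user, expiry, refresh)
        self._refresh: dict[str, tuple[str, float, str]] = {}  # token -> (user, expiry, access)

    def check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, bytes(16))  # same cost for unknown users: no timing oracle
            return False
        return hmac.compare_digest(rec[1], hash_password(password, rec[0]))

    def _issue(self, user: str) -> dict:
        now = self._clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (user, now + ACCESS_TTL, refresh)
        self._refresh[refresh] = (user, now + REFRESH_TTL, access)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def password_grant(self, username: str, password: str) -> Optional[dict]:
        """grant_type=password: the dashboard login credentials buy a token pair."""
        return self._issue(username) if self.check_password(username, password) else None

    def refresh_grant(self, refresh_token: str) -> Optional[dict]:
        """grant_type=refresh_token: an unexpired, single-use refresh token buys a new
        pair; the access token that was paired with it is dropped at the same time."""
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec[1] <= self._clock():
            return None
        self._access.pop(rec[2], None)
        return self._issue(rec[0])

    def revoke(self, token: str) -> None:
        """Logout hook: revoking either token of a pair invalidates both, so the refresh
        token cannot quietly mint a new access token after the user has logged out."""
        rec = self._access.pop(token, None) or self._refresh.pop(token, None)
        if rec is not None:
            self._access.pop(rec[2], None)
            self._refresh.pop(rec[2], None)

    def introspect(self, access_token: str) -> Optional[str]:
        """Resource-server check: owner of a still-valid access token, else None."""
        rec = self._access.get(access_token)
        if rec is None or rec[1] <= self._clock():
            return None
        return rec[0]


def authenticate(headers: dict[str, str], server: TokenServer) -> Optional[str]:
    """Stand-in for the request-level valve. It reads only the Authorization header, so
    the same check fronts REST and SOAP endpoints. Returns the username, or None (401)."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        return server.introspect(param.strip())
    if scheme == "basic":
        try:
            user, sep, pw = base64.b64decode(param.strip(), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if sep and server.check_password(user, pw) else None
    return None


def demo() -> list[str]:
    """Walk the token lifecycle against a controllable clock; returns what the valve saw."""
    now = [1_000_000.0]
    srv = TokenServer({"admin": "admin-pw"}, clock=lambda: now[0])   # constructed user
    seen = ["bad-password:%s" % (srv.password_grant("admin", "wrong") is None)]
    tokens = srv.password_grant("admin", "admin-pw")
    bearer = {"Authorization": "Bearer " + tokens["access_token"]}
    seen.append("bearer:%s" % authenticate(bearer, srv))
    now[0] += ACCESS_TTL + 1                       # access token expired, refresh still live
    seen.append("expired:%s" % authenticate(bearer, srv))
    tokens = srv.refresh_grant(tokens["refresh_token"])
    bearer = {"Authorization": "Bearer " + tokens["access_token"]}
    seen.append("refreshed:%s" % authenticate(bearer, srv))
    srv.revoke(tokens["access_token"])             # dashboard logout
    seen.append("revoked:%s" % authenticate(bearer, srv))
    seen.append("refresh-after-logout:%s" % (srv.refresh_grant(tokens["refresh_token"]) is None))
    basic = {"Authorization": "Basic " + base64.b64encode(b"admin:admin-pw").decode()}
    seen.append("basic:%s" % authenticate(basic, srv))
    return seen


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints the sequence of what the check in front of the API sees. The two things to take from it: logout has to take the refresh token down along with the access token, otherwise the client keeps minting access tokens after the user is gone; and the check needs nothing but the Authorization header, which is why one valve can sit in front of both REST and SOAP services.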


Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-27 Thread Supun Malinga
Hi Gihan,

IMO using basic auth will make it vulnerable to DoS attacks and less
secure. So you need to think this through.

There is a possibility of authenticating already logged-in users via the
cookie data. But we will need to write a new cookie-based OAuth grant type
for this. AFAIK we don't have such a grant type yet (correct me if I'm
wrong).

On your latest note, I think you can use the SAML2 grant type [0].

[0]
https://docs.wso2.com/display/AM170/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2(SAMLextensiongranttype)

thanks,

On Tue, Jan 27, 2015 at 1:48 PM, Gihan Anuruddha  wrote:

> No. We thought it might be convenient for the end user if we provide basic
> auth capabilities. We will integrate OAuth functionality for our REST
> APIs.
>
> Regarding our requirement, we have multiple dashboards that validate the
> user through a single login page. How can we do the backend API
> communication?
>
> Regards,
> Gihan
>


-- 
Supun Malinga,

Senior Software Engineer,
WSO2 Inc.
http://wso2.com
email: sup...@wso2.com 
mobile: +94 (0)71 56 91 321


Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-27 Thread Gihan Anuruddha
No. We thought it might be convenient for the end user if we provide basic
auth capabilities. We will integrate OAuth functionality for our REST
APIs.

Regarding our requirement, we have multiple dashboards that validate the
user through a single login page. How can we do the backend API
communication?

Regards,
Gihan

On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe 
wrote:

> Any particular reason for securing product APIs using Basic Auth?
>
> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>



-- 
W.G. Gihan Anuruddha
Senior Software Engineer | WSO2, Inc.
M: +94772272595


Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-26 Thread Sagara Gunathunga
On Tue, Jan 27, 2015 at 12:02 PM, Sumedha Rubasinghe 
wrote:

> Any particular reason for securing product APIs using Basic Auth?
>
> Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.
>

+1

Basically, API-Everywhere is the platform-level solution for this kind of
use case.

Thanks !



-- 
Sagara Gunathunga

Senior Technical Lead; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com


Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-26 Thread Sumedha Rubasinghe
Any particular reason for securing product APIs using Basic Auth?

Products like G-Reg, CDM are using OAuth 2.0 tokens for this instead.

On Tue, Jan 27, 2015 at 11:53 AM, Gihan Anuruddha  wrote:

> Hi All,
>
> We are going to use a set of REST APIs [1] to communicate with the data
> layer. Basically, we are securing these REST APIs with basic auth. But we
> wanted to communicate with these REST APIs with an already logged-in user as
> well. The reason is we have a plan to use these REST APIs in our Message
> console dashboard, and we want to have an SSO kind of login solution for
> these dashboards without any individual login pages.
>
> So is it possible to use the existing HTTP session cookie and authenticate
> REST API calls, or do we have to use OAuth with some specific grant types?
>
> Appreciate your inputs here.
>
> [1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService /
> Indexing / Search
> --
> W.G. Gihan Anuruddha
> Senior Software Engineer | WSO2, Inc.
> M: +94772272595
>



-- 
/sumedha
m: +94 773017743
b :  bit.ly/sumedha


[Architecture] [BAM] [Security] Securing REST API

2015-01-26 Thread Gihan Anuruddha
Hi All,

We are going to use a set of REST APIs [1] to communicate with the data
layer. Basically, we are securing these REST APIs with basic auth. But we
wanted to communicate with these REST APIs with an already logged-in user as
well. The reason is we have a plan to use these REST APIs in our Message
console dashboard, and we want to have an SSO kind of login solution for
these dashboards without any individual login pages.

So is it possible to use the existing HTTP session cookie and authenticate REST
API calls, or do we have to use OAuth with some specific grant types?

Appreciate your inputs here.

[1] - [Architecture] BAM 3.0 REST APIs for AnalyticsDataService / Indexing
/ Search
-- 
W.G. Gihan Anuruddha
Senior Software Engineer | WSO2, Inc.
M: +94772272595