Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-14 Thread Ruchira Wageesha
On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka wrote:

> Hi all,
>
> I have implemented the ES Publisher REST API in order to access and perform
> CRUD operations on the ES BackOffice.
>
> Each endpoint is authenticated by a valid Session-ID, passed to the
> endpoint in the request header.
>
> In order to obtain a session-ID we have implemented a separate
> authenticate REST endpoint. A user can send the username and password in a
> POST request to this endpoint, and if the credentials are valid a session-id
> will be returned.
>
> Currently, no encryption or other (basic-auth/OAuth) authorization
> mechanism is implemented yet.
>
> What would be the lightweight and best way to secure this 'authentication'
> endpoint? Is there a particular WSO2 way of doing this?
>
I assume you need a recommendation for securing all the REST APIs, i.e.
whether to use OAuth, Basic Auth, etc., since you have secured it based on
the cookie, right?

Anyway, in order to secure the auth endpoint, you will have to at least use
HTTPS.

>
> Thanks!
> - Ayesha
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com 
>



-- 
Ruchira Wageesha, Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com,
mobile: +94 77 5493444
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-14 Thread Roshan Wijesena
Hi Ayesha,

IMO, if you have an intention to expose your API to third-party developers,
the best way to secure it is using OAuth2, where the third-party developer can
generate his consumer id/secret, generate an API token and use that token to
access the APIs. WSO2 APIM is using that protocol. If you wish, you can use
WSO2 IS as a token provider, but I believe in your case basic auth [1] over
SSL would be sufficient.

And why do we need two REST APIs here? Can we validate the user directly in
your CRUD REST API?

[1] http://tools.ietf.org/html/rfc2617



-- 
Roshan Wijesena.
Senior Software Engineer - WSO2 Inc.
Mobile: +94752126789
Email: ros...@wso2.com
WSO2, Inc. : wso2.com
lean.enterprise.middleware.


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-15 Thread Ayesha Dissanayaka
Hi Ruchira,

Yes, I need a recommendation on how to secure all the REST API endpoints.
Currently the publisher app uses both HTTP and HTTPS. Since the publisher
should be secured, I think we need to disable serving pages/APIs over HTTP. In
that way these REST endpoints will also be HTTPS-only, as they are served
under '{context}/publisher/apis/*'.
WDYT?

Roshan,
Thank you for your suggestions.
We don't maintain two REST APIs; this is the same REST API we use
internally on the ES client side and expose to external clients (third-party
developers).

Thanks!
- Ayesha




-- 
Ayesha Dissanayaka
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-16 Thread Dulanja Liyanage
Hi,

The API can be secured using either BasicAuth or OAuth. The WSO2 IS SCIM
endpoint is one example.

If BasicAuth is used, the client side might have to store the username/password.

If OAuth is used and the API is accessed via a browser, the user can be
redirected to the authorization server to get authenticated, which removes
the risk of having user credentials on the client side.

Either way, SSL should be used to avoid man-in-the-middle attacks.

Hope this helps.

Thanks
Dulanja



-- 
Dulanja Liyanage
WSO2 Inc.
M: +94776764717


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-16 Thread Danushka Fernando
IMO storing the username and password is not the recommended way, so +1 for
OAuth security. Maybe we can have both OAuth and basic auth if needed. But
if these endpoints are for third-party developers who will write some
client code using them, I think OAuth is the best way.

Thanks & Regards
Danushka Fernando
Software Engineer
WSO2 inc. http://wso2.com/
Mobile : +94716332729



Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-17 Thread Chan
I believe this is a perfect example of the API Everywhere concept. In EMM,
some APIs are exposed to the devices with this concept. Basically a Tomcat
valve validates the security tokens; the security protocol used here is
OAuth.

Another question I have on the BackOffice API is whether this is the same
API used by the Publisher App itself.

Cheers~



-- 
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2 Inc
Lean.Enterprise.Mobileware
~Email duli...@wso2.com
~Mobile +94712112165
~Website dulitha.me
~Twitter @dulitharw
~Github @dulichan
~SO @chan
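The two options Dulanja lays out (Basic auth, which leaves a password on the client, versus OAuth bearer tokens) and the token-validating valve Chan describes, as an added example that is not part of this thread or of any WSO2 code: one request filter that refuses credentials over plain HTTP, verifies Basic credentials against a salted-hash store with a constant-time comparison, and validates opaque bearer tokens with expiry. The user, tokens, salt and request dicts are constructed for the example.

```python
"""Added example (not WSO2 or thread code): one request filter that accepts the
two schemes discussed, HTTP Basic (RFC 2617) and OAuth2 Bearer, and refuses
either on plain HTTP. Users, tokens and requests are constructed for the example."""
import base64
import hashlib
import hmac
import time

_SALT = b"constructed-salt"  # a real store uses a random salt per user


def _hash_password(password: str) -> bytes:
    # Store a salted PBKDF2 hash, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store (Basic auth is checked against this).
USERS = {"ayesha": _hash_password("correct horse")}

# Constructed token store (what a token-validating valve would consult).
# Bearer tokens are opaque and expire; the client never holds a password.
TOKENS = {
    "tok-abc123": {"user": "ayesha", "expires_at": time.time() + 3600},
    "tok-expired": {"user": "ayesha", "expires_at": time.time() - 1},
}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a Basic-auth client sends (example helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(credentials: str):
    """Decode 'user:password' and verify it; return the user name or None."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    user, _, password = decoded.partition(":")
    stored = USERS.get(user)
    candidate = _hash_password(password)  # hash even for unknown users: uniform timing
    if stored is not None and hmac.compare_digest(stored, candidate):
        return user
    return None


def check_bearer(token: str, now: float = None):
    """Look up an opaque bearer token; reject unknown or expired tokens."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None or entry["expires_at"] <= now:
        return None
    return entry["user"]


def authenticate(request: dict) -> tuple:
    """Filter step: return (HTTP status, principal) for a constructed request
    of the form {'scheme': 'http'|'https', 'headers': {...}}."""
    if request.get("scheme") != "https":
        # Both schemes carry a secret in the Authorization header; never accept
        # it over plain HTTP (the thread's "at least use HTTPS").
        return 403, None
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "basic":
        user = check_basic(value.strip())
    elif scheme.lower() == "bearer":
        user = check_bearer(value.strip())
    else:
        user = None
    return (200, user) if user is not None else (401, None)
```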


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-17 Thread Sameera Medagammaddegedara
> Another question I have on the BackOffice API is - whether this is the
> same API used by the Publisher App itself?

yeap



-- 
Sameera Medagammaddegedara
Software Engineer

Contact:
Email: samee...@wso2.com
Mobile: + 94 077 255 3005


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-18 Thread Udara Liyanage
Hi,

Having basic auth with HTTPS is kind of secure as long as no third party
is invoking the APIs.



Touched, not typed. Erroneous words are a feature, not a typo.


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-19 Thread Ayesha Dissanayaka
Thank you everyone for your valuable inputs.

@Udara,
These API endpoints are used by the ES publisher app itself and will be invoked
by authorized third parties as well. In that way we have enabled accessing the
ES back office via remote clients as well.

According to the suggestions in this thread, having OAuth is the best way to
secure the endpoints which are exposed to third parties.

We will decide whether to use basic auth/OAuth or support both, and update
the thread on the final outcome.

Thanks!
- Ayesha





Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-19 Thread Manoj Gunawardena
Hi,
+1 for OAuth2, because publisher APIs can be used on mobile devices.
Ex: a customer implements a mobile app to publish assets.

Also we need to think about how a customer can extend (customize) the security
with our extension model.
Ex: a customer writes an extended publisher API and needs to give different
grant types and roles.

Also, I think it is better to maintain one security mechanism, rather than
secure some APIs with OAuth2 and some APIs with Basic Authentication.

Thanks



-- 
Manoj Gunawardena
Tech Lead
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware
Mobile : +94 77 2291643


Re: [Architecture] What is the best/wso2 way to authenticate REST endpoints.

2014-10-22 Thread Harshan Liyanage
Hi,

Using OAuth will be beneficial & future-proof as well. You can use it
easily when the APIs are exposed to the public. +1 for using OAuth for API
Security.

Thanks,
Best Regards,

Lakshitha Harshan
Software Engineer
Mobile: +94724423048
Email: hars...@wso2.com
Blog : http://harshanliyanage.blogspot.com/
WSO2, Inc. : wso2.com
lean.enterprise.middleware.
