I am new to appengine. I will write application which consist of two parts.
1) Core written in app engine with REST interface for clients.
2) Client application written in J2EE on my other (not appengine) server. But here, client may use any other technology (android, swing etc.)
I dont know, how to handle authentication of users in this schema. I think that I am in the middle between standard login and installed applications.
The simplest solution that occured to me, that the client will request username+password, pass it to appengine application via https and it will authenticate.
But dont know how to synchronized the login with client app, because it will need also data from google applications...
Is there any solution or pre-prepared facility in Java how to handle this?
Thanks
You probably want to use OAuth for this; client login or using username+password is not a good way to do this, and informed users will be -- or SHOULD be -- hesitant to give away their passwords. There is a page for using OAuth within AppEngine applications written in Java which may be of use. There is also some support for Oauth in the GData client library for Java. The OAuth in the Google Data Protocol Client Libraries document may help you to understand how to use those features.
Related
I'm developing a RESTeasy JSON API under JBoss-As 7.
I have another separate web-server.
I am developing with JAVA on server-side, and on client-side with Javacript, JQuery, AJAX.
So, I have 2 distinct *war*s, let say they can be accessed as following:
https.//localhost:8443/services
http.//localhost:8080/web
Now I want to secure these two guys; RESTeasy API and web-server.
Let me tell about my structure:
I keep the users in DB with username-password. These are the only users for now.
I have a login page to authenticate my users (I don't want http basic auth popup and any workaround about that)
The clients of REST API are browsers (not web server). The static page is load, and then some other dynamic things are load through REST API, calling within from browser using JQuery, AJAX, whatever.
All communication can be through SSL/TLS, no problem.
For the future, scalability (clients other than web-browsers, ability to authenticate with social network logins, etc.) should be in mind.
My scenario is as following:
Client is browser.
Client wants to access a web page web/aaa.html which is restricted to authenticated users.
Client is redirected to login page: web/login.html
Client filled the FORM and sent to ... either,
a) to the rest-api, or
b) to web-server,
not sure (So, here you have an implicit question).
But in any case, what a or b should do is the same:
Check username-password. Let say they are checked and the user is authenticated.
From now on, I should have got these two things at the same time:
1- Client is authorized to navigate the restricted pages.
2- Client will be authorized on REST API calls.
So, I need these 2 things at the same time happen, after authenticating in login page.
I have read lots of things, about authorization in REST API, with tokens, keys, etc. and yes I also have heard about Spring Security, Apache Shiro, etc.
And yes, I do not want to implement a new security framework by own and I will use one. I imagine that some framework can produce/check tokens etc. for me.
Before Spring Security and Apache Shiro, I want to know about resteasy skeleton key JBoss module.
There are these sources:
https://github.com/resteasy/Resteasy/tree/3.0.1.Final/jaxrs/examples/oauth2-as7-example
http://docs.jboss.org/resteasy/docs/3.0-beta-2/userguide/html/oauth2.html
But, they didn't seem to me very explicative, and also I am not sure if they are what I need.
Is there someone who knows how to configure skeleton key (or in general JBoss App layer) and give me useful example to achieve what I've described, please?
Or, could you give me some other advice/example to achieve my goal, especially noting that my question is about "how to implement"? I don't see where to begin.
Thanks in advance.
For securing REST Services, We can use following framework
OAuth (Open source - RFC6749)
Apigee
I have a diagram editor application (client), which is written in javascript. I need to take the model of the diagrams (can be transformed to text), and synchronise it with my GAE Java application which will be my backend. The application will then store this model on cloud, or send it to other clients. (as a result many people work on same diagrams)
This is a totally new field to me, and even though I completed some of the tutorials google provides, and gone through documentation, I am not sure how the connection will be done (tutorials used JSP).
What is the most straight- forward approach into connecting a Java
application (GAE) with a JS client ?
p.s: I have read about ajax, but I dont know if its the right solution for this, or if there is a better one.
What is the most straight- forward approach into connecting a Java
application (GAE) with a JS client ?
Through an API built on HTTP. Your JAVA web app can expose certain endpoints. You can then use Javascript to make http requests, (through AJAX) to your java web api). This is currently the defacto way of communicating from front end with javascript to any backend service.
There will be some trickiness to supporting real time collaboration between clients.
Additionally, there has been increasing support for websockets, which allows you to open a persistant connection between your client and your server, i don't know if java on GAE supports it though...
I am working on writing a private REST API with Play! that I will make calls to from a mobile application and I am confused about how to keep it secure.
When working through the Yet Another Blog Engine example in Play!'s documentation, I worked through their authentication example, and it deals with logging in through a browser. From what I understand about Play!'s Secure module, it helps with browser sessions. Additionally, every StackOverflow question I have seen has been involved with an administration module on the web and the questions have been pertaining to sessions as well.
Does the Play! framework have any built in mechanism to prevent session hijacking?
Enforce Https routing for login with play framework
My current understanding of how the security should work:
The mobile app "logs in" to the web app and obtains some kind of token
With each subsequent call the token is appended to the end of the API call
If the mobile user "logs out" or the token expires, the web app removes the token
Every API call uses HTTPS in order to maintain security
Is it possible for me to make an HTTP request from the mobile application to the web application I create using Play! Framework while keeping it secure?
Am I approaching the whole situation incorrectly?
This is the first Play! app I have created and this is the first time I have used Heroku. I am not too far in that I would be opposed to switching to something else if it were significantly easier/more efficient/better suited to solve this problem.
EDIT: Also, in Play!'s YABE tutorial, it seems like they check the password in plain text. Just from a general standpoint, how is that not a security issue?
EDIT 2: I have looked over OAuth provider information and it seems to solve the problem. My only apprehension with it is that v2.0 has known security flaws and v1.0 seems complicated to implement for a situation where all I need is a secure connection between a mobile app and a web app. If I were to make every call require SSL, could I make each Play method just take username and password as parameters and disregard OAuth completely?
Your example of having a mobile application authorize itself with a web application is achieved with an authorization framework like OAuth. This allows the web app to let the user login then issue an access token to the mobile app for making requests as that user, without the mobile app having to deal with the user's password.
Have a look at an OAuth provider module for Play. If you Google, you might find an OAuth client module for Play, but that's for the other side of OAuth, allowing your web app to authorize against a 3rd party provider. You'd then use an OAuth client library in your mobile app to deal with acquiring an access token.
It could even be a generic Java libary for OAuth - the Play 2.0 documentation for OAuth states that it hasn't provided an OAuth 2.0 module because it's simple enough not to even need a library. However there are a few Java libraries available.
Here's a project where somebody's put together some OAuth provider stuff with Play (referenced from this forum post):
https://github.com/mashup-fm/playframework-oauthprovider
I'm looking to roll my own simple user authentication as part of a iOS / GAE app. I'm not wanting to use 3rd party libs such as spring.
I have an iOS client from which I'd like to offer the option to create a profile (hashed UDID, password). Store the login details (keychain?) and auto-login to GAE each time my App starts.
I'm thinking simple HTTP basic-authentication. B64 decode (GAE API for this?), then use the hashed UDID as Key into my various datastore Entities via low level data store API. Then generate some kind of unique session ID (GAE API for this?) to pass around as a URL parameter.
I have fairly good Java/Objective-c experience, but it's my first 'cloud' type app and I have a security concerns about the above approach. Not least because I didn't find any java examples of solving what must be a fairly common problem, which makes me think I'm missing something :)
Some things I'm not sure how to solve;
The URLs could easily be 'network sniffed' or 'binary scanned' from the App opening me up to the possibility of DOS/GAE app abuse.
Is it worth to try and secure the traffic via HTTPS, and is there a way to do this between iOS and GAE (I've never used SSL)
Could I combine this approach with an administration page that would use google authentication.
Does GAE have any built in DOS protection or would I also need to combine that into my authentication approach?
Without GAE threads how do I invalidate a session after a certain amount of time, taskQueue?
I'm new to GAE and excited to get past this first hurdle, so any tips advice is much appreciated!
Some of my experiences though I'm using python you might find some of the observations I make helpful:
You might want to consider OAuth 2.0 as authentication model since it works with most providers.
I first chose a Javascript / OpenID + custom login and now I use serverside OAuth 2.0 + custom login. (I had considered using http://www.janrain.com/ if you're thinkning altenatives to rolling your own.)
A third option for you is to take a custom authentication that is already included with a Java CMS for app engine that already has an authentication system.
You can make a completely custom /admin interface completely separate from the user experience so app engine will be preferable for you since it gives you a lot of control over the code.
If you want to look how a larger Java CMS for GAE does it then you could check in http://www.vosao.org/
I have a django front end which the client will log into. media streams selectable from the django ui will be served from a wowza server. The wowza server needs to know that the user has permission to view the media resource.
Wowza supports java packages so I can insert user authentication into my wowza app to control access to media resources.
I own/control both servers, so I can configure a secure connection between them.
I think i should be looking into something like Oauth to pass credentials, but I am not certain as I have never looked into how to pass user authentication between two web services before.
So I think my question is: Is Oauth the appropriate mechanism to use? and if so, whats the basic requirements in terms of the django package and Java pacakge to use?
Or, is a single sign solution like this one more appropriate SSO (Single sign on ) in MVC
What do not try RemoteUser backend to authenticate and use http info from REMOTE_USER variable?