- (12:01:15) vwjuicew: mbarkley: Hi, can I ask you a question about your latest post on errai security?
- (12:01:55) mbarkley: vwjuicew: sure. what's your question?
- (12:02:29) vwjuicew: mbarkley: thanks, so I noticed that one can add @RestrictedAccess to a REST service
- (12:03:38) vwjuicew: mbarkley: but does that work only for client-server communication? Because what I want to do is to secure my REST services that are called from other applications
- (12:06:08) mbarkley: vwjuicew: it should be secure from all calls, provided the REST service is running in a CDI container and the Security Interceptor is configured as described in the docs
- (12:08:55) vwjuicew: mbarkley: hm ok thanks. But how does it validate when it's called from an external app, because in this case there's no user/role logged in? Should I check the docs to understand this?
- (12:10:46) mbarkley: vwjuicew: so the "current errai user" is associated with the session. so if a third-party calls your rest service and there is no errai user associated with their session, the logic in your REST service will not be invoked
- (12:14:34) vwjuicew: mbarkley: ok, and is there a way to secure this in a different way or allow some third parties to call this without an errai user? Or how could I simulate an errai user in the third party? because it doesn't use errai
- (12:16:39) mbarkley: vwjuicew: do these third-parties need to authenticate themselves to use the service, or is the idea that you only want the REST service to be secure from within the errai app?
- (12:18:42) vwjuicew: mbarkley: currently we are not using any type of security. The idea is that the third-party should use some kind of authentication with our errai app to consume the rest services.
- (12:19:39) mbarkley: vwjuicew: ok. so i would suggest making another REST service for your third parties that allows them to login via the AuthenticationService
- (12:20:23) mbarkley: if you do that, they'll be able to access your secure REST service for as long as their session is valid
- (12:25:08) hpehl [~hpehl@redhat/jboss/hpehl] entered the room.
- (12:25:25) vwjuicew: mbarkley: hm, sounds good. So the idea is that the login REST service returns a User to the third party, and it sends this user every time it calls another REST service?
- (12:26:23) mbarkley: vwjuicew: returning the User isn't necessary. as long as you call AuthenticationService.login from in the login REST service, that will associate the user with their session
- (12:27:54) vwjuicew: mbarkley: ok, I'm sorry, I don't have much experience with REST, so last question: a session token is sent every time we call a REST service, and Errai-Sec uses this to check authorization?
- (12:29:24) mbarkley: vwjuicew: effectively yes.
- (12:29:57) vwjuicew: mbarkley: ok, thank you so much, you've been very helpful! :)
- (12:30:39) mbarkley: vwjuicew: no problem :)