(12:01:15) vwjuicew: mbarkley: Hi, can I ask you a question about your latest post on Errai security?
(12:01:55) mbarkley: vwjuicew: sure. what's your question?
(12:02:29) vwjuicew: mbarkley: thanks, so I noticed that one can add @RestrictedAccess to a REST service
(12:03:38) vwjuicew: mbarkley: but does that work only for client-server communication? Because what I want to do is to secure my REST services that are called from other applications
(12:06:08) mbarkley: vwjuicew: it should be secure from all calls, provided the REST service is running in a CDI container and the Security Interceptor is configured as described in the docs
(12:08:55) vwjuicew: mbarkley: hm ok thanks. But how does it validate when it's called from an external app, because in this case there's no user/role logged in? Should I check the docs to understand this?
(12:10:46) mbarkley: vwjuicew: so the "current Errai user" is associated with the session. so if a third party calls your REST service and there is no Errai user associated with their session, the logic in your REST service will not be invoked
(12:14:34) vwjuicew: mbarkley: ok, and is there a way to secure this in a different way or allow some third parties to call this without an Errai user? Or how could I simulate an Errai user in the third party? because it doesn't use Errai
(12:16:39) mbarkley: vwjuicew: do these third parties need to authenticate themselves to use the service, or is the idea that you only want the REST service to be secure from within the Errai app?
(12:18:42) vwjuicew: mbarkley: currently we are not using any type of security. The idea is that the third party should use some kind of authentication with our Errai app to consume the REST services.
(12:19:39) mbarkley: vwjuicew: ok. so I would suggest making another REST service for your third parties that allows them to log in via the AuthenticationService
(12:20:23) mbarkley: if you do that, they'll be able to access your secure REST service for as long as their session is valid
(12:25:08) hpehl [~hpehl@redhat/jboss/hpehl] entered the room.
(12:25:25) vwjuicew: mbarkley: hm, sounds good. So the idea is that the login REST service returns a User to the third party, and it sends this user every time it calls another REST service?
(12:26:23) mbarkley: vwjuicew: returning the User isn't necessary. as long as you call AuthenticationService.login from within the login REST service, that will associate the user with their session
(12:27:54) vwjuicew: mbarkley: ok, I'm sorry, I don't have much experience with REST, so last question: a session token is sent every time we call a REST service, and Errai Security uses this to check authorization?
(12:29:24) mbarkley: vwjuicew: effectively yes.
(12:29:57) vwjuicew: mbarkley: ok, thank you so much, you've been very helpful! :)
(12:30:39) mbarkley: vwjuicew: no problem :)