crised / electrical

Electrical M2M software to get an Electrical Bill approximation

Basic Auth or Client Certificate? #15

Closed crised closed 10 years ago

crised commented 10 years ago

@blabno It seems like we're going to use client certificates for remote logging of the devices.

If we use client certificates, should we drop basic auth?

@rnicolau What do you think?

@luan-cestari What do you say?

blabno commented 10 years ago

Why client certs? If you insist on client certs then no need for basic auth.

crised commented 10 years ago

Because we need client certs for remote syslog anyway. How do we ID a device using a client cert?

blabno commented 10 years ago

I've never used client certs. I have to learn it.

crised commented 10 years ago

Httpd will handle this, right?

blabno commented 10 years ago

Well, Apache may verify the client cert, but it will not pass any info to JBoss unless JBoss also listens on HTTPS. If JBoss listens on HTTPS then we can employ the standard JEE client-cert auth method, but I'm still new to that.

crised commented 10 years ago

Then let Apache handle all this; if it passes Apache, it's our device.

We might include something in the URL to identify this.

I'm also thinking of 2 EC2 micro instances, one for the device feed, the other as the normal front end.

blabno commented 10 years ago

Hm, then we will have security constraints scattered across Apache and JBoss.

crised commented 10 years ago

No security constraints at all in JBoss. Only mutual SSL authentication, done automatically by Apache.
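One way to do what crised describes, as an added example that is not the project's own configuration: Apache terminates TLS for the device feed, requires a client certificate issued by a private device CA, and forwards the verified certificate subject to the backend in a request header, which is one answer to the earlier question of how to identify a device from its certificate. Host names, file paths and the backend address on 127.0.0.1:8080 are assumptions.

```apache
# Added example, not the project's config. Host name, paths and the
# backend port are assumptions.
<VirtualHost *:443>
    ServerName devices.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/devices.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/devices.example.com.key

    # Mutual TLS: only certificates signed by our own device CA are accepted.
    # A private CA is used on purpose; with a public CA anyone holding a
    # certificate from that CA would pass the check.
    SSLCACertificateFile  /etc/ssl/certs/device-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Make the verified certificate fields available to mod_headers.
    SSLOptions +StdEnvVars

    # Forward the device identity to the backend. "set" overwrites any value
    # the client sent, so the backend can trust it as long as the backend
    # port is reachable only from this Apache instance.
    RequestHeader set X-Device-CN     "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set X-Device-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # Assumed backend: the JBoss feed endpoint bound to loopback.
    ProxyPass        /feed http://127.0.0.1:8080/feed
    ProxyPassReverse /feed http://127.0.0.1:8080/feed
</VirtualHost>
```

Two checks worth doing with this layout: the backend must listen on loopback (or be firewalled) so nothing but Apache can reach it, otherwise a caller could set X-Device-CN itself; and a lost or stolen device certificate needs revocation, which in httpd 2.4 means publishing a CRL and pointing `SSLCARevocationFile` at it with `SSLCARevocationCheck chain`.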

blabno commented 10 years ago

I suggest we use the browser's built-in dialogs for Basic Auth. That way the browser will keep credentials safely as long as it's open. If we did not do that but stored credentials in an AngularJS interceptor, then when the user hits the "Refresh" window button the credentials would be lost. I also advise not to store credentials in a cookie as it would be a high security risk.

luan-cestari commented 10 years ago

I think mutual authentication would help to make the transport secure and solve the credential problem (since we will only have certificates for the clients we trust).

I didn't understand the problem with the cookies. Another thing that could help with exposing the RESTful services securely is OAuth2.

Regards!


blabno commented 10 years ago

OAuth2 is total overkill. Its purpose is to allow access for 3rd-party services on behalf of our user, which is not the case in this project.

As to cookies, I was writing about the web client. AngularJS can intercept AJAX calls from the web browser and in case of a 401 response (Unauthorized) it can display a login dialog. Once the user types in the credentials, Angular uses them for each subsequent request. The problem appears when the user refreshes the browser window, because the entire Angular (JavaScript) application is reloaded and loses those credentials. Someone could say that we should store credentials in a cookie, but it is very insecure to store a username and password in a cookie. Thus I suggest using the browser's built-in mechanism for Basic Auth. Remember, this is for the web client only, not for the device.

crised commented 10 years ago

Basic auth for the web client seems quite reasonable. Only the server needs to have a certificate.
