You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@manifoldcf.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2015/04/01 13:03:52 UTC

[jira] [Commented] (CONNECTORS-1177) Add authentication support for REST api

    [ https://issues.apache.org/jira/browse/CONNECTORS-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14390386#comment-14390386 ] 

Karl Wright commented on CONNECTORS-1177:
-----------------------------------------

r1670614 (trunk)


> Add authentication support for REST api
> ---------------------------------------
>
>                 Key: CONNECTORS-1177
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1177
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 1.8.2, ManifoldCF 2.0.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.9, ManifoldCF 2.1
>
>
> Best practices, as far as I can tell, are here:
> https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
> {code}
> RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie. Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable. 
> {code}
> There's nothing intrinsically wrong with using standard web application session management as a means of managing sessions.  The only potential complication is the java session ID on the URL -- but that can be disabled at the web application level.
> The other complication is session expiration.  Sessions must eventually expire; we will need to signal that by returning a 403 HTTP code should that occur.
> In order to make this work, we need to add a LOGIN post request, whose job it is to establish a session and verify credentials.  The credentials can be placed in the properties.xml file for now, as is done for the web UI.  ALL requests to the API must verify the contents of the credentials bean in order for this to work.  This can be done by simply coding the check at the API's servlet implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)