Currently, The goal of ATHENA-Security is simply to enforce that web-clients using ATHENA are authorized to do so. We aren't (yet) concerned with users, access control, LDAP, etc..
Upsides to putting this on Apache:
- It's been done
- It's been tested
- It's a fairly common solution
- mod_proxy and mod_security are open source
- Offers some more routing and balancing solutions for ATHENA components
Downsides:
- We're trying *really* hard to avoid technology lock-in. Mandating that ATHENA installations use Apache runs contrary to that.
- ATHENA installations can't be "secure" unless sitting behind Apache
I figured that most ATHENA installs will be behind a webserver of some sort, but making that part of the package feels wrong for some reason.
Thoughts, please.
Gary
--
Gary Moore | gary....@fracturedatlas.org | @gsmoore
Fork us on Github: http://github.com/fracturedatlas/
Join us on IRC: ##athena on irc.freenode.net
Digest Authentication would be pretty nasty for user authentication, but
it seems like a great fit for client authentication in this case.
> --
> Visit: http://athena.fracturedatlas.org/tix
> Fork: http://github.com/fracturedatlas
> Chat: ##athena on Freenode
>
> You received this email because you are subscribed to the "ATHENA Tix
> Developers" group on Google Groups.
>
> To post, email: athena-t...@googlegroups.com
> To unsubscribe, email: athena-tix-dev...@googlegroups.com
> For more, visit: http://groups.google.com/group/athena-tix-devel?hl=en
(mobile)
On Jan 3, 2011, at 5:03 PM, Gary Moore <gary....@fracturedatlas.org> wrote:
> Re-inventing all this stuff at the web-application level, while cool, could be redundant.
My security geek friends advocate for avoiding the reinvention of security stuff if at all possible, on the basis that it's often hard to get right.
Thumbs up re-use!
-C
http://www.kyle-jensen.com/secure-your-api-with-two-legged-oauth
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
--------------------------------------------------
From: "Christopher Ashworth" <ch...@figure53.com>
Sent: Monday, January 03, 2011 10:48 PM
To: <athena-t...@googlegroups.com>
Subject: Re: [athena-tix-devel] Security at the ATHENA level or the
webserver level?
>
>
Right now, ATHENA only cares about what client application is talking to ATHENA. ATHENA does not care about *what user is logged into that application*
Eventually, though, ATHENA will care. If we use, say, Digest Authentication to authenticate the client, will that interfere with whatever solution we use to authenticate the user? Will it be difficult for clients to implement client authentication with Digest AND user authentication with OAuth (or whatever)?
Or, at the the point where we care about users, do we stop caring about clients? (I argue that we still care about the client).
This was my original argument for API-key auth for clients. It's simple to implement and doesn't preclude end-use authentication schemes.
Gary
And yeah, it basically *is* API-key auth (this is exactly what I'm
currently using it for) in so far as it's just a username (i.e. client
identifier) and password (i.e. API key). It just has the added benefit
that you never have to send a password over plaintext, even if you don't
have an SSL-encrypted connection.
(FWIW, I agree that we always have to be concerned with the client.)
I don't know much about 2-legged OAuth, but I do have experience with
Digest. Digest authentication is handled entirely via HTTP headers, so as
far as I know it shouldn't preclude any other mechanism for authenticating
end users, including OAuth. As long as we're committed to API calls being
made over HTTP, then we'll always have headers to deal with and there's no
reason that I can think of that Digest wouldn't work.
And yeah, it basically *is* API-key auth (this is exactly what I'm
currently using it for) in so far as it's just a username (i.e. client
identifier) and password (i.e. API key). It just has the added benefit
that you never have to send a password over plaintext, even if you don't
have an SSL-encrypted connection.
(FWIW, I agree that we always have to be concerned with the client.)
> -----Original Message-----
> From: athena-t...@googlegroups.com [mailto:athena-tix-
> de...@googlegroups.com] On Behalf Of Gary Moore
Digest and OAuth would only conflict if they both needed to be used for client authentication, right? Or are you saying that using Digest for the client authentication would somehow preclude using OAuth for the user authentication?
Digest and OAuth would only conflict if they both needed to be used for client authentication, right? Or are you saying that using Digest for the client authentication would somehow preclude using OAuth for the user authentication?
"Digest and OAuth would only conflict if they both needed to be used for client authentication, right?"
They are compatible in that they don't use the same header names (except maybe "nonce" have to double check). The problem is ease of client implementation. There are client-side libraries that support both, but I'm sure they woul dbe had to work in concert together (arts reference!)
Stjepan,
I'm a big fan of OAuth2, but the reliance on SSL hurts a bit. We're trying not to require SSL for all ATHENA implementations.
You also expressed concerns about ease/speed of development. Apache makes
it super simple to deploy server-side digest authentication... Is there an
existing open source Java library that could accomplish the same thing
with OAuth2?
> -----Original Message-----
> From: athena-t...@googlegroups.com [mailto:athena-tix-
> de...@googlegroups.com] On Behalf Of Gary Moore
> Sent: Tuesday, January 04, 2011 10:39 PM
> To: athena-t...@googlegroups.com
> Subject: Re: [athena-tix-devel] Security at the ATHENA level or the
> webserver level?
>
> devel+un...@googlegroups.com
> Visit: http://athena.fracturedatlas.org/tix
> Fork: http://github.com/fracturedatlas
> Chat: ##athena on Freenode
>
> You received this email because you are subscribed to the "ATHENA Tix
> Developers" group on Google Groups.
>
> To post, email: athena-t...@googlegroups.com
> To unsubscribe, email: athena-tix-dev...@googlegroups.com
> For more, visit: http://groups.google.com/group/athena-tix-devel?hl=en
>
> --
> Visit: http://athena.fracturedatlas.org/tix
> Fork: http://github.com/fracturedatlas
> Chat: ##athena on Freenode
>
> You received this email because you are subscribed to the "ATHENA Tix
> Developers" group on Google Groups.
>
> To post, email: athena-t...@googlegroups.com
> To unsubscribe, email: athena-tix-dev...@googlegroups.com
> For more, visit: http://groups.google.com/group/athena-tix-devel?hl=en
>
> --
> Gary Moore | gary....@fracturedatlas.org | @gsmoore
> Fork us on Github: http://github.com/fracturedatlas/
> Join us on IRC: ##athena on irc.freenode.net
>
Thanks much for the comments.
I propose to use Digest Auth for Authing Client Applications in ATHENA 1.0. The reasons are outlined below:
0) The data provided by ATHENA is too sensitive to rely simply on an API key. Accessing ATHENA with only an API key is akin to using an API key for your database access.
1) Digest is widely supported by both server and client libraries.
2) It is implementable at different levels. ATHENA implementors can turn it on at the Apache, Web Container, or ATHENA level without impact to Client Applications.
3) Digest is supported by our testing tools: RESTClient and curl. It is also supported within Jersey, the framework on which we built our HTTP/JSON endpoints
4) OAuth1 is being superseded by OAuth2
5) OAuth2 requires SSL and we don't want to have to require it in kind.
6) This at least gives us a story to stick to when migrating to user auth at some later date. The Client Application can replace its credentials with that of the user.
Thanks, all. Drop into our Athena Chatroom on Freenode if you've got a sec: ##athena