Issue 11038

AuthFilter needs to verify application keys & header encryption

Reporter: mdoering
Assignee: mdoering
Type: Improvement
Summary: AuthFilter needs to verify application keys & header encryption
Priority: Critical
Resolution: Fixed
Status: Closed
Created: 2012-04-25 12:49:35.722
Updated: 2013-12-06 12:06:45.392
Resolved: 2012-05-03 21:02:26.444
        
Description: For trusted applications that can proxy other users we pass an application key that needs to be verified.
Currently we have a single hardcoded key that is trusted, but this needs to be externalized into some simple, configurable application key store. For example, a simple properties file with appKey=property name and value=public key to be used for the encryption of the last part of the authentication header.

See Amazon: http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html
    


Author: mdoering@gbif.org
Created: 2012-04-27 17:10:28.957
Updated: 2012-04-27 17:10:28.957
        
More resources:
http://docs.adroitlogic.org/display/esb/HTTP+Basic,+Digest,+NTLM+and+AWS+S3+Authentication
http://samritchie.net/2011/09/07/implementing-aws-authentication-for-your-own-rest-api/
    


Author: mdoering@gbif.org
Comment: Using the property appkeys.file to point to a properties file with application keys and their secrets.
Created: 2012-05-03 21:02:26.468
Updated: 2012-05-03 21:02:26.468
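
One way the check described in this issue could look, as an added example that is not the project's AuthFilter code: it follows the closing comment's properties file of application keys and their secrets, and the AWS-style signed header the description links to. The `APP` scheme label, the HmacSHA256 choice, the string-to-sign layout (including the proxied user name) and the sample key and secret are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AppKeyVerifier {
    private static final String SCHEME = "APP "; // assumed scheme label, not from the issue
    private final Properties keys = new Properties();

    AppKeyVerifier(String propertiesText) throws IOException {
        // A real filter would load the file that the appkeys.file property points to.
        keys.load(new StringReader(propertiesText));
    }

    static byte[] hmac(String secret, String stringToSign) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the verified application key, or null if the header must be rejected. */
    String verify(String authHeader, String stringToSign) throws GeneralSecurityException {
        if (authHeader == null || !authHeader.startsWith(SCHEME)) return null;
        String[] parts = authHeader.substring(SCHEME.length()).split(":", 2);
        if (parts.length != 2) return null;            // expected "appKey:signature"
        String secret = keys.getProperty(parts[0]);
        if (secret == null) return null;               // application key not in the store
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;                               // signature is not valid Base64
        }
        // MessageDigest.isEqual compares in constant time, so timing does not leak a partial match.
        return MessageDigest.isEqual(hmac(secret, stringToSign), presented) ? parts[0] : null;
    }

    public static void main(String[] args) throws Exception {
        AppKeyVerifier v = new AppKeyVerifier("demo.portal=constructed-secret-1\n"); // constructed entry
        String sts = "GET\n/occurrence/1\nalice"; // constructed: method, path, proxied user
        String sig = Base64.getEncoder().encodeToString(hmac("constructed-secret-1", sts));
        System.out.println(v.verify(SCHEME + "demo.portal:" + sig, sts));                     // signed request
        System.out.println(v.verify(SCHEME + "demo.portal:" + sig, "GET\n/occurrence/1\nbob")); // user swapped
        System.out.println(v.verify(SCHEME + "unknown.app:AAAA", sts));                       // unlisted key
    }
}
```

Because the proxied user name is part of the signed string in this sketch, a header captured for one user does not verify when replayed with a different user.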