Support CORS and SAML auth?

Support CORS and SAML auth?

Alec
CORS, or Cross Origin Resource Sharing, allows servers to accept cross origin AJAX requests.

If lightblue-rest supported this (just add a few extra response headers basically) and a SAML login module as an alternative to the cert based authentication, to me it seems like it might be possible to develop client-side applications that are secure without requiring an application server with a certificate to proxy all requests to lightblue.

The application server could enforce SAML authentication for static content requests (HTML/CSS/JS), but after that all REST communication could be done against a lightblue REST interface directly, using SAML for authenticating and authorizing the user (roles from the SAML assertion).

Pro:
- Performance (less network traffic)
- User's roles enforced directly by lightblue (no possibility of a privileged application mistakenly allowing a user to do more than they should be able to)
- No need for additional per application config (certs, user, roles)

Con:
- Is SAML less secure than certificate auth?
- Expose lightblue endpoint (is this a con? If I understand correctly it would probably be visible to outside world in most situations anyway)

Thoughts?

Reference:
http://www.html5rocks.com/en/tutorials/cors/
http://www.developerscrappad.com/1781/java/java-ee/rest-jax-rs/java-ee-7-jax-rs-2-0-cors-on-rest-how-to-make-rest-apis-accessible-from-a-different-domain/
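As an added illustration of the "few extra response headers" mentioned above (example code written for this thread, not lightblue's own code): a JAX-RS 2.0 response filter of the kind described in the second reference, with the points a reviewer would check before exposing a REST endpoint to browser apps. The origins app.example.com and admin.example.com are placeholders, and the example assumes the JAX-RS runtime answers preflight OPTIONS requests itself so that only the headers need adding.

```java
import java.io.IOException;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical CORS response filter for a JAX-RS 2.0 service (not lightblue code).
 * Allowed origins are an explicit allowlist. The filter never echoes an arbitrary
 * Origin and never combines "*" with credentials: browsers reject that combination,
 * and echoing any origin would let every site on the web call the API with the
 * user's SAML session attached.
 */
@Provider
public class CorsResponseFilter implements ContainerResponseFilter {

    // Assumed allowlist with placeholder origins; in a deployment this comes from configuration.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
    private static final String ALLOWED_HEADERS = "Content-Type, Authorization";

    /** Returns the origin to echo back, or null when the request origin is absent or not allowlisted. */
    static String allowedOrigin(String origin) {
        if (origin == null) {
            return null;
        }
        return ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response)
            throws IOException {
        String origin = allowedOrigin(request.getHeaderString("Origin"));
        if (origin == null) {
            // Same-origin request, or an origin not on the allowlist: add no CORS
            // headers at all, so the browser refuses to expose the response.
            return;
        }
        MultivaluedMap<String, Object> headers = response.getHeaders();
        headers.putSingle("Access-Control-Allow-Origin", origin);
        // The response varies by Origin; tell caches so one origin's allow header
        // is never replayed to a different origin.
        headers.add("Vary", "Origin");
        // Required because the browser will send the session cookie or Authorization
        // header that carries the SAML-derived identity.
        headers.putSingle("Access-Control-Allow-Credentials", "true");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Preflight: advertise what the real request may use, and let the
            // browser cache the answer for ten minutes.
            headers.putSingle("Access-Control-Allow-Methods", ALLOWED_METHODS);
            headers.putSingle("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            headers.putSingle("Access-Control-Max-Age", "600");
        }
    }
}
```

The allowlist is what makes the "no app server proxy" design safe: with credentials allowed, the set of origins that may read responses is exactly the set of applications the API owner trusts, and every request is still authenticated and authorized per user by the SAML login module, so CORS only decides which browser origins may read the result.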
Re: Support CORS and SAML auth?

Alec
This would also allow for applications to exist that don't have a dedicated app server at all: the application is downloaded once in its entirety. In other words, a packaged web application. See:

https://developer.chrome.com/apps/about_apps
https://developer.mozilla.org/en-US/Marketplace/Options/Packaged_apps

...which also comfortably port to mobile as standalone applications. Or at least, that's the idea as mobile and HTML5 progress.

Example packaged app: http://www.getpostman.com/
Re: Support CORS and SAML auth?

jewzaam
Administrator
In reply to this post by Alec
> Con:
> - Is SAML less secure than certificate auth?
> - Expose lightblue endpoint (is this a con? If I understand correctly it would probably be visible to outside world in most situations anyway)

No, SAML is not less secure. We actually want to do cert auth and SAML for the REST APIs but hit a bug ().
I like the idea of removing the need for the servlet for apps to authenticate through. So big +1 there. Given each request must authenticate, I don't know that there's any risk added by adding CORS. I did some work with it a while ago around Swagger UI. I dug up that code and pushed it to GitHub:

https://github.com/jewzaam/hystrixexample

Might be useful. CORS was necessary to get Swagger UI working, I think, so that's why it was part of this example.