Avoiding Administrator virtual user account

Currently we do use this Administrator account for REST calls and the username/password is in configuration files for REST Calls. For security purpose we would like to avoid having password in config files. Is there any better ways for REST Calls to be authenticated ? We prefer using Administrator username for REST Calls but would like to avoid password being hard coded for rest calls. Let us know for suggestions.

0 votes

1 answers

989 views

ANSWER



Hi,

Nuxeo supports several authentication solutions. Choosing the right one depends on what you want to do.

Client side certificate

You can use client side certificate, use an Apache reverse proxy to do the certficate validation and use Nuxeo mod_sso plugin on the Nuxeo side to handle the login.

http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups

Server 2 server authentication

You can use the portal_sso authentication plugin that allows to define a secret key between the 2 servers.

http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups

NB : support is already included in the java AutomationClient

Use OAuth 1.0

Nuxeo can be an OAuth service provider, so if you client app can use OAUth this may be an option.

http://doc.nuxeo.com/display/ADMINDOC56/Using+OAuth

Tiry

0 votes



So can we use te portal_sso authentication though there is no SSO sever at this time and just for the purpose of application making REST Calls using HttpAutomationClient ? Do we still need virtual user Administrator here or does it use a different user account ? If Administrator virtual user is still used in the portal_sso , can we remove password from the config file where the Administrator virtual user is created ? Also if we use portal_sso auth with shared key, do we still store the shared key in config file ? Does it mean someone can login to Admin console using the shared key from config file ? Is it encrypted ? Please give us details to address the security concern here ?
09/13/2012