Month: February 2014

How to effectively build a hybrid SaaS API management strategy


IoT, API, Big Data, Mobile, SOA, Cloud & Security Blog

– By Andy Thurai (@AndyThurai) and Blake Dournaee (@Dournaee). This article was originally published on Gigaom

Summary: Enterprises seeking agility are turning to the cloud while those concerned about security are holding tight to their legacy, on-premise hardware. But what if there’s a middle ground?

If you’re trying to combine a legacy and a cloud deployment strategy without having to do everything twice, a hybrid strategy might offer the best of both worlds. We discussed that in our first post, “API Management – Anyway you want it!”.

In that post, we discussed the different API deployment models as well as the need to understand the components of API management, your target audience and your overall corporate IT strategy. The article drew a tremendous readership and positive comments (thanks for that!). But there seemed to be a little confusion about one particular deployment model we…


OAuth2 with Apache CXF


Securing Restful Web Services with OAuth2

An overview on the OAuth2 security authorization protocol and its implementation with Apache CXF.

Quick Background

OAuth and OAuth2 are two successive versions of an open protocol that lets you protect your valuable web application resources against unauthorized access in a simple, standard way. In this post, we assume that the resources to be protected are served by a set of RESTful web services. These RESTful services must be taught how to protect the resources they serve, so that they can take on the responsibility of judging an access request and deciding whether to accept or reject it.

OAuth2 is the second and latest version of this protocol that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or…


Workshop: Identity & Access Control for modern Web Applications and APIs


leastprivilege.com

Brock and I are currently working on a brand new two day workshop about all things security when building modern web applications and APIs.

You can either attend the full two day version at NDC Oslo (June) – or a stripped down one day version at SDD London (May). Both still have early bird offerings.

Hope to see you!

With ASP.NET MVC, Web API and SignalR tied together using the new OWIN and Katana framework, Microsoft provides a compelling server-side stack to write modern web applications and services. In this new world we typically want to connect client platforms like iOS, Windows or Android as well as JavaScript-based applications using frameworks like AngularJS.

This two day workshop is your chance to dive into all things security related to these new technologies. Learn how to securely connect native and browser-based applications to your back-ends and integrate them with enterprise identity management…


Typical CXF OAuth2 Implementation Flow


Securing Restful Web Services with OAuth2

1. TYPICAL AUTHORIZATION SCENARIO

1.1. TYPICAL REQUEST
1.1.1. REQUEST URI
http://localhost:8080/oauth2/authorize?response_type=code&client_id=1&scope=read_user_profile&redirect_uri=http://localhost:8080/transport/authorization/code
Client_id: Represents the id of the client application requesting authorization.
Scope: Represents the scope of permission that is required
Response_type: The client specifies that it is seeking an authorization code in return.
Redirect_uri: The URI that will be used by the authorization server to post the generated authorization code.

1.1.2. REQUEST HEADER
The request header shall look like:
Http-Method: GET
Headers: {
Accept= [text/html,application],
Authorization= [Basic YmFycnlAc29jaWFsLmNvbToxMjM0],

The Authorization Header wraps the encoding of the client id and client secret.

1.2. TYPICAL FLOW

[Figure: Typical Authorization Request Sequence]

2. TYPICAL ACCESS TOKEN GRANT SCENARIO
The following scenario describes how an access token can be retrieved, based on the Authorization Code grant type described above. Alternative flows take place according to the grant type supplied in the access token request.

2.1. TYPICAL REQUEST

2.1.1. REQUEST URI
http://localhost:9999/oauth2/token

2.1.2. REQUEST HEADER
Address: http://localhost:9999/oauth2/token


OAuth made easy


avisheksharma

OAuth 2.0

The article explains why we actually need to learn OAuth, what this beast actually is, how we implement it on our site, an example, and what the difference is between OAuth 1.0 and OAuth 2.0.

Hope you enjoy learning the article instead of getting bored.
I tried to explain things in a more pictorial way as much as I can, rather than with boring words and paragraphs 😉


Visualforce


SalesForce Knowledge Tips

Visualforce allows you to build sophisticated, custom user interfaces that can be hosted natively on the Force.com platform. Visualforce achieves this with the help of a tag-based markup language similar to HTML. You can use the Visualforce development tools to gain a better perspective on UI development with Visualforce and take your UI development expertise to the next level.

In the Visualforce markup language, each Visualforce tag corresponds to a coarse or fine-grained user interface component, such as a section of a page, a related list, or a field. The behavior of Visualforce components can either be controlled by the same logic that is used in standard Salesforce pages, or developers can associate their own logic with a controller class written in Apex.

  • In a Visualforce page we can write HTML, CSS, JavaScript, etc.
  • Each Visualforce page contains tags/components and controllers.
  • Each tag contains attributes and attributes…


Salesforce – Apex Language


SalesForce Knowledge Tips

Apex is a development platform for building software as a service (SaaS) applications on top of Salesforce.com’s customer relationship management (CRM) functionality. Apex allows developers to access Salesforce.com’s back-end database and client-server interfaces to create third-party SaaS applications. Apex includes an application programming interface (API) that developers can use to access user data on Salesforce.com. This API allows developers to use common SaaS components, like Web widgets or a multi-tenant database, without having to develop much of the infrastructure traditionally associated with SaaS programs.

Apex is a strongly-typed, object-oriented programming language that lets you centralize and execute flow and transaction control statements on the Force.com platform in conjunction with application calls to Force.com APIs. Using syntax that looks like Java and acts like database stored procedures, Apex lets you add powerful custom business logic to most system events, including button clicks, related record updates, and…
