Ask Question
« General Questions on Nuxeo

Avoiding Administrator virtual user account

Currently we do use this Administrator account for REST calls and the username/password is in configuration files for REST Calls. For security purpose we would like to avoid having password in config files. Is there any better ways for REST Calls to be authenticated ? We prefer using Administrator username for REST Calls but would like to avoid password being hard coded for rest calls. Let us know for suggestions.

smalis
Member (162)   1   1   3 		09/12/2012 ( History)
0 votes
1 answers
2107 views
ANSWER
ANSWERS

Hi,

Nuxeo supports several authentication solutions. Choosing the right one depends on what you want to do.

Client side certificate

You can use client side certificate, use an Apache reverse proxy to do the certficate validation and use Nuxeo mod_sso plugin on the Nuxeo side to handle the login.

http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups

Server 2 server authentication

You can use the portal_sso authentication plugin that allows to define a secret key between the 2 servers.

http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups

NB : support is already included in the java AutomationClient

Use OAuth 1.0

Nuxeo can be an OAuth service provider, so if you client app can use OAUth this may be an option.

http://doc.nuxeo.com/display/ADMINDOC56/Using+OAuth

Tiry

Thierry Delprat
Member (1.4K)   1   3   4 		09/13/2012 ( History)
0 votes
smalis
So can we use te portal_sso authentication though there is no SSO sever at this time and just for the purpose of application making REST Calls using HttpAutomationClient ? Do we still need virtual user Administrator here or does it use a different user account ? If Administrator virtual user is still used in the portal_sso , can we remove password from the config file where the Administrator virtual user is created ? Also if we use portal_sso auth with shared key, do we still store the shared key in config file ? Does it mean someone can login to Admin console using the shared key from config file ? Is it encrypted ? Please give us details to address the security concern here ?
09/13/2012
Follow
Tags
Linked Questions
Related Questions
python client: newly created workspace not showing in Admin UI
Notification with Gmail SMTP
Nuxeo java client
Locations of all the embedded passwords in Nuxeo
Get all accesssible document of a user while being authenticated as Administrator PYTHON API
Would LDAP groups show up empty in Nuxeo's Users and Group section?
REST API : access to encrypted (or not) user passwords
Default Admin username and password not working
Encrypt Nuxeo password in database