I have a basic xml-rpc web service service running.
What is the simplest way(I'm a newbie) to implement secure authentication?
I just need some direction.
You could checkout This code for a simple XML-RPC server over HTTPS. Authentication can work in any way you wish ... they could authenticate with some credentials and you provide a cookie for the rest of the session.
The Python docs for xmlrpc include details of using the HTTP 'Authorization' header for passing in credentials.
Here is some code that uses Twisted to implement a xmlrpc auth mechanism, which could easily use HTTPS instead of HTTP.
This guy has written a HTTPS XML-RPC setup with authorization which you can download.
There are tons of resources, and ways of doing this which are easily googleable. This all depends on if you are using mod_wsgi for example, or writing a standalone server using Twisted.
Bottom line:
a) Use SSL for communication
b) Use the HTTP authorization mechanism
Related
I have django backend with JWT authentication and want to work on client side using aiohttp. I didn't found any ready-made implementations. All I found is aiohttp-jwt, which used on server side. For example, for requests there is requests-jwt, which is intended to use on client side. Should I write own workaround?
I am creating a REST API. Basic idea is to send data to a server and the server gives me some other corresponding data in return. I want to implement this with SSL. I need to have an encrypted connection between client and server. Which is the best REST framework in python to achieve this?
You can choose any framework to develop your API, if you want SSL on your API endpoints you need to setup SSL with the Web server that is hosting your application
You can obtain a free SSL cert using Let's encrypt. You will however need a domain in order to be able to get a valid SSL certificate.
SSL connection between client and server does not depend on the framework you choose. Web Servers like Apache HTTPD and Nginx act as the public facing reverse proxy to your python web application. Configuring SSL with your webserver will give you encrypted communication between client and server
On assumption that you are talking about communication between REST Apis and some other stack like flask(A different server).
Rest apis can be used to communicate data with any type of platform as long as they agree on a common protocol to share data.
Data can be shared using xml, yaml or json. Your rest apis can be on any stack you like.
Architecture will be something like:-
Your main site(microservice or monolithic) <=> REST Apis(microservices)
You can use djangorestframework or any other you prefer.
I have a python microservice which I would love to connect to AWS API Gateway. - The problem is that I have researched ways to make both secure, but not really came to a conclusion.
I came across a site saying I should use SSL Certifications to only enable requests from API Gateway.
Can someone enlighten me on what's the best practice for authentication between the client and API Gateway and the API itself?
There are a very large number of ways to authenticate between the client and API Gateway. There is no "best" way.
To authenticate between API gateway and the back-end servers, you would use SSL authentication as described here: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
There are couple of approaches to implement authentication in API gateway. Different approach serves different purposes and level of security you expects to achieve.
For most of the cases you can write your custom authorizer lambda for authentication. With help of JWT you can create a reasonably secure Authentication for your API. If you use IAM authentication API Gateway directly supports it. Only limitation is you need to use AWS SDK to invoke the API for convenience. Since API gateway uses SSL by default, data transfer is already encrypted.
If you have very specific security requirements then you can use SSL certificates. This is generally preferred when communicating between API's in Service Orchestration like scenarios in SOA.
You ask what the "best practice" is, and, since we are in Amazon's AWS ecosystem, that's surely to use AWS Cognito.
If you go this route, you will have vendor lockin for your authentication flow, but it works very well as they are built to play nicely together. Logins occur via calls to AWS Cognito endpoints: successful ones will receive session tokens which can then be used in future for any API Gateway calls.
To enable, just click into any API Gateway Method, click into Method Request, edit Authorization, and you will see your AWS Cognito User Pools you have created.
This takes a bit of configuration, but it works very well.
I need to implement a web service that will receive a callback.
In my web application I will need to implement something like this:
http://mywebsite.com/callback?key=[an_anti_phishing_key]&otherparam1=[something1]&otherparam2=[something2]
A detailed explanation. There will be a 3rd party service that will request this URL with this parameters. And this service need that I implement an "anti phishing key" so that they can communicate securely with mywebsite.com
My doubt here is how to implement this anti phishing key in a secure manner.
Any ideas of possible implementations?
If you do a GET request as a client to the server over HTTP, it is susceptible to a Man-in-the-middle attack. What you can do is to allow only POST requests over HTTPS. That would be more secure than the former.
I'm considering moving from Apache to Lighttpd for an internal web application, written with python. The problem is that I'm relying on libapache2-mod-auth-ntlm-winbind ... which doesn't actually seem to be a well support & updated package (though that could be because it really does work well).
I'm looking for suggestions and hints about what it would take to use django itself to handle the HTTP authentication. This would allow me to be web-server-agnostic, and could potentially be a grand learning experience.
Some topical concerns:
Is it reasonable to have the custom application perform true HTTP authentication?
How involved is getting my python code connected to windows domain controller to this kind of authentication without prompting the user for a password?
Does NTLM provide any access to user details & group memberships so that I can stop searching through yet another connection to the windows domain controller via LDAP?
I would love to be able to write a module to simplify this technique which could be shared with the community.
Partial answer:
You can (and should) pass the NTLM auth off to an external helper. Basically, install Samba on the machine, configure it, join the domain, enable winbind, then use the "ntlm_auth" helper binary, probably in "pipe" mode.
Authenticating an NTLM session requires a secure pipe to the domain controller, which needs credentials (e.g. a Samba/domain-member machine account). This is the quickest route to get there.
Squid (the webcache) has code for doing NTLM auth using the external helper; FreeRadius does something similar.
The NTLM auth itself does not provide any group info; if you're running winbind you could of course use calls to "wbinfo" to get user groups.