<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Avoiding Administrator virtual user account in Nuxeo Forum</title>
    <link>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325025#M12026</link>
    <description>&lt;P&gt;Currently we use this Administrator account for REST calls, and the username/password is in configuration files for REST calls. For security purposes we would like to avoid having the password in config files. Are there any better ways for REST calls to be authenticated? We prefer using the Administrator username for REST calls but would like to avoid the password being hard-coded for REST calls. Let us know your suggestions.&lt;/P&gt;</description>
    <pubDate>Wed, 12 Sep 2012 21:03:21 GMT</pubDate>
    <dc:creator>smalis_</dc:creator>
    <dc:date>2012-09-12T21:03:21Z</dc:date>
    <item>
      <title>Avoiding Administrator virtual user account</title>
      <link>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325025#M12026</link>
      <description>&lt;P&gt;Currently we use this Administrator account for REST calls, and the username/password is in configuration files for REST calls. For security purposes we would like to avoid having the password in config files. Are there any better ways for REST calls to be authenticated? We prefer using the Administrator username for REST calls but would like to avoid the password being hard-coded for REST calls. Let us know your suggestions.&lt;/P&gt;</description>
      <pubDate>Wed, 12 Sep 2012 21:03:21 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325025#M12026</guid>
      <dc:creator>smalis_</dc:creator>
      <dc:date>2012-09-12T21:03:21Z</dc:date>
    </item>
    <item>
      <title>Re: Avoiding Administrator virtual user account</title>
      <link>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325026#M12027</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;Nuxeo supports several authentication solutions.
Choosing the right one depends on what you want to do.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Client side certificate&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;You can use a client-side certificate, use an Apache reverse proxy to do the certificate validation, and use the Nuxeo mod_sso plugin on the Nuxeo side to handle the login.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups" target="test_blank"&gt;http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Server 2 server authentication&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;You can use the portal_sso authentication plugin, which allows you to define a secret key between the 2 servers.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups" target="test_blank"&gt;http://doc.nuxeo.com/display/ADMINDOC56/Authentication%2C+users+and+groups&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;NB: support is already included in the Java AutomationClient.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Use OAuth 1.0&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Nuxeo can be an OAuth service provider, so if your client app can use OAuth, this may be an option.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://doc.nuxeo.com/display/ADMINDOC56/Using+OAuth" target="test_blank"&gt;http://doc.nuxeo.com/display/ADMINDOC56/Using+OAuth&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Tiry&lt;/P&gt;</description>
      <pubDate>Thu, 13 Sep 2012 09:22:29 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325026#M12027</guid>
      <dc:creator>Thierry_Delprat</dc:creator>
      <dc:date>2012-09-13T09:22:29Z</dc:date>
    </item>
    <item>
      <title>Re: Avoiding Administrator virtual user account</title>
      <link>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325027#M12028</link>
      <description>&lt;P&gt;So can we use the portal_sso authentication even though there is no SSO server at this time, just for the purpose of an application making REST calls using HttpAutomationClient? Do we still need the virtual user Administrator here, or does it use a different user account? If the Administrator virtual user is still used with portal_sso, can we remove the password from the config file where the Administrator virtual user is created? Also, if we use portal_sso auth with a shared key, do we still store the shared key in a config file? Does it mean someone can log in to the Admin console using the shared key from the config file? Is it encrypted? Please give us details to address the security concern here.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Sep 2012 14:53:33 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/nuxeo-forum/avoiding-administrator-virtual-user-account/m-p/325027#M12028</guid>
      <dc:creator>smalis_</dc:creator>
      <dc:date>2012-09-13T14:53:33Z</dc:date>
    </item>
  </channel>
</rss>

