Hi everyone,
Having fun here working with services and amfphp in order to serve content to both flash and non-flash parts of an upcoming site. Glad to be part of the group to see if I can get help or add help!
I have a conceptual issue with authenticating against the service modules using the system.connect and user.login methods. Unfortunately many of the tutorials explicitly turn off authentication keys at the beginning, so there are not as many examples of this approach.
Assume I have installed all the necessary modules and enabled them. By default, none of the services are available for any roles. This means I cannot access the system.connect method or the user.login method as an anonymous user (or as an authenticated user even). If I am not logged in via the web UI, then, I can never log in. If I AM logged in via the web UI, then I can (theoretically) use the services. If I give anonymous users (and authenticated users) the ability to view services, then I never need to log in, and I have also exposed all services to all users.
Even if I get around this by making people authenticate before they use flash, and change permissions so that only authenticated users can access services, I am still exposing a lot of other services to users, which could theoretically get hacked by someone malicious.
Would I be mistaken in saying that the services module needs much more granular access permission sets? Or am I doing something wrong? I'm not sure right now.
Thanks for listening. I'd appreciate any advice or corrections.

Comments
OpenID
The OAuth module seems promising:
http://drupal.org/project/oauth
Not available for 5 though.
Just talking to myself
Sounds like quite a discussion has already occurred here about security and its purpose:
http://drupal.org/node/222268
Perhaps I am not setting things up correctly. I'd love to see or make a tutorial on this item, but I still can't seem to get things to work properly. The link in this discussion looks promising, but I can't access it:
http://groups.drupal.org/node/13825
And to close things off...
For cheap security differentiating read-only operations versus admin-type operations, configure your service access so that anonymous and authenticated users have access to services, but not to administer them (at admin/user/access). Then create a key for your services (at admin/build/services/keys/add) with no domain or name, and make sure to uncheck the box for "require session ids." This will change the method calls so that methods like node.load only require a node id to fetch, but methods like user.login require the api key and full hashing as described at http://drupal.org/node/308629 (although I never got that sample entirely working).
Thanks for the info, gonna
Thanks for the info, gonna try myself cuz I'm in the same boat. Hopefully someone can shed some light on this.