Securing Apigee BaaS


I've recently been looking at using Apigee's BaaS, as an alternative to something like Parse, for a mobile application. Now Parse obviously allows you to create ACLs etc. to define who can read/write to particular objects. I know BaaS has the concept of roles, but there are a few issues I'm struggling with. I understand the concept of using access tokens to do this via Edge. I'm just not sure how I actually set the roles/ACL on each object and any relations.

1) I know I can use Edge to create API endpoints and then use these proxies to hit my BaaS, and I can secure these proxies with access tokens, but how can I protect against someone just finding out my BaaS URL and calling /users, for example, to expose the user collection and everyone's email?

2) I did notice in the docs that when you set permissions you can use the special ${user} placeholder to represent only allowing access to the current user. However, when I try to add PUT permission on /users/${user} via the web interface it complains about invalid characters. Can you only set this via an API call? How would you go about securing resources to specific users? So if every user had a 'todo list', how could I ensure users can only access their own items? Would I need to set up relations? How would you go about this?

**Edit:** I've managed to get most of this working by creating a proxy on Edge to my BaaS endpoint. When a user is created, the proxy then makes a service callout during the response, using the newly returned uuid and an organization access_token to update the permissions so that the newly created user can edit themselves. However, this still seems like a rather convoluted process to me and I feel like it should be easier. My main concern is that if users are taking these actions on a mobile device then, according to the docs, I should only use a user's access token. However, a user access token won't let me update permissions for a user! I feel like I'm stuck in a bit of a catch-22 situation. To make my app more secure I need to use credentials that will make it overall less secure!



One thing to consider is using the Apigee a127 product. You could put all of the logic that requires more extensive credentials into a Node.js app running anywhere - even hosted within Apigee. This would allow you to do any housekeeping you need to do on the server instead of on the device. You can read more about Apigee a127 at http://apigee.com/docs/api-services/content/apigee-127
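A simplified model of how a `${user}` grant like the one asked about restricts each user to their own records, added here as an illustration (example code, not Apigee's or Usergrid's own authorization engine). The wildcard rules (`*` for one path segment, `**` for any number) and the `/users/${user}/todos` path are assumptions for the sake of the example; the server-side housekeeping step from the question would write such grants with the organization token, which never reaches the device.

```javascript
// Simplified model of "verbs:path" permission strings such as
// "get,put:/users/${user}". Added example; not the platform's own engine.

// Replace the ${user} placeholder with the calling user's uuid or username,
// so a single grant yields a different concrete path for every user.
function expandPermission(perm, userId) {
  return perm.replace(/\$\{user\}/g, userId);
}

// Parse one grant into a verb set and a path regex. Assumed wildcard rules:
// "*" matches exactly one path segment, "**" matches any remainder.
function parsePermission(perm, userId) {
  const sep = perm.indexOf(':');
  if (sep < 0) throw new Error(`malformed permission: ${perm}`);
  const verbs = new Set(
    perm.slice(0, sep).toLowerCase().split(',').map((v) => v.trim())
  );
  const path = expandPermission(perm.slice(sep + 1).trim(), userId);
  const pattern = path
    .split('/')
    .map((seg) => {
      if (seg === '**') return '.*';
      if (seg === '*') return '[^/]+';
      return seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal segment
    })
    .join('/');
  return { verbs, regex: new RegExp(`^${pattern}$`) };
}

// Allow a request only if some grant, expanded for this user, covers both
// the HTTP verb and the full request path. No grant, no access.
function isAllowed(grants, userId, method, path) {
  const verb = method.toLowerCase();
  const cleanPath = path.replace(/\/+$/, '') || '/';
  return grants
    .map((g) => parsePermission(g, userId))
    .some((p) => p.verbs.has(verb) && p.regex.test(cleanPath));
}

// Constructed grants for a per-user role: a user may read and update their
// own profile and manage their own todo items, but nothing under /users
// itself, so the collection (and everyone's email) stays out of reach.
const PER_USER_GRANTS = [
  'get,put:/users/${user}',
  'get,post,put,delete:/users/${user}/todos/**',
];
```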
