On Thu, May 13, 2010 at 1:23 PM, Paul Lindner <[email protected]> wrote:
> We could certainly move the validation of tokens into the Codec (I guess
> we'll then have to rename that class SecurityTokenCodecValidator as well...)
> I added the isExpired() method so that a request for an expired token could
> get downgraded to an anonymous level of access during the chain of
> AuthenticationHandlers. I'm open to other architectures.
> Long term I'd like to see all token management routines end up in an OAuth
> library, like the newly incubating Amber project.
> Also long term I'd like to introduce capability based security into security
> tokens. When you start having three or four cooperating parties (container,
> graph/data provider, viewer, owner, gadget vendor) you end up with a lot of
> confused deputies.
Yep. This is what we are doing in practice, and it's mostly opaque to Shindig.
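The design discussed above (token integrity checked inside the codec, an isExpired() check, and an authentication handler that downgrades an expired token to anonymous access rather than rejecting it) as an added, self-contained illustration. This is not Shindig's code and not code from the thread: the class and function names (SecurityToken, SecurityTokenCodec, authenticate), the HMAC-SHA256 token format, the "expires_at == 0 never expires" convention and the demo key are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo key for the example only; a deployment loads its key from configuration.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass(frozen=True)
class SecurityToken:
    """Minimal stand-in (hypothetical) for a container security token."""
    viewer_id: Optional[str]   # None means the anonymous viewer
    expires_at: int            # Unix seconds; 0 means "never expires" (example convention)

    def is_expired(self, now: Optional[int] = None) -> bool:
        """Same idea as the isExpired() method from the thread: true once the
        expiry instant has been reached."""
        if self.expires_at == 0:
            return False
        current = now if now is not None else int(time.time())
        return current >= self.expires_at

    @property
    def is_anonymous(self) -> bool:
        return self.viewer_id is None


ANONYMOUS = SecurityToken(viewer_id=None, expires_at=0)


class SecurityTokenCodec:
    """Encodes a token as base64url(payload).base64url(hmac) and validates it on decode,
    i.e. integrity validation lives in the codec, as the thread proposes."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def encode(self, token: SecurityToken) -> str:
        payload = json.dumps(
            {"v": token.viewer_id, "exp": token.expires_at}, sort_keys=True
        ).encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return (
            base64.urlsafe_b64encode(payload).decode()
            + "."
            + base64.urlsafe_b64encode(mac).decode()
        )

    def decode(self, encoded: str) -> SecurityToken:
        """Return the token if its MAC verifies; raise ValueError otherwise."""
        try:
            payload_b64, mac_b64 = encoded.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except (ValueError, binascii.Error) as exc:
            raise ValueError("malformed token") from exc
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            raise ValueError("bad token signature")
        data = json.loads(payload)
        return SecurityToken(viewer_id=data["v"], expires_at=int(data["exp"]))


def authenticate(codec: SecurityTokenCodec, encoded: Optional[str], now: int) -> SecurityToken:
    """One step of an authentication-handler chain (hypothetical structure):
    no token           -> anonymous
    forged / malformed -> rejected (ValueError propagates; never downgraded)
    expired            -> downgraded to anonymous, as described in the thread
    valid              -> the decoded token
    """
    if encoded is None:
        return ANONYMOUS
    token = codec.decode(encoded)   # integrity is checked before expiry is considered
    if token.is_expired(now):
        return ANONYMOUS
    return token
```

The order matters: a token whose MAC fails is rejected outright and is never downgraded, so the anonymous fallback only applies to tokens the container itself issued that have merely aged out.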
