The domain does not matter here. Look, my server has an SSO project that
handles all projects in the server, pretty normal stuff here. When I call
any URL for the first time, my server sees that I'm not authenticated, so
it executes the login action; after that all browser requests go with a cookie
(SSO cookie), which is also pretty normal. If I try to access my XML spec
over a secured URL using the browser I can see the file, because the browser
is authenticated and sends the cookie. Everything is fine here.

When I ask Shindig to render a gadget for me, it does a request; at this
moment it's not a user request (browser request). Shindig does another
request, and does not pass the original user request object (servletRequest),
so my server does not allow Shindig to access the resource (XML).

So I'm trying to figure out a way to do that, but from what I see, I have to
rewrite the whole "call chain" of the request, from the Servlet to the HttpFetcher,
to allow passing the original request through.

Why does Shindig assume that every server is public?

Imagine that iGoogle did not let you see and get the gadget specs unless
you're logged in with your account and pass some cookie to it; how would you
do that?


Thanks.

On Fri, Jan 14, 2011 at 9:20 PM, Henry Saputra <[email protected]> wrote:

> Hmmm, are you saying that Shindig is put in a different domain/URL, so
> the request coming from the client will go to a different URL without the cookie?
>
> - Henry
>
> On Wed, Jan 5, 2011 at 10:09 AM, Xandeco, Maxwell
> <[email protected]> wrote:
> >
> > Hi guys,
> >
> > We have to use an SSO secured server, which means all apps in the container
> will be covered by the SSO system, even the gadget spec XML.
> >
> > My server uses a user cookie sent by the browser to authorize the access;
> it's a simple SSO system. The add/render gadget flow is basically:
> >
> > Browser --> RpcServlet --> JSONRpcHandler --> Processor -->
> GadgetSpecFactory --> RequestPipeline --> HttpFetcher
> >
> > Shindig does a new request, without any association with the original client
> request (which has all the cookies necessary to pass the security handlers);
> it's just like trying to access a URL without login, so I get a 401 error. It's
> pretty easy to replace implementations in Shindig using google-guice, but
> the only way I see here is rewriting all the classes involved in the process,
> because after JSONRpcHandler the original request is not passed through.
> >
> > How do you guys normally handle that? Do you always put specs in public URLs?
> >
> > Cheers.
> >
>
>
>
> --
> Thanks,
> Henry
>
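The call chain and the 401 described in this thread, modelled as an added Python example (it is not Shindig code; Shindig's RpcServlet, RequestPipeline and HttpFetcher are Java classes, and the request/response types, host names and cookie value below are constructed stand-ins): a plain fetcher that carries nothing from the browser request, beside a decorator that forwards the user's SSO cookie only to hosts inside the SSO realm, so a spec URL pointing at an outside host never receives the user's session.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed values: the SSO cookie a logged-in browser carries, and the hosts
# that belong to the SSO-protected container and may therefore receive it.
USER_SSO_COOKIE = "sso=valid-session"
TRUSTED_SPEC_HOSTS = {"apps.example.internal"}

@dataclass
class HttpRequest:
    uri: str
    headers: dict = field(default_factory=dict)

@dataclass
class HttpResponse:
    status: int
    body: str = ""

def fake_network(req: HttpRequest) -> HttpResponse:
    """Stand-in for the wire: the SSO-protected container vs. an arbitrary outside host."""
    host = urlparse(req.uri).hostname
    if host in TRUSTED_SPEC_HOSTS:
        # The SSO handler: no valid cookie, no spec (the 401 from the thread).
        if req.headers.get("Cookie") != USER_SSO_COOKIE:
            return HttpResponse(401)
        return HttpResponse(200, "<Module><ModulePrefs title='demo'/></Module>")
    # Any other host just reports whether a cookie reached it.
    return HttpResponse(200, "cookie-received" if "Cookie" in req.headers else "no-cookie")

class PlainFetcher:
    """Models the default server-side fetch: nothing from the browser request is carried."""
    def fetch(self, req: HttpRequest) -> HttpResponse:
        return fake_network(req)

class CookieForwardingFetcher:
    """Decorator that adds the caller's SSO cookie, but only for hosts inside the SSO
    realm, so the user's session is not leaked to whatever URL a gadget spec points at."""
    def __init__(self, inner, user_cookie: Optional[str]):
        self.inner, self.user_cookie = inner, user_cookie
    def fetch(self, req: HttpRequest) -> HttpResponse:
        if self.user_cookie and urlparse(req.uri).hostname in TRUSTED_SPEC_HOSTS:
            req.headers["Cookie"] = self.user_cookie
        return self.inner.fetch(req)

def fetch_spec(spec_url: str, user_cookie: Optional[str] = None, forward: bool = False) -> HttpResponse:
    """The tail of the RpcServlet -> ... -> HttpFetcher chain, with or without cookie propagation."""
    fetcher = PlainFetcher()
    if forward:
        fetcher = CookieForwardingFetcher(fetcher, user_cookie)
    return fetcher.fetch(HttpRequest(spec_url))
```

`fetch_spec("https://apps.example.internal/gadget.xml")` reproduces the 401 from the thread, the same call with `USER_SSO_COOKIE` and `forward=True` returns the spec, and a forwarded fetch to a host outside `TRUSTED_SPEC_HOSTS` arrives with no cookie at all.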
