Doug you probably want to murder us by this point....sorry about that :) 
+1 for you verifying all this stuff.

We are working on a fix now, and I have reverted the change.  We should 
have an updated patch soon.


-Ryan




From:   daviesd <davi...@oclc.org>
To:     <dev@shindig.apache.org>, 
Date:   06/14/2012 01:05 PM
Subject:        Re: Pass token on listMethods to enable allowUnauthenticated=false (issue 6306074)



Ya, I tried this with shindig trunk (and not my stuff).  If you set

shindig.allowUnauthenticated=false

In shindig.properties and

"gadgets.securityTokenType" : "secure",
"gadgets.securityTokenKey" : "NotGonnaShowYouMyKey=",

In container.js

It blows up.  I think this change needs to be reworked.  You cannot encrypt
an Anonymous token.  You probably were just setting allowUnauthenticated but
never really telling your container to use encrypted tokens.

The way I solved this was in AnonymousAuthenticationHandler.

    public SecurityToken getSecurityTokenFromRequest(final HttpServletRequest request) {

        String uri = request.getRequestURI();
        String method = request.getParameter("method");

        if (allowUnauthenticated
                || (uri.endsWith("/rpc") && method != null && method.equals("system.listMethods"))) {
            return new AnonymousSecurityToken();
        }

        return null;
    }

Thanks,
doug


On 6/14/12 12:29 PM, "daviesd" <davi...@oclc.org> wrote:

> I'm a little bit confused on this.  I'm trying it and I'm getting an exception
> (it could be because I provide my own BlobCrypterSecurityTokenCodec and maybe
> I have some work to do here).
> 
> When DefaultServiceFetcher creates an AnonymousSecurityToken and then calls
> encodeToken, won't that throw an exception because encodeToken doesn't support
> AnonymousSecurityTokens?
> 
> doug
> 
> 
> On 6/13/12 1:50 PM, "btlil...@gmail.com" <btlil...@gmail.com> wrote:
> 
>> Updated patch to use Anonymous Security Token
>> 
>> http://codereview.appspot.com/6306074/
>> 


