The example Java SSO code stores the keys used to sign responses in keys/ in the root of the web application. This means that they are accessible over the web to anyone. While fine for an example (the keys to which are widely distributed anyway) this would be less than ideal for a serious deployment, especially for the private key. While someone would need to know the names of the key files to retrieve them, there are some obvious things to try: DSAPrivateKey01.key, DSAPrivateKey02.key, RSAPrivateKey01.key, etc.
Would it be a better idea to modify the code to expect to find them in WEB-INF/keys/?

Jon.
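
A sketch of the change proposed above, added here as an example; it is not part of the original post or of the Google sample code. The class name `SigningKeyLoader` is hypothetical, and the key files are assumed to be PKCS#8 DER-encoded.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.servlet.ServletContext;

/** Hypothetical helper: loads a signing key from WEB-INF/keys/ instead of keys/. */
public final class SigningKeyLoader {
    // Servlet containers do not serve paths under WEB-INF/ to HTTP clients,
    // but the application can still read them through the ServletContext.
    private static final String KEY_DIR = "/WEB-INF/keys/";

    private SigningKeyLoader() {}

    /**
     * @param ctx       servlet context of the SSO web application
     * @param fileName  bare file name, e.g. "DSAPrivateKey01.key"
     * @param algorithm "DSA" or "RSA" (assumption: key stored as PKCS#8 DER)
     */
    public static PrivateKey load(ServletContext ctx, String fileName, String algorithm)
            throws IOException, GeneralSecurityException {
        // Accept only a bare file name so the lookup cannot leave KEY_DIR.
        if (!fileName.matches("[A-Za-z0-9_.-]+") || fileName.contains("..")) {
            throw new IllegalArgumentException("invalid key file name");
        }
        try (InputStream in = ctx.getResourceAsStream(KEY_DIR + fileName)) {
            if (in == null) {
                // Fail closed: never fall back to a web-accessible location.
                throw new IOException("key not found under " + KEY_DIR);
            }
            ByteArrayOutputStream der = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) {
                der.write(buf, 0, n);
            }
            return KeyFactory.getInstance(algorithm)
                    .generatePrivate(new PKCS8EncodedKeySpec(der.toByteArray()));
        }
    }
}
```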
