I have incorporated the Shindig container into our web application. I have enabled the secure mode of security token generation by setting the required parameters in Shindig's container.js. The following are the ones I modified:

"gadgets.securityTokenType" : "secure",
"gadgets.securityTokenKeyFile" : <path to the generated key file, /tmp/mytestkey.pem for example>

I generated an RSA private key and have given its path for the "gadgets.securityTokenKeyFile" parameter. The same private key is what I am using to generate the security token for my gadget in the client code. I read the spec, which says the private key used to generate the security token must be the same as the private key used on the container, as mentioned in container.js. Basically, the security token generated on the client side is validated on the container. For the validation to be successful, the private key used must be the same. There are other fundamentals of security token generation which I am not discussing here.

My concern is: what if I use a random private key to generate the security token on the client side? Should the validation pass and the gadget be rendered? I was expecting a big NO. But using a different private key for client-side security token generation did work amazingly fine.

So with this, should I infer that, knowing the gadget URL/ID, container name, viewer ID and owner ID, one can generate a security token using the client code with any RSA private key and have it passed to the iframe URL to render the gadget? Or is there anything I am missing, or have I misunderstood something here? Please clarify.

--
You received this message because you are subscribed to the Google Groups "iGoogle Developer Forum" group.

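An added example, not part of the original post and not Shindig's code: a key-bound token check of the kind the question expects, where a token minted under any key other than the container's is rejected. It uses a shared secret with HMAC-SHA256 as a stand-in rather than Shindig's own token format; the key values, the field names and `MAX_AGE` are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_AGE = 3600  # assumed token lifetime in seconds
# Constructed sample values, not taken from any real deployment.
CONTAINER_KEY = b"container-key-constructed-for-example"
OTHER_KEY = b"different-key-constructed-for-example"
FIELDS = {"gadget": "http://example.com/gadget.xml", "container": "default",
          "viewer": "viewer-1", "owner": "owner-1"}

class TokenError(Exception):
    """Token failed authentication or is outside its validity window."""

def mint_token(key, fields, now=None):
    """Serialize fields plus a timestamp and append an HMAC-SHA256 tag."""
    body = dict(fields, t=int(time.time() if now is None else now))
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def validate_token(key, token, now=None):
    """Return the fields only if the tag verifies under the container key."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError as exc:  # binascii.Error is a ValueError
        raise TokenError("malformed token") from exc
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Authenticate before parsing: unauthenticated bytes never reach json.
    if len(raw) <= 32 or not hmac.compare_digest(tag, expected):
        raise TokenError("tag does not verify under this key")
    body = json.loads(payload)
    age = (time.time() if now is None else now) - body["t"]
    if not 0 <= age <= MAX_AGE:
        raise TokenError("token outside validity window")
    return body

def is_accepted(key, token, now=None):
    """Boolean wrapper used for negative tests against the validator."""
    try:
        validate_token(key, token, now)
        return True
    except TokenError:
        return False

if __name__ == "__main__":
    print("same key:     ", is_accepted(CONTAINER_KEY, mint_token(CONTAINER_KEY, FIELDS)))
    print("different key:", is_accepted(CONTAINER_KEY, mint_token(OTHER_KEY, FIELDS)))
```

A validator that accepts the second token is not binding the token to its configured key, which is the condition worth ruling out first when a secure token type appears to have no effect.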