[ 
https://issues.apache.org/jira/browse/SHINDIG-1601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091859#comment-13091859
 ] 

Henry Saputra commented on SHINDIG-1601:
----------------------------------------

Small comment about the issue term.

When we talk about security, usually we refer to how access to resources is being 
managed, such as with encryption, hashing algorithms, or salting.

Looking at the description, this is more about admin and role for a gadget to get 
the list of RPC services available.
Maybe consider something like "access control" or "admin" feature?

> Feature Security
> ----------------
>
>                 Key: SHINDIG-1601
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1601
>             Project: Shindig
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Ryan Baxter
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> We want to allow administrators of containers to secure the features gadgets 
> are allowed to use.  We can do this by doing two things to the container.
> 1.)  When the gadget preloads a gadget and requests the iFrame URL for the 
> gadget (indicating the container wants to render the gadget) we check the 
> list of allowed features for that gadget in that container.  In theory the 
> administrator of the container would set up this list.  If the gadget wants to 
> use a feature that is not in the list approved by the administrator the 
> preload fails.
> 2.)  Secure what RPC service id a gadget can call.  A gadget should only be 
> able to call the RPC service ids from the features the administrator has 
> approved for that gadget in that container.  If the gadget tried to call an 
> RPC service id that is not in a feature the administrator has approved then 
> the RPC call will be "blocked".

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
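
The two checks described in the issue (failing the preload on an unapproved feature, and blocking RPC service ids that belong to no approved feature) can be sketched as a deny-by-default policy lookup. This is an added example, not Shindig code: every function name, the policy layout, and the feature-to-service-id mapping are assumptions constructed for illustration.

```javascript
// Added illustration; all names are hypothetical, not Shindig APIs.
// Constructed sample data: RPC service ids registered by each feature.
const FEATURE_SERVICES = new Map([
  ["dynamic-height", ["resize_iframe"]],
  ["settitle", ["set_title"]],
  ["pubsub", ["pubsub"]],
]);

// Constructed admin policy: container -> gadget URL -> approved features.
const ADMIN_POLICY = new Map([
  ["default", new Map([
    ["https://example.org/gadgets/news.xml", ["dynamic-height", "settitle"]],
  ])],
]);

// Unknown container or gadget yields an empty set (deny by default).
function approvedFeatures(container, gadgetUrl) {
  const gadgets = ADMIN_POLICY.get(container);
  return new Set((gadgets && gadgets.get(gadgetUrl)) || []);
}

// Check 1: the preload fails if any requested feature is not approved.
function checkPreload(container, gadgetUrl, requestedFeatures) {
  const approved = approvedFeatures(container, gadgetUrl);
  const denied = requestedFeatures.filter((f) => !approved.has(f));
  return { ok: denied.length === 0, denied };
}

// Check 2: a service id is callable only via an approved feature.
function isRpcAllowed(container, gadgetUrl, serviceId) {
  for (const feature of approvedFeatures(container, gadgetUrl)) {
    const services = FEATURE_SERVICES.get(feature) || [];
    if (services.includes(serviceId)) return true;
  }
  return false;
}

// Blocked calls never reach the handler; handlers is a Map of functions.
function dispatchRpc(container, gadgetUrl, serviceId, handlers, args) {
  if (!isRpcAllowed(container, gadgetUrl, serviceId)) {
    return { blocked: true, serviceId };
  }
  return { blocked: false, result: handlers.get(serviceId)(...args) };
}
```

The RPC check is derived from the same approved-feature list as the preload check, so a gadget rendered by some path that skipped the preload check still cannot call service ids outside its approved features.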

        
