[ https://issues.apache.org/jira/browse/SHINDIG-1601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Baxter updated SHINDIG-1601:
---------------------------------

    Description: 
We want to add some administration features to Shindig.  This patch 
adds/changes 3 things in Shindig.

1.  Remove the existing blacklist functionality in Shindig which currently is 
enabled by pointing Shindig to a text file with a list of gadgets to blacklist. 
 The new functionality uses a whitelist instead of a blacklist and is indexed 
on a per container basis.  Meaning an admin could whitelist some gadgets in one 
container but not another.  This functionality is enabled through a Guice 
module allowing implementors to use something else besides a text file.

2.  Add the ability for administrators to specify which features are allowed 
and denied for a specific gadget in a specific container.  This information is 
checked in two places, when the metadata request is made and when the gadget is 
rendered.

3.  Add the ability for containers to secure RPC requests made by gadgets.  The 
RPC code now has the ability to arbitrate all RPC calls made.  Containers can 
specify their own arbitrator.  The common container has its own default 
arbitrator available.

  was:
We want to allow administrators of containers to secure the features gadgets 
are allowed to use.  We can do this by doing two things to the container.

1.)  When the gadget preloads a gadget and requests the iFrame URL for the 
gadget (indicating the container wants to render the gadget) we check the list 
of allowed features for that gadget in that container.  In theory the 
administrator of the container would set up this list.  If the gadget wants to 
use a feature that is not in the list approved by the administrator the preload 
fails.

2.)  Secure what RPC service id a gadget can call.  A gadget should only be 
able to call the RPC service ids from the features the administrator has 
approved for that gadget in that container.  If the gadget tried to call an 
RPC service id that is not in a feature the administrator has approved then the 
RPC call will be "blocked".


> Enhance Gadget Administration
> -----------------------------
>
>                 Key: SHINDIG-1601
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1601
>             Project: Shindig
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Ryan Baxter
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> We want to add some administration features to Shindig.  This patch 
> adds/changes 3 things in Shindig.
> 1.  Remove the existing blacklist functionality in Shindig which currently is 
> enabled by pointing Shindig to a text file with a list of gadgets to 
> blacklist.  The new functionality uses a whitelist instead of a blacklist and 
> is indexed on a per container basis.  Meaning an admin could whitelist some 
> gadgets in one container but not another.  This functionality is enabled 
> through a Guice module allowing implementors to use something else besides a 
> text file.
> 2.  Add the ability for administrators to specify which features are allowed 
> and denied for a specific gadget in a specific container.  This information 
> is checked in two places, when the metadata request is made and when the 
> gadget is rendered.
> 3.  Add the ability for containers to secure RPC requests made by gadgets.  
> The RPC code now has the ability to arbitrate all RPC calls made.  Containers 
> can specify their own arbitrator.  The common container has its own default 
> arbitrator available.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
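
A minimal model of the three checks described in the issue, added here as an illustration; it is not Shindig code and not part of the patch. All function names, container names, gadget URLs, feature names and RPC service ids are constructed for the example, and the rule tying service ids to approved features follows the earlier ("was:") description text.

```javascript
// Added illustration, not Shindig code. Every name and value is constructed.
// Whitelist indexed per container: container -> gadget URL -> allowed features.
const WHITELIST = new Map([
  ['default', new Map([
    ['http://gadgets.example/todo.xml', ['core', 'resize']],
  ])],
  ['intranet', new Map([
    ['http://gadgets.example/todo.xml', ['core', 'resize', 'notify']],
    ['http://gadgets.example/wiki.xml', ['core']],
  ])],
]);

// Constructed map of each feature to the RPC service ids it registers.
const FEATURE_SERVICES = new Map([
  ['resize', ['resize_frame']],
  ['notify', ['show_notice']],
]);

// Returns the allowed feature set, or null when the gadget is not
// whitelisted in this container (default deny, unlike a blacklist).
function allowedFeatures(container, gadgetUrl) {
  const gadgets = WHITELIST.get(container);
  const features = gadgets && gadgets.get(gadgetUrl);
  return features ? new Set(features) : null;
}

// The same check runs at both enforcement points named in the issue:
// the metadata request and gadget rendering.
function checkGadget(container, gadgetUrl, requestedFeatures) {
  const allowed = allowedFeatures(container, gadgetUrl);
  if (allowed === null) return { ok: false, denied: [], whitelisted: false };
  const denied = requestedFeatures.filter((f) => !allowed.has(f));
  return { ok: denied.length === 0, denied, whitelisted: true };
}

// Arbitrator consulted for every RPC call: a service id passes only if an
// approved feature of the calling gadget registers it.
function arbitrateRpc(container, gadgetUrl, serviceId) {
  const allowed = allowedFeatures(container, gadgetUrl);
  if (allowed === null) return false;
  return [...allowed].some(
    (f) => (FEATURE_SERVICES.get(f) || []).includes(serviceId));
}
```

The same gadget gets different answers in the two containers, and an unknown container or gadget is refused at every check.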

        
