[
https://issues.apache.org/jira/browse/SHINDIG-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13219960#comment-13219960
]
Michael Ahern commented on SHINDIG-1716:
----------------------------------------
Given how sensitive the ST is, it would also be helpful to document some sort of
security review explanation as well. So often people ask, how does it compare
to SSO mechanism X? For example: X expires after a certain amount of time so
even if it is hijacked. This problem has been solved by the ST too, but when
questioned I find myself having to recreate the list of attacks / defences
implemented by the token rather than just point to the doc. I think this form
of "security review" information will be extremely important to help adopting
teams skip duplicated effort in becoming ST security experts as well as to
educate our respective security review groups.
> Add/Improve documentation around security tokens
> ------------------------------------------------
>
> Key: SHINDIG-1716
> URL: https://issues.apache.org/jira/browse/SHINDIG-1716
> Project: Shindig
> Issue Type: Improvement
> Components: Website
> Affects Versions: 2.5.0
> Reporter: Stanton Sievers
> Assignee: Stanton Sievers
> Labels: documentation, security
> Fix For: 2.5.0
>
> Original Estimate: 72h
> Remaining Estimate: 72h
>
> Currently there is little to no documentation on the structure and use of
> security tokens in Shindig. A lot of questions come through on the dev list
> about security tokens and the information they contain and we have no common
> set of resources to point people to. I'd like to create documentation to
> cover the following topics and add it to the wiki:
> - The role of security tokens, both container and gadget
> - What information should be in a security token
> - How and when that information is used
> - How to secure security tokens via encryption
> - How security tokens get refreshed, both container and gadget
> - Gotchas that could leave your app insecure (e.g. how tokens can be
> compromised and what the impact could be)
> If there's any other information that should be included, feel free to leave
> a suggestion.