[ https://issues.apache.org/jira/browse/SHINDIG-1876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik BI updated SHINDIG-1876:
-----------------------------

    Description: 
Currently, the concat endpoint of Shindig doesn't require a security token in the 
request, which makes it vulnerable to potential attack. So:
1. The EH issue around closing down this endpoint led to an initial impl that 
has the ConcatUriManager add the ST to the URL of the concat request. 
2. Appending the current gadget ST will reduce cacheability to per-user during the 
lifetime of the ST (i.e. pretty bad). So a new type of ST needs to be 
introduced.

  was:
Currently, the concat endpoint of Shindig doesn't require a security token in the 
request, which makes it vulnerable to potential attack. So:
1. The EH issue around closing down this endpoint led to an initial impl that 
has the rewriter add the ST to the URL the browser will activate to load the 
content. 
2. Appending the current gadget ST will reduce cacheability to per-user during the 
lifetime of the ST (i.e. pretty bad). So a new type of ST needs to be 
introduced. 

    
> Add security token to Concat servlet request without compromise its 
> cacheability
> --------------------------------------------------------------------------------
>
>                 Key: SHINDIG-1876
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1876
>             Project: Shindig
>          Issue Type: Bug
>            Reporter: Erik BI
>
> Currently, the concat endpoint of Shindig doesn't require a security token in 
> the request, which makes it vulnerable to potential attack. So:
> 1. The EH issue around closing down this endpoint led to an initial impl that 
> has the ConcatUriManager add the ST to the URL of the concat request. 
> 2. Appending the current gadget ST will reduce cacheability to per-user during the 
> lifetime of the ST (i.e. pretty bad). So a new type of ST needs to be 
> introduced.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
