[
https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578655#action_12578655
]
Kevin Brown commented on SHINDIG-109:
-------------------------------------
Ok, now that this is in, I can comment on it a little more easily.

Since signed fetch and full OAuth should be implemented in the same way across
containers, I think it makes more sense to just have a single OAuth wrapper
that can handle both of these cases, with the GadgetToken being responsible for
managing inputs (and, as today, passed to the gadget server in the st param).
Either that or a separate RequestSigner and RequestAuthorizer. I'm not really
sure how full OAuth is supposed to be implemented with the current
RequestSigner interface.

We can then clearly separate input security (mix of Shindig custom and user
proprietary techniques) and output security (OAuth).

GadgetSigner becomes GadgetTokenFactory. Input is a String, the "st" parameter,
as today.

RequestSigner signs requests using OAuth. Inputs are the GadgetToken,
RemoteContentRequest, and an implementation of an OAuthSignatureMethod used to
sign the outgoing request (to allow for implementations with more robust key
management).

RequestAuthorizer authorizes requests using OAuth. Inputs are a bit more
complex here since we'd have to have an interface for accessing the per-user
data. I'm not that familiar with how full OAuth is supposed to work, so I might
be missing some things here.
> support signed fetch in Shindig
> -------------------------------
>
> Key: SHINDIG-109
> URL: https://issues.apache.org/jira/browse/SHINDIG-109
> Project: Shindig
> Issue Type: New Feature
> Components: Gadgets Server - Java
> Reporter: Brian Eaton
> Attachments: CreateSignedFetchRequestHandler.java, oauth.patch,
> signedfetch.patch
>
>
> We should add signed fetch support to Shindig. We have open source code to
> do the work, but it needs integration. I'll attach what we've got to this
> bug.