Ok, wow... great response x3... next question. On Mon, 2008-04-14 at 14:47 -0700, Brian Eaton wrote:
> You can't trust javascript to specify the app id, it has to come from > the gadget server (and be signed with the gadget server's private key) > in order to be trusted. In this statement... is "gadget server" really "gadget container" as I would imagine that the gadget "server" might be some remote site providing the "application's" blob... where the "gadget container" is the one providing the runtime environment. I'd imagine that the "container" is the one responsible for providing the signed token... not the gadget "server"? Can we have a sample of a signed token render, even if it's not fully implemented in code... even just in a README??? Or is this still premature? Raymond Augé Software Engineer Liferay, Inc. Enterprise. Open Source. For Life.
