OK, I'm beginning to understand what OAuth is used for... and I think it's
not really what I need.
Let me re-explain:
I have a portal that can hold Shindig gadgets (not social, for
instance an RSS reader). The portal itself serves RSS feeds that are
protected resources.
When I want to present an RSS gadget that uses a reentrant RSS feed, how
can the Shindig proxy bind the portal credentials through a makeRequest call?
Let's see an example:
http://myportal/site/veryprivatedocs/globalEarnings.rss is a feed that
only I can see.
http://myportal/site/mydashboard is a collection of RSS feed gadgets,
and one of these gadgets points to the preceding feed.
In this case, the portal (the container) renders an iframe with the
RSS gadget, which calls the gadgets.io.makeRequest method, which binds to the
makeRequest servlet of Shindig.
But how can the Shindig servlet authenticate itself as the same user of
the portal (me)?
Thx for the explanations
On 2 Oct 08 at 11:59, Ian Boston wrote:
My understanding of CAS is that it's a WebISO-type
authentication system between browser and server; it uses browser
redirects to a central CAS server for authenticating the user and
then redirects back to the target application. I can't remember if
there is a server-to-server credential exchange or if all credential
exchange is via the browser (like WebAuth).
OAuth is a server-to-server authorization mechanism that allows a
User the ability to grant a server to talk to another server and
perform specific operations, e.g. MySpace can display your Flickr
album once you have told Flickr that it's OK, and transported the
OAuth token back from Flickr to MySpace so that the MySpace servers
can contact the Flickr web service directly.
So Shindig + CAS.
Shindig itself doesn't authenticate the User, as it's only a
reference implementation of the standard and not a full-blown Social
Network Application. To make Shindig embedded into an application
you would put a CAS filter (either at mod_cas, or as a Servlet
Filter) over the URLs that need protecting, probably just the
social-api URLs.
Then in your implementation of the Service Provider Interfaces you
would bind to the CAS credentials and use that to ensure that the
service requests from the social API are bound to the logged in user
attached to the request thread.
Does that make sense? If not, say so and I can point you to the code
that you need to implement.
Ian
On 2 Oct 2008, at 09:45, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:
Hello,
I'm developing a portal on top of an open source ECM solution. This
portal embeds Shindig to serve OpenSocial gadgets.
The portal is CAS compliant. Our problem is that when a gadget (for
instance an RSS reader) wants to access an RSS feed on this portal,
Shindig doesn't have the credentials to make the proxied request.
I'm trying to explore the authentication mechanism of Shindig, but if
someone has any advice for me (where to begin? OAuth explanation,
etc.) it would be great!
--
Damien METZLER
--
Damien METZLER
SIF - Leroy Merlin France - Tel : 03 28 80 89 03