On Fri, Jan 16, 2009 at 02:25:31PM -0800, Jordan Zimmerman wrote:
> >> Does Shindig do appId validation for the various service APIs
> >> (AppDataService, etc.) or do I need to do it? I'm concerned about
> >> security and App A accessing/overwriting App B's data.
> >
> >You need to do it yourself. From shindig's point of view, appId is
> >just an opaque string.
>
> How are others handling this? I don't know how the appId is generated
> but it seems that there's nothing stopping App A from
> accessing/overwriting App B's data.

The appId is provided by the container in the security token for each gadget. Shindig takes the value from the token, so the gadget cannot spoof it. In the REST API there are places where a caller can supply an arbitrary appId. Nevertheless, an authenticated appId is provided in the token. It is a matter of your own site's policy whether or not to accept the caller-provided appId when it differs from the one in the token (your container could, for example, allow access to all the data that belong to gadgets by the same author, or that belong to a user-approved group of cooperating gadgets, or any number of other scenarios I have not thought of).
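
One way a container could enforce the policy described above, as an added example that is not part of the original message or of Shindig's own code. The class, method names and sample data are hypothetical, and treating a missing caller appId as "use the token's appId" is an assumption.

```java
import java.util.Map;
import java.util.Set;

public class AppIdPolicy {
    private final Map<String, String> authorByApp;              // appId -> author
    private final Map<String, Set<String>> approvedGroupByUser; // viewerId -> cooperating appIds

    public AppIdPolicy(Map<String, String> authorByApp,
                       Map<String, Set<String>> approvedGroupByUser) {
        this.authorByApp = authorByApp;
        this.approvedGroupByUser = approvedGroupByUser;
    }

    /**
     * tokenAppId: value taken from the verified security token (trusted).
     * requestedAppId: value supplied by the REST caller (untrusted, null if absent).
     * Returns the appId the data layer should use, or throws SecurityException.
     */
    public String resolveAppId(String viewerId, String tokenAppId, String requestedAppId) {
        if (tokenAppId == null || tokenAppId.isEmpty()) {
            throw new SecurityException("no authenticated appId in token");
        }
        if (requestedAppId == null || requestedAppId.equals(tokenAppId)) {
            return tokenAppId; // gadget is acting on its own data
        }
        String author = authorByApp.get(tokenAppId);
        if (author != null && author.equals(authorByApp.get(requestedAppId))) {
            return requestedAppId; // policy: both gadgets have the same author
        }
        Set<String> group = viewerId == null
                ? Set.of() : approvedGroupByUser.getOrDefault(viewerId, Set.of());
        if (group.contains(tokenAppId) && group.contains(requestedAppId)) {
            return requestedAppId; // policy: user approved both gadgets to cooperate
        }
        throw new SecurityException(
                "app " + tokenAppId + " may not use data of app " + requestedAppId);
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real container.
        AppIdPolicy policy = new AppIdPolicy(
                Map.of("appA", "alice", "appA2", "alice", "appB", "bob", "appC", "carol"),
                Map.of("viewer1", Set.of("appA", "appC")));
        System.out.println(policy.resolveAppId("viewer1", "appA", null));    // own data
        System.out.println(policy.resolveAppId("viewer1", "appA", "appA2")); // same author
        System.out.println(policy.resolveAppId("viewer1", "appA", "appC"));  // approved group
        policy.resolveAppId("viewer1", "appA", "appB"); // throws: App A asking for App B's data
    }
}
```

A service implementation would call such a check before every read or write and pass only the returned appId to its storage layer.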

