Unfortunately I'm not so familiar with the config of java-shindig that I could tell you where exactly you could find it, but yes the workings are quite similar.
On Tue, Jan 27, 2009 at 5:59 AM, Harry Hübner <[email protected]> wrote:
> Hi Chris,
>
> thanks for your answer.
> I have searched the config entries. They are only available in the
> container.php file. I am working with the java version. Is there some
> similar mechanism?
>
> Thanks
> Harry
>
>
> On 21.01.2009 at 15:05, Chris Chabot wrote:
>
>> Hey Harry,
>>
>> The BasicSecurityToken class is actually production ready, the basic
>> implies that you could replace it with your own implementation if you
>> wanted to, but it's not required to do so to get a secure situation.
>>
>> That is, as long as you disable 'allow_plaintext_token' and set the
>> 'token_cipher_key' and 'token_hmac_key' to hard to guess random strings
>> (make sure to update these in both partuza's and shindig's configs).
>>
>> As long as the keys are hard to guess (random generated strings work
>> better there than dictionary words for instance), a 'hacker' would have a
>> very, very hard time guessing the correct cipher and hmac keys, especially
>> since a brute force method would have to check every possible key
>> combination against the social end point of the social site, which after
>> a few million requests with invalid security tokens is bound to get
>> noticed :) Also having to test every possible key over the internet
>> severely limits the amount of keys/second (s)he could test.
>>
>> About the potential impact, yeah *if* a token was guessable, a remote
>> party could access the social data on the social networking site
>> pretending to be a real user, either through a gadget, or more likely
>> through the REST interface; But again the chances of this happening are
>> very unlikely, as long as you disable the plain text token, and set proper
>> cipher and hmac keys.
>>
>> -- Chris
>>
>> On Wed, Jan 21, 2009 at 11:12 AM, <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have a question about security tokens.
>>> Using the class BasicSecurityToken to generate tokens is only thought to
>>> be used for testing purposes.
>>> Digging through the partuza code, I have seen the usage of this in
>>> Partuza too.
>>> I am wondering how a site can be vulnerable, if the generated token is
>>> not secure?
>>>
>>> My assumption:
>>> Any hacker makes a request to a container he wants to affect. For this he
>>> writes a gadget to read all the opensocial data via opensocial api calls.
>>> To get access to the gadget container he generates the same token the
>>> container site would create. So he is able to read all the opensocial
>>> data of the container.
>>>
>>> Is this right?
>>>
>>> Thanks
>>> Harry
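As an added illustration of the token handling Chris describes (example code, not Shindig's or Partuza's own): a simplified security-token layer that rejects the colon-separated plaintext form unless allow_plaintext_token is on, verifies the HMAC in constant time, and only then decrypts with the cipher key. The plaintext field layout and the HMAC-SHA256 counter-mode keystream standing in for the container's block cipher are assumptions of this example.

```python
import base64, hashlib, hmac, os
from urllib.parse import parse_qs, urlencode

# Constructed keys for this demo; a deployment sets token_cipher_key and
# token_hmac_key to long random strings, as the thread recommends.
CIPHER_KEY = os.urandom(32)
HMAC_KEY = os.urandom(32)

def _keystream(key, iv, n):
    # HMAC-SHA256 in counter mode as a stand-in for the container's block cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_token(fields, cipher_key=CIPHER_KEY, hmac_key=HMAC_KEY):
    """Encrypt the token fields, then MAC the ciphertext (encrypt-then-MAC)."""
    plain = urlencode(fields).encode()
    iv = os.urandom(16)
    body = iv + bytes(a ^ b for a, b in zip(plain, _keystream(cipher_key, iv, len(plain))))
    tag = hmac.new(hmac_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def parse_token(token, allow_plaintext=False, cipher_key=CIPHER_KEY, hmac_key=HMAC_KEY):
    """Return the token's fields, or None when the token must be rejected."""
    if ":" in token:
        # Assumed plaintext layout owner:viewer:app:domain:url:moduleId;
        # only honoured when allow_plaintext_token is on (testing only).
        if not allow_plaintext:
            return None
        parts = token.split(":", 4)
        if len(parts) != 5:
            return None
        url, _, module_id = parts[4].rpartition(":")
        return dict(zip(("owner", "viewer", "app", "domain"), parts[:4]), url=url, moduleId=module_id)
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    body, tag = raw[:-32], raw[-32:]
    # Check the MAC in constant time before touching the ciphertext.
    if not hmac.compare_digest(tag, hmac.new(hmac_key, body, hashlib.sha256).digest()):
        return None
    iv, ct = body[:16], body[16:]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(cipher_key, iv, len(ct))))
    return {k: v[0] for k, v in parse_qs(plain.decode()).items()}
```

A token produced under different cipher and HMAC keys, or one with a modified byte, fails the MAC check and is dropped before decryption; with plaintext tokens disabled, the only way to obtain a valid token is to hold both keys.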

