HttpCache is insecure for authenticated content
-----------------------------------------------
Key: SHINDIG-444
URL: https://issues.apache.org/jira/browse/SHINDIG-444
Project: Shindig
Issue Type: Bug
Reporter: Brian Eaton
Background:
http://mail-archives.apache.org/mod_mbox/incubator-shindig-dev/200805.mbox/[EMAIL
PROTECTED]
Fixing this requires changing the HttpCache and AbstractHttpCache interfaces.
I'd like to change them so that the keys are strings, and the values are
HttpResponses.
Users of the HttpCache interface will figure out cache keys by building up
complex strings (maybe JSON?) describing the resource. For example, a signed
fetch might look like this:
{ url: 'http://www.example.com', signed: true, owner: 'brian', viewer: null }
An unsigned GET might look like this:
{ url: 'http://www.example.com' }
Whatever string format is used would need to serialize consistently to avoid
spurious cache misses. For example, something that randomly switches between
{ url: foo, data: bar } and { data: bar, url: foo } would be a problem.
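The string-key idea described in the issue, as an added Java example that is not Shindig code and not part of the original report: request attributes are serialized with their names in sorted order, so the key is stable and a signed fetch for one owner never shares a cache entry with another owner's fetch or with an unsigned GET. The class `CacheKeyDemo`, the helpers `cacheKey` and `quote`, and the owner `alice` are hypothetical names constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;

public class CacheKeyDemo {
    // Hypothetical helper: serialize the attributes with keys in sorted order,
    // so the same attributes always produce the same cache key string.
    static String cacheKey(Map<String, String> attrs) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : new TreeMap<String, String>(attrs).entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append(quote(e.getKey())).append(':');
            sb.append(e.getValue() == null ? "null" : quote(e.getValue()));
        }
        return sb.append('}').toString();
    }

    // Escape backslashes and quotes so a value cannot imitate another field.
    static String quote(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        // Signed fetch from the issue text: owner 'brian', no viewer.
        Map<String, String> signed = new LinkedHashMap<String, String>();
        signed.put("url", "http://www.example.com");
        signed.put("signed", "true");
        signed.put("owner", "brian");
        signed.put("viewer", null);

        // Same attributes inserted in a different order.
        Map<String, String> reordered = new LinkedHashMap<String, String>();
        reordered.put("viewer", null);
        reordered.put("owner", "brian");
        reordered.put("signed", "true");
        reordered.put("url", "http://www.example.com");

        // Constructed variants: another owner, and an unsigned GET of the same URL.
        Map<String, String> otherOwner = new LinkedHashMap<String, String>(signed);
        otherOwner.put("owner", "alice");
        Map<String, String> unsigned = new LinkedHashMap<String, String>();
        unsigned.put("url", "http://www.example.com");

        String key = cacheKey(signed);
        System.out.println(key);
        System.out.println("stable under reordering: " + key.equals(cacheKey(reordered)));
        System.out.println("shared with other owner: " + key.equals(cacheKey(otherOwner)));
        System.out.println("shared with unsigned GET: " + key.equals(cacheKey(unsigned)));
    }
}
```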