[
https://issues.apache.org/jira/browse/SHINDIG-444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Brian Eaton updated SHINDIG-444:
--------------------------------
Attachment: authncache.patch
There's some careful use of JSON to generate cache keys in here.
I'll add OAuth caching once this patch is ACKed and committed.
> HttpCache is insecure for authenticated content
> -----------------------------------------------
>
> Key: SHINDIG-444
> URL: https://issues.apache.org/jira/browse/SHINDIG-444
> Project: Shindig
> Issue Type: Bug
> Reporter: Brian Eaton
> Attachments: authncache.patch
>
>
> Background:
> http://mail-archives.apache.org/mod_mbox/incubator-shindig-dev/200805.mbox/[EMAIL
> PROTECTED]
> Fixing this requires changing the HttpCache and AbstractHttpCache interfaces.
> I'd like to change them so that the keys are strings, and the values are
> HttpResponses.
> Users of the HttpCache interface will figure out cache keys by building up
> complex strings (maybe JSON?) describing the resource. For example, a signed
> fetch might look like this:
> { url: 'http://www.example.com', signed: true, owner: 'brian', viewer: null }
> An unsigned GET might look like this:
> { url: 'http://www.example.com' }
> Whatever string format is used would need to serialize consistently to avoid
> spurious cache misses. For example, something that randomly switches between
> { url: foo, data: bar } and { data: bar, url: foo } would be a problem.
--
This message is automatically generated by JIRA.
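
Added example, not part of the original message or of Shindig's code: a sketch of the string cache keys the issue describes, with sorted fields so that field order cannot cause spurious misses, and with owner/viewer in the key so one user's signed response is never served for another user's request. The class and helper names, the hand-rolled serializer and the owner value 'alice' are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;

public class CacheKeyDemo {
    // Serialize with keys in sorted order, so one description has exactly one string form.
    static String cacheKey(Map<String, Object> desc) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, Object> e : new TreeMap<String, Object>(desc).entrySet()) {
            if (sb.length() > 1) sb.append(',');
            Object v = e.getValue();
            sb.append(quote(e.getKey())).append(':')
              .append(v == null || v instanceof Boolean ? String.valueOf(v) : quote(v.toString()));
        }
        return sb.append('}').toString();
    }

    // Escape quotes, backslashes and control characters so a field value (an owner id, say)
    // cannot imitate another field and collide with a different request's key.
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Hypothetical helper: describes a signed fetch using the fields from the issue text.
    static Map<String, Object> signedFetch(String url, String owner, String viewer) {
        Map<String, Object> m = new LinkedHashMap<String, Object>();
        m.put("url", url); m.put("signed", true); m.put("owner", owner); m.put("viewer", viewer);
        return m;
    }

    public static void main(String[] args) {
        String url = "http://www.example.com";
        Map<String, String> cache = new HashMap<String, String>();
        cache.put(cacheKey(signedFetch(url, "brian", null)), "response fetched for brian");

        Map<String, Object> reordered = new LinkedHashMap<String, Object>(); // same fields, other order
        reordered.put("viewer", null); reordered.put("owner", "brian");
        reordered.put("signed", true); reordered.put("url", url);
        Map<String, Object> unsigned = new HashMap<String, Object>();       // unsigned GET, url only
        unsigned.put("url", url);

        System.out.println("key:             " + cacheKey(reordered));
        System.out.println("reordered hit:   " + cache.containsKey(cacheKey(reordered)));
        System.out.println("other owner hit: " + cache.containsKey(cacheKey(signedFetch(url, "alice", null))));
        System.out.println("unsigned hit:    " + cache.containsKey(cacheKey(unsigned)));
    }
}
```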