The SecurityToken class has a getAppUrl() method. HttpGadgetContext should use it
---------------------------------------------------------------------------------
Key: SHINDIG-883
URL: https://issues.apache.org/jira/browse/SHINDIG-883
Project: Shindig
Issue Type: Improvement
Components: Gadget Rendering Server (Java)
Affects Versions: trunk
Reporter: Jordan Zimmerman
Fix For: trunk

Currently, HttpGadgetContext requires a parameter in the URL named "url" to
load the OS app. Seeing as SecurityToken has a getAppUrl() method,
HttpGadgetContext should first check that. This would be far more secure. With
this, I would be able to load the OS app based totally on a proprietary ID
model. This would eliminate exposing implementation details to would-be hackers.

I suggest HttpGadgetContext.getUrl() be changed to something like this:

    public URI getUrl() {
        if ( getToken().getAppUrl() != null ) {
            return getToken().getAppUrl();
        }
        if (url == null) {
            return super.getUrl();
        }
        return url;
    }
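
The token-first lookup order proposed above, as an added, self-contained example (not code from Shindig or from the reporter). AppToken, resolveUrl and the example.org URLs are hypothetical stand-ins; it assumes getAppUrl() returns a String and that the token may be absent.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class TokenFirstUrlDemo {
    // Hypothetical stand-in for the one SecurityToken method used here
    // (assumption: it returns the app URL as a String, or null).
    interface AppToken { String getAppUrl(); }

    // Resolution order: app URL bound to the token, then the client-supplied
    // "url" request parameter, then the default.
    static URI resolveUrl(AppToken token, String urlParam, URI defaultUrl) {
        String fromToken = (token == null) ? null : token.getAppUrl();
        if (fromToken != null && !fromToken.isEmpty()) {
            try {
                return new URI(fromToken);
            } catch (URISyntaxException e) {
                // Design choice in this sketch: a token with an unparsable URL is
                // a server-side fault, so fail instead of trusting client input.
                throw new IllegalStateException("token app URL is not a valid URI", e);
            }
        }
        if (urlParam == null) {
            return defaultUrl;
        }
        try {
            return new URI(urlParam);
        } catch (URISyntaxException e) {
            return defaultUrl; // malformed client input is ignored
        }
    }

    public static void main(String[] args) {
        URI dflt = URI.create("http://example.org/default.xml"); // constructed sample
        AppToken withApp = () -> "http://example.org/apps/42.xml";
        AppToken withoutApp = () -> null;

        // Token carries an app URL: the request parameter is never consulted.
        System.out.println(resolveUrl(withApp, "http://other.example/x.xml", dflt));
        // Token has no app URL: the request parameter is used.
        System.out.println(resolveUrl(withoutApp, "http://other.example/x.xml", dflt));
        // No token, no parameter: the default is used.
        System.out.println(resolveUrl(null, null, dflt));
        // No token, malformed parameter: the default is used.
        System.out.println(resolveUrl(null, "http://bad host/", dflt));
    }
}
```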