[ https://issues.apache.org/jira/browse/SHINDIG-883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666266#action_12666266 ]

Jordan Zimmerman commented on SHINDIG-883:
------------------------------------------

Another option is to make HttpGadgetContext an interface and allow it to be 
injected.

> The SecurityToken class has a getAppUrl() method. HttpGadgetContext should 
> use it
> ---------------------------------------------------------------------------------
>
>                 Key: SHINDIG-883
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-883
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Gadget Rendering Server (Java)
>    Affects Versions: trunk
>            Reporter: Jordan Zimmerman
>             Fix For: trunk
>
>
> Currently, HttpGadgetContext requires a parameter in the url named "url" to 
> load the OS app. Seeing as SecurityToken has a getAppUrl() method, 
> HttpGadgetContext should first check that. This would be far more secure. 
> With this, I would be able to load the OS app based totally on a proprietary 
> ID model. This would eliminate exposing implementation details to would-be 
> hackers.
> I suggest HttpGadgetContext.getUrl() be changed to something like this:
>   public URI getUrl() {
>     // Prefer the app URL carried in the (signed) security token, if present;
>     // getToken() may be null when the request carries no token.
>     SecurityToken token = getToken();
>     if (token != null && token.getAppUrl() != null) {
>       // SecurityToken.getAppUrl() returns a String; convert it to the URI this method returns
>       return URI.create(token.getAppUrl());
>     }
>     // Otherwise fall back to the "url" request parameter, then to the default
>     if (url == null) {
>       return super.getUrl();
>     }
>     return url;
>   }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.