[ https://issues.apache.org/jira/browse/SHINDIG-883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666282#action_12666282 ]

Kevin Brown commented on SHINDIG-883:
-------------------------------------

HttpGadgetContext is an implementation of an interface designed to be adapted 
for containers choosing to use the gadget rendering servlet. You can always use 
Renderer in your own servlet with your own context. There's no requirement to 
use the default GadgetRenderingServlet.

> The SecurityToken class has a getAppUrl() method. HttpGadgetContext should 
> use it
> ---------------------------------------------------------------------------------
>
>                 Key: SHINDIG-883
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-883
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Gadget Rendering Server (Java)
>    Affects Versions: trunk
>            Reporter: Jordan Zimmerman
>             Fix For: trunk
>
>
> Currently, HttpGadgetContext requires a parameter in the url named "url" to 
> load the OS app. Seeing as SecurityToken has a getAppUrl() method, 
> HttpGadgetContext should first check that. This would be far more secure. 
> With this, I would be able to load the OS app based totally on a proprietary 
> ID model. This would eliminate exposing implementation details to would-be 
> hackers.
> I suggest HttpGadgetContext .getUrl() be changed to something like this:
>   public URI getUrl() {
>     if ( getToken().getAppUrl() != null ) {
>         return getToken().getAppUrl();
>     }
>     if (url == null) {
>       return super.getUrl();
>     }
>     return url;
>   }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
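A context of the kind discussed above, which binds the gadget URL to the security token and only falls back to the request's "url" parameter when the token carries none, written as an added example rather than Shindig's own code: the `AppToken` interface is a hypothetical stand-in for the `getAppUrl()` method of `SecurityToken`, and logging a disagreement between the two sources is my assumption about what a container would want to see.

```java
import java.net.URI;
import java.util.logging.Logger;

// Hypothetical stand-in for the one SecurityToken method this example needs.
interface AppToken {
    String getAppUrl();   // null when the container's token does not carry an app URL
}

public class TokenBoundGadgetContext {
    private static final Logger LOG = Logger.getLogger(TokenBoundGadgetContext.class.getName());
    private final AppToken token;
    private final String urlParam;   // raw value of the request's "url" parameter, may be null

    public TokenBoundGadgetContext(AppToken token, String urlParam) {
        this.token = token;
        this.urlParam = urlParam;
    }

    public URI getUrl() {
        String fromToken = token == null ? null : token.getAppUrl();
        if (fromToken != null) {
            URI bound = parseAbsolute(fromToken);
            // A "url" parameter that disagrees with the token is worth recording; the token wins.
            if (urlParam != null && !bound.equals(parseAbsolute(urlParam))) {
                LOG.warning("url parameter disagrees with token app URL; ignoring the parameter");
            }
            return bound;
        }
        if (urlParam == null) {
            throw new IllegalArgumentException("no gadget URL: token has none and no url parameter");
        }
        return parseAbsolute(urlParam);
    }

    // Accept only absolute http(s) URLs as gadget locations, whichever source they come from.
    private static URI parseAbsolute(String s) {
        URI u = URI.create(s);
        String scheme = u.getScheme();
        if (!u.isAbsolute() || !("http".equals(scheme) || "https".equals(scheme))) {
            throw new IllegalArgumentException("gadget URL must be absolute http(s): " + s);
        }
        return u;
    }

    public static void main(String[] args) {
        AppToken t = () -> "https://apps.example.test/gadget.xml";   // constructed sample token
        System.out.println(new TokenBoundGadgetContext(t, null).getUrl());
        System.out.println(new TokenBoundGadgetContext(t, "https://other.example.test/x.xml").getUrl());
        System.out.println(new TokenBoundGadgetContext(() -> null, "https://apps.example.test/b.xml").getUrl());
    }
}
```

The second call prints the token's URL and logs a warning; the third, with a token that has no app URL, falls back to the parameter.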
