[
https://issues.apache.org/jira/browse/SHINDIG-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12670222#action_12670222
]
Jacky Wang commented on SHINDIG-897:
------------------------------------
Thanks Chris and Paul for your comments. :)
Totally agree with Chris's idea: the container might have a lot of things to
check according to their internal policy. We'd like to offer an architecture
thus easily replacement/modification of the building block could fulfill their
requirement.
My possible solution is most likely the same as Chris's: the
OAuthAuthenticationHandler part only validates that "this request is a valid
OAuth request, either 2-legged or 3-legged", but it won't do ANY internal
policy based ACL check on this request. All the ACL check will be delegated to
3 underlying SPI.
On the other hand, since the resources (profile/friendlist, etc.) is granted
explicitly by user in the 3-legged OAuth process, such internal policy based
ACL check needs to be short-circuited. The desired logic is listed as
following:
// <<< pseudo-code starts here.
result = preparing_return_values(...)
if token.type is 3-legged-OAuthToken:
// by-pass the internal ACL check and return
return result
else:
// apply internal policy based ACL for URLParameter token and 2-legged OAuth
token
if ACL.check(...) is Okay:
return result
else:
complain_loudly(); // steal from Chris's example --- Chris, please
complain loudly. =)
// >>> pseudo-code ends here.
However, it seems the current OAuthToken couldn't distinguish whether it's
generated by 3-legged one or 2-legged one.
Thus my proposal (though a bit too detailed) is:
1. in OAuth authorization stage, add (appUrl, userId) short-circuited rule to
global ACL.
2. in RESTful SPI function, the ACL check could be unified to:
// <<< pseudo-code starts here.
result = preparing_return_values(...)
if global_ACL.check(...) is Okay:
return result
else:
complain_loudly()
// >>> pseudo-code ends here.
Just my 2 cents. :)
> Add 3-legged OAuth validation support for RESTful api
> -----------------------------------------------------
>
> Key: SHINDIG-897
> URL: https://issues.apache.org/jira/browse/SHINDIG-897
> Project: Shindig
> Issue Type: Improvement
> Components: RESTful API (Java)
> Reporter: Jacky Wang
> Priority: Minor
> Attachments: add-3-legged-oauth.patch
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> RESTful API now supports 2-legged OAuth, and we'd like to see it supports
> validation for requests issued by 3-legged OAuth client.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
