Author: scottbw
Date: Thu Aug 30 07:59:02 2012
New Revision: 1378841

URL: http://svn.apache.org/viewvc?rev=1378841&view=rev
Log:
Added support for locked domains, providing a unique origin for each widget 
instance for added security in production settings. (This feature works in the 
same manner as Shindig). See WOOKIE-310.

Modified:
    
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
    incubator/wookie/trunk/src/widgetserver.properties

Modified: 
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
URL: 
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java?rev=1378841&r1=1378840&r2=1378841&view=diff
==============================================================================
--- 
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
 (original)
+++ 
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
 Thu Aug 30 07:59:02 2012
@@ -20,6 +20,7 @@ import java.io.UnsupportedEncodingExcept
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
+import java.util.UUID;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -375,17 +376,35 @@ public class WidgetInstancesController e
                //
     String path = sf.getSrc();
                URL urlWidget =  getWookieServerURL(request, path);
-               
+
+               //
+               // If locked domains are enabled, create a host prefix using a 
UUID generated from the
+               // widget instance
+               //
+               URL proxyUrl = urlWidgetProxyServer;
+               Configuration properties = (Configuration) 
request.getSession().getServletContext().getAttribute("properties"); 
//$NON-NLS-1$
+               if 
(properties.getBoolean("widget.instance.lockeddomain.enabled",false)){ 
//$NON-NLS-1$
+                       //
+                       // Generate a UUID from the instance ID key as the 
subdomain for the instance
+                       //
+                       String prefix =  
UUID.nameUUIDFromBytes(instance.getIdKey().getBytes()).toString()+"-locked";
+                       urlWidget = new URL(urlWidget.getProtocol(), 
prefix+"."+urlWidget.getHost(), urlWidget.getPort(), path); //$NON-NLS-1$
+                       //
+                       // Prepend the subdomain to the proxy URL also
+                       //
+                       proxyUrl = new URL(urlWidgetProxyServer.getProtocol(), 
prefix + "." + urlWidgetProxyServer.getHost(),urlWidgetProxyServer.getPort(), 
urlWidgetProxyServer.getPath());
+               }
+
                //
                // Append querystring parameters for the URL: id key, proxy 
URL, and social token
                //
                if (urlWidget.getQuery() != null){
                        url+= urlWidget + "&idkey=" + instance.getIdKey()  
//$NON-NLS-1$
-                                       + "&proxy=" + 
urlWidgetProxyServer.toExternalForm()  //$NON-NLS-1$
+                                       + "&proxy=" + 
proxyUrl.toExternalForm()  //$NON-NLS-1$
                                        + "&st=" + 
instance.getOpensocialToken(); //$NON-NLS-1$
                } else {
                        url+= urlWidget + "?idkey=" + instance.getIdKey()  
//$NON-NLS-1$
-                                       + "&proxy=" + 
urlWidgetProxyServer.toExternalForm()  //$NON-NLS-1$
+                                       + "&proxy=" + 
proxyUrl.toExternalForm()  //$NON-NLS-1$
                                        + "&st=" + 
instance.getOpensocialToken(); //$NON-NLS-1$
                }
                return url;
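Review bot: The locked-domain branch only rewrites the host of the URL handed back to the caller; nothing in this commit makes the server refuse to serve an instance from the base host or from another instance's `-locked` host, and no other Java file is modified. Unless that check already exists elsewhere, the per-instance origin holds only while the widget is loaded through this exact URL, so the request path that serves widget content should recompute the prefix from the idkey and reject a request whose Host header does not match. Separately, `instance.getIdKey().getBytes()` uses the platform default charset, so the derived host can differ between servers with different defaults; `instance.getIdKey().getBytes("UTF-8")` pins it, and the hunk header suggests `UnsupportedEncodingException` is already imported. `properties` is also dereferenced without a null check, which is only safe if the servlet context attribute is always set. The enclosing method starts above this hunk.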

Modified: incubator/wookie/trunk/src/widgetserver.properties
URL: 
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/widgetserver.properties?rev=1378841&r1=1378840&r2=1378841&view=diff
==============================================================================
--- incubator/wookie/trunk/src/widgetserver.properties (original)
+++ incubator/wookie/trunk/src/widgetserver.properties Thu Aug 30 07:59:02 2012
@@ -73,6 +73,21 @@ widget.enable.validator=false
 widget.import.broadcast=false
 widget.import.broadcast.url=
 #######################################################################
+# Locked domains
+#
+# Set this to true to use Locked Domains. When enabled, each widget 
+# instance is served at a dynamically generated subdomain, e.g.
+# http://1faed3456e9999-locked.wookie-example.com. This means that each 
+# widget instance has a unique origin, and is sandboxed from all
+# other widgets on the same page. Note that to enable this feature
+# requires that your web server uses a wildcard subdomain configuration
+# for Wookie, for example:
+#
+# mywookie.com A xxx.xxx.xxx.xxx
+# *-locked.mywookie.com CNAME mywookie.com
+#
+widget.instance.lockeddomain.enabled=false
+#######################################################################
 # digital signature settings
 # Set this property to have Wookie check widget digital signatures when
 # deploying a widget
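Review bot: The sample record `*-locked.mywookie.com CNAME mywookie.com` is not a DNS wildcard, because a wildcard must be the whole leftmost label (RFC 4592), so `*-locked` would be treated as a literal name and the generated hosts would not resolve. The example should read `*.mywookie.com CNAME mywookie.com`, with a comment noting that this matches every subdomain, so the web server should only accept hosts ending in `-locked`. The sample URL `http://1faed3456e9999-locked.wookie-example.com` also does not match what the controller generates, which is a full 36-character UUID string followed by `-locked`. If Wookie is served over HTTPS, the comment should mention that a certificate covering the wildcard name is needed as well.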

