Posted to dev@shindig.apache.org by Erik Bi <bi...@cn.ibm.com> on 2012/05/14 14:39:40 UTC
Re: Review Request: gadgets.io.RequestParameters.SIGN_OWNER and
gadgets.io.RequestParameters.SIGN_VIEWER not implemented in Shindig
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5085/
-----------------------------------------------------------
(Updated 2012-05-14 12:39:40.305248)
Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
Summary
-------
The OpenSocial spec says that you should be able to pass 'SIGN_OWNER' and 'SIGN_VIEWER' as parameters to makeRequest. Shindig does not define these and in fact looks for the wrong parameters. In io.js Shindig looks for 'OWNER_SIGNED' and 'VIEWER_SIGNED'. In addition 'SIGN_OWNER' and 'SIGN_VIEWER' should be made constants.
This addresses bug shindig-1772.
https://issues.apache.org/jira/browse/shindig-1772
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1327432
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/proxied-form-post/post.js 1327432
http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1327432
Diff: https://reviews.apache.org/r/5085/diff
Testing
-------
Update iotest.js
Thanks,
Erik
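The failure mode this review request describes, as an added JavaScript sketch that is not Shindig's io.js and not part of the original message. The helper names and the sign-by-default fallback are assumptions for illustration; only the four key names come from the request.

```javascript
// Added illustration, not Shindig code. Function names and the
// "sign by default" fallback are assumptions made for this example.

// Constants as the request proposes: the names the spec documents.
const RequestParameters = Object.freeze({
  SIGN_OWNER: 'SIGN_OWNER',
  SIGN_VIEWER: 'SIGN_VIEWER',
});

// Assumed fallback: a flag that is not an explicit boolean means "sign".
function flag(params, key) {
  return typeof params[key] === 'boolean' ? params[key] : true;
}

// "Before": reads keys that a spec-following gadget never sets, so the
// caller's choice is silently replaced by the fallback.
function signingOptionsBefore(params) {
  return {
    signOwner: flag(params, 'OWNER_SIGNED'),
    signViewer: flag(params, 'VIEWER_SIGNED'),
  };
}

// "After": reads the spec names through the shared constants.
function signingOptionsAfter(params) {
  return {
    signOwner: flag(params, RequestParameters.SIGN_OWNER),
    signViewer: flag(params, RequestParameters.SIGN_VIEWER),
  };
}

// Regression aid: list signing-related keys the reader would ignore, so a
// renamed or misspelled option is reported instead of being dropped.
function unknownSigningKeys(params) {
  const known = new Set(Object.values(RequestParameters));
  return Object.keys(params).filter((k) => /SIGN/.test(k) && !known.has(k));
}

// Constructed gadget call: opt out of attaching the owner's identity.
const gadgetParams = { SIGN_OWNER: false, SIGN_VIEWER: true };

console.log('before:', signingOptionsBefore(gadgetParams));
console.log('after: ', signingOptionsAfter(gadgetParams));
console.log('ignored keys:', unknownSigningKeys({ OWNER_SIGNED: false }));
```

Under the assumed fallback, the "before" reader still signs with the owner identity even though the gadget asked it not to, which is why a test keyed on the constants is worth having.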
Re: Review Request: gadgets.io.RequestParameters.SIGN_OWNER and
gadgets.io.RequestParameters.SIGN_VIEWER not implemented in Shindig
Posted by Ryan Baxter <rb...@gmail.com>.
> On 2012-05-14 13:16:37, Ryan Baxter wrote:
> > Erik, everything looks good; please attach the patch to the JIRA and I will commit this.
Committed revision 1339144. Please close the review.
- Ryan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5085/#review7840
-----------------------------------------------------------
On 2012-05-14 12:39:40, Erik Bi wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/5085/
> -----------------------------------------------------------
>
> (Updated 2012-05-14 12:39:40)
>
>
> Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
>
>
> Summary
> -------
>
> The OpenSocial spec says that you should be able to pass 'SIGN_OWNER' and 'SIGN_VIEWER' as parameters to makeRequest. Shindig does not define these and in fact looks for the wrong parameters. In io.js Shindig looks for 'OWNER_SIGNED' and 'VIEWER_SIGNED'. In addition 'SIGN_OWNER' and 'SIGN_VIEWER' should be made constants.
>
>
> This addresses bug shindig-1772.
> https://issues.apache.org/jira/browse/shindig-1772
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1327432
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/proxied-form-post/post.js 1327432
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1327432
>
> Diff: https://reviews.apache.org/r/5085/diff
>
>
> Testing
> -------
>
> Update iotest.js
>
>
> Thanks,
>
> Erik
>
>
Re: Send Security Token with each request by default
Posted by Stanton Sievers <ss...@us.ibm.com>.
Hi Venkat,
That is expected. Tests in Shindig may start failing if you are building
with customizations in shindig.properties or container.js configuration
files. The EndToEndTest assumes that the security token is not encrypted
and is sending an unencrypted token to the server. The server is trying
to validate the token and is failing.
You can either build Shindig without tests (as part of the maven build) or
you can inject your own PropertiesModule via Guice to utilize your own
shindig.properties and container.js files at runtime.
Regards,
-Stanton
From: "Mahadevan, Venkat" <ve...@mitre.org>
To: "dev@shindig.apache.org" <de...@shindig.apache.org>,
Date: 05/14/2012 11:07
Subject: Re: Send Security Token with each request by default
Hi Stanton
Thanks for the reply. We want all requests to shindig to include a token;
it looks like this is currently available, as you have mentioned.
Also, can you let me know why I am getting errors while running mvn
install? I have changed container.js with "gadgets.securityTokenType" to
secure and added the path to the file which contains the key to
"gadgets.securityTokenKey". I am getting this error:
INFO: The security token or credential is malformed and cannot be parsed.
Results :
org.apache.shindig.auth.SecurityTokenException: Invalid security token canonical:john.doe:test:domain:appUrl:1:default:1337008734
at org.apache.shindig.auth.BlobCrypterSecurityTokenCodec.createToken(BlobCrypterSecurityTokenCodec.java:140)
Failed tests:
fetchPerson(org.apache.shindig.server.endtoend.EndToEndTest): test method fetchTwoProperties did not finish
fetchPeople(org.apache.shindig.server.endtoend.EndToEndTest): test method fetchPluralUsers did not finish
at org.apache.shindig.auth.DefaultSecurityTokenCodec.createToken(DefaultSecurityTokenCodec.java:69)
notFoundError(org.apache.shindig.server.endtoend.EndToEndTest): test method notFoundError did not finish
at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:63)
The createToken() method in BlobCrypterSecurityTokenCodec is looking for
fields.length to be 2 but in this case we have fields.length as 8 since
the token is "canonical:john.doe:test:domain:appUrl:1:default:1337011522"
Maybe I am doing something wrong. Is there any configuration that I am
missing?
Regards
Venkat
On 5/14/12 10:20 AM, "Stanton Sievers" <ss...@us.ibm.com> wrote:
>Hi Venkat,
>
>Can you clarify exactly what requests you want the security token to be
>sent on? Today it should be sent on any osapi.* request, any makeRequest
>(since [1]), and any request using OAuth. The only requests it shouldn't
>flow on would be those to the content proxy, for urls obtained through
>gadgets.io.getProxyUrl().
>
>On a side note, one can set
>"gadgets.uri.iframe.alwaysAppendSecurityToken"
>to true in the container.js to ensure that a security token is always
>available to the gadget on the ifr url.
>
>[1] https://issues.apache.org/jira/browse/SHINDIG-1768
>
>Best regards,
>-Stanton
>
>
>
>From: "Mahadevan, Venkat" <ve...@mitre.org>
>To: "dev@shindig.apache.org" <de...@shindig.apache.org>,
>Date: 05/14/2012 09:56
>Subject: Send Security Token with each request by default
>
>
>
>Hi
>
>Is there a way in Shindig trunk to enable sending security tokens with
>every request?
>
>
>
>Thanks
>Venkat
>
>
>
Re: Send Security Token with each request by default
Posted by "Mahadevan, Venkat" <ve...@mitre.org>.
Hi Stanton
Thanks for the reply. We want all requests to shindig to include a token;
it looks like this is currently available, as you have mentioned.
Also, can you let me know why I am getting errors while running mvn
install? I have changed container.js with "gadgets.securityTokenType" to
secure and added the path to the file which contains the key to
"gadgets.securityTokenKey". I am getting this error:
INFO: The security token or credential is malformed and cannot be parsed.
Results :
org.apache.shindig.auth.SecurityTokenException: Invalid security token canonical:john.doe:test:domain:appUrl:1:default:1337008734
at org.apache.shindig.auth.BlobCrypterSecurityTokenCodec.createToken(BlobCrypterSecurityTokenCodec.java:140)
Failed tests:
fetchPerson(org.apache.shindig.server.endtoend.EndToEndTest): test method fetchTwoProperties did not finish
fetchPeople(org.apache.shindig.server.endtoend.EndToEndTest): test method fetchPluralUsers did not finish
at org.apache.shindig.auth.DefaultSecurityTokenCodec.createToken(DefaultSecurityTokenCodec.java:69)
notFoundError(org.apache.shindig.server.endtoend.EndToEndTest): test method notFoundError did not finish
at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:63)
The createToken() method in BlobCrypterSecurityTokenCodec is looking for
fields.length to be 2 but in this case we have fields.length as 8 since
the token is "canonical:john.doe:test:domain:appUrl:1:default:1337011522"
Maybe I am doing something wrong. Is there any configuration that I am
missing?
Regards
Venkat
On 5/14/12 10:20 AM, "Stanton Sievers" <ss...@us.ibm.com> wrote:
>Hi Venkat,
>
>Can you clarify exactly what requests you want the security token to be
>sent on? Today it should be sent on any osapi.* request, any makeRequest
>(since [1]), and any request using OAuth. The only requests it shouldn't
>flow on would be those to the content proxy, for urls obtained through
>gadgets.io.getProxyUrl().
>
>On a side note, one can set
>"gadgets.uri.iframe.alwaysAppendSecurityToken"
>to true in the container.js to ensure that a security token is always
>available to the gadget on the ifr url.
>
>[1] https://issues.apache.org/jira/browse/SHINDIG-1768
>
>Best regards,
>-Stanton
>
>
>
>From: "Mahadevan, Venkat" <ve...@mitre.org>
>To: "dev@shindig.apache.org" <de...@shindig.apache.org>,
>Date: 05/14/2012 09:56
>Subject: Send Security Token with each request by default
>
>
>
>Hi
>
>Is there a way in Shindig trunk to enable sending security tokens with
>every request?
>
>
>
>Thanks
>Venkat
>
>
>
Re: Send Security Token with each request by default
Posted by Stanton Sievers <ss...@us.ibm.com>.
Hi Venkat,
Can you clarify exactly what requests you want the security token to be
sent on? Today it should be sent on any osapi.* request, any makeRequest
(since [1]), and any request using OAuth. The only requests it shouldn't
flow on would be those to the content proxy, for urls obtained through
gadgets.io.getProxyUrl().
On a side note, one can set "gadgets.uri.iframe.alwaysAppendSecurityToken"
to true in the container.js to ensure that a security token is always
available to the gadget on the ifr url.
[1] https://issues.apache.org/jira/browse/SHINDIG-1768
Best regards,
-Stanton
From: "Mahadevan, Venkat" <ve...@mitre.org>
To: "dev@shindig.apache.org" <de...@shindig.apache.org>,
Date: 05/14/2012 09:56
Subject: Send Security Token with each request by default
Hi
Is there a way in Shindig trunk to enable sending security tokens with
every request?
Thanks
Venkat
Send Security Token with each request by default
Posted by "Mahadevan, Venkat" <ve...@mitre.org>.
Hi
Is there a way in Shindig trunk to enable sending security tokens with
every request?
Thanks
Venkat
Re: Review Request: gadgets.io.RequestParameters.SIGN_OWNER and
gadgets.io.RequestParameters.SIGN_VIEWER not implemented in Shindig
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5085/#review7840
-----------------------------------------------------------
Ship it!
Erik, everything looks good; please attach the patch to the JIRA and I will commit this.
- Ryan
On 2012-05-14 12:39:40, Erik Bi wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/5085/
> -----------------------------------------------------------
>
> (Updated 2012-05-14 12:39:40)
>
>
> Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
>
>
> Summary
> -------
>
> The OpenSocial spec says that you should be able to pass 'SIGN_OWNER' and 'SIGN_VIEWER' as parameters to makeRequest. Shindig does not define these and in fact looks for the wrong parameters. In io.js Shindig looks for 'OWNER_SIGNED' and 'VIEWER_SIGNED'. In addition 'SIGN_OWNER' and 'SIGN_VIEWER' should be made constants.
>
>
> This addresses bug shindig-1772.
> https://issues.apache.org/jira/browse/shindig-1772
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1327432
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/proxied-form-post/post.js 1327432
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1327432
>
> Diff: https://reviews.apache.org/r/5085/diff
>
>
> Testing
> -------
>
> Update iotest.js
>
>
> Thanks,
>
> Erik
>
>