Posted to issues@shindig.apache.org by "Brian Lillie (JIRA)" <ji...@apache.org> on 2012/05/07 20:47:02 UTC

[jira] [Created] (SHINDIG-1768) Add shindig security token to makeRequest header

Brian Lillie created SHINDIG-1768:
-------------------------------------

             Summary: Add shindig security token to makeRequest header
                 Key: SHINDIG-1768
                 URL: https://issues.apache.org/jira/browse/SHINDIG-1768
             Project: Shindig
          Issue Type: Improvement
          Components: Java
    Affects Versions: 2.5.0
            Reporter: Brian Lillie
             Fix For: 2.5.0


Following on in the same vein as SHINDIG-1756, we want to better identify the source of the requests coming into the server via makeRequest. If the request authz is not none, then the security token flows. If the authz is NONE, the security token is not sent. This change would be to include the security token on every request. Since including the token on the URL parameter would break the ability to cache, the security token will instead be added as a header named X-Shindig-ST on all requests. On the Shindig server side, the header will be processed if there is not already a token supplied as a URL parameter or OAuth-related parameter.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (SHINDIG-1768) Add shindig security token to makeRequest header

Posted by "jiraposter@reviews.apache.org (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13269872#comment-13269872 ] 

jiraposter@reviews.apache.org commented on SHINDIG-1768:
--------------------------------------------------------


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5013/
-----------------------------------------------------------

(Updated 2012-05-07 18:45:53.595406)


Review request for shindig.


Changes
-------

Added JIRA


Summary
-------

Change to io.js to send the security token as a request header on all requests. This preserves the ability for the browser to cache the responses.
UrlParameterAuthenticationHandler, if no other token is supplied on the request, checks the request header for the field.
MakeRequestHandler sets the security token in all HttpRequest objects. This change does not cause a failure if there is no token, though that could be considered.

The makeXhrRequest logic was reordered slightly, as the opt_headers were not included on the request if paramData was null. So for example, if the makeRequest wanted to set opt_headers in the call parameters, but it was a 'GET' method in makeRequest, the opt_headers would not be added to the request. I didn't come up with a reason for that restriction, and so reordered the logic and moved the opt_headers updates to the request outside of the if (paramData != null) test.


This addresses bug SHINDIG-1768.
    https://issues.apache.org/jira/browse/SHINDIG-1768


Diffs
-----

  http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1332240 
  http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1332240 
  http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java 1304584 
  http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1327569 

Diff: https://reviews.apache.org/r/5013/diff


Testing
-------

Existing tests passed.


Thanks,

BrianLillie
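
The header handling and token precedence described in this review request, as an added sketch that is not taken from io.js or UrlParameterAuthenticationHandler. The function names, the stand-in XHR object, and the `st` / `oauth_token` parameter names are assumptions; dropping a caller-supplied copy of the token header is a choice made in this example.

```javascript
// Added illustration: fakeXhr, applyHeaders*, resolveToken and the
// 'st' / 'oauth_token' parameter names are assumptions, not Shindig source.
const ST_HEADER = 'X-Shindig-ST';

// Recording stand-in for XMLHttpRequest so the example runs offline.
function fakeXhr() {
  return { headers: {}, setRequestHeader(k, v) { this.headers[k] = v; } };
}

function copyHeaders(xhr, optHeaders) {
  for (const [k, v] of Object.entries(optHeaders || {})) xhr.setRequestHeader(k, v);
}

// Ordering before the change (simplified): headers are copied only inside the
// paramData test, so a body-less GET loses every opt_headers entry.
function applyHeadersOld(xhr, paramData, optHeaders) {
  if (paramData != null) copyHeaders(xhr, optHeaders);
  return xhr.headers;
}

// Reordered: headers no longer depend on paramData. The token header is set
// last and any caller-supplied copy of it is dropped, so gadget code cannot
// substitute its own value.
function applyHeadersNew(xhr, paramData, optHeaders, securityToken) {
  const safe = Object.fromEntries(Object.entries(optHeaders || {})
    .filter(([k]) => k.toLowerCase() !== ST_HEADER.toLowerCase()));
  copyHeaders(xhr, safe);
  if (securityToken) xhr.setRequestHeader(ST_HEADER, securityToken);
  return xhr.headers;
}

// Server side: the header is consulted only when no token arrived as a URL
// parameter or an OAuth-related parameter.
function resolveToken(query, headers) {
  const fromParam = query.get('st') || query.get('oauth_token');
  if (fromParam) return { token: fromParam, source: 'parameter' };
  const key = Object.keys(headers)
    .find((k) => k.toLowerCase() === ST_HEADER.toLowerCase());
  const value = key ? String(headers[key]).trim() : '';
  return value ? { token: value, source: 'header' } : { token: null, source: 'none' };
}

// Constructed sample requests.
const oldGet = applyHeadersOld(fakeXhr(), null, { 'X-Custom': '1' });
const newGet = applyHeadersNew(fakeXhr(), null, { 'X-Custom': '1' }, 'constructed-token');
console.log(Object.keys(oldGet).length, Object.keys(newGet).length);
console.log(resolveToken(new URLSearchParams(''), { 'x-shindig-st': 'constructed-token' }));
```
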


                

        

[jira] [Commented] (SHINDIG-1768) Add shindig security token to makeRequest header

Posted by "jiraposter@reviews.apache.org (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13270755#comment-13270755 ] 

jiraposter@reviews.apache.org commented on SHINDIG-1768:
--------------------------------------------------------


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5013/#review7694
-----------------------------------------------------------

Ship it!


Committed revision 1335707.

Please close the review.

- Stanton




                

        

[jira] [Updated] (SHINDIG-1768) Add shindig security token to makeRequest header

Posted by "Ryan Baxter (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Baxter updated SHINDIG-1768:
---------------------------------

    Fix Version/s:     (was: 2.5.0)
                   2.5.0-beta2
    

        

[jira] [Resolved] (SHINDIG-1768) Add shindig security token to makeRequest header

Posted by "Stanton Sievers (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stanton Sievers resolved SHINDIG-1768.
--------------------------------------

    Resolution: Fixed

Committed revision 1335707.
                

        

[jira] [Updated] (SHINDIG-1768) Add shindig security token to makeRequest header

Posted by "Brian Lillie (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Lillie updated SHINDIG-1768:
----------------------------------

    Attachment: mr_3.patch
    