Posted to dev@shindig.apache.org by "Brian Eaton (JIRA)" <ji...@apache.org> on 2008/03/04 19:37:41 UTC

[jira] Created: (SHINDIG-109) support signed fetch in Shindig

support signed fetch in Shindig
-------------------------------

                 Key: SHINDIG-109
                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
             Project: Shindig
          Issue Type: New Feature
          Components: Gadgets Server - Java
            Reporter: Brian Eaton


We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Resolved: (SHINDIG-109) support signed fetch in Shindig

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton resolved SHINDIG-109.
---------------------------------

    Resolution: Fixed

Code has landed, this is fixed.

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch, wrongname.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Updated: (SHINDIG-109) support signed fetch in Shindig

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner updated SHINDIG-109:
---------------------------------

    Attachment: oauth.patch

Here's an incomplete sample implementation...



> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Commented: (SHINDIG-109) support signed fetch in Shindig

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578119#action_12578119 ] 

Kevin Brown commented on SHINDIG-109:
-------------------------------------

The default signer should probably fetch the private key from a file that is configured via web.xml. I think we should probably try committing this and then tweaking it from that...if only we had some code review tool to do this! 

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Updated: (SHINDIG-109) support signed fetch in Shindig

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton updated SHINDIG-109:
--------------------------------

    Attachment: wrongname.patch

There was a bug in my earlier patch.  This fixes it.

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch, wrongname.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Commented: (SHINDIG-109) support signed fetch in Shindig

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12575608#action_12575608 ] 

Kevin Brown commented on SHINDIG-109:
-------------------------------------

Were you intending this as an implementation of the existing signed fetch method on RemoteContentFetcher? 

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Updated: (SHINDIG-109) support signed fetch in Shindig

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton updated SHINDIG-109:
--------------------------------

    Attachment: signedfetch.patch

Here's a more complete implementation.

I think I've got the hooks for container customization in the right places.  I'll check some more tomorrow.

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Commented: (SHINDIG-109) support signed fetch in Shindig

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578134#action_12578134 ] 

Brian Eaton commented on SHINDIG-109:
-------------------------------------

Remind me to send you a shell script I wrote today called 'shindiff'.
It takes as input a patch, and pops up graphical diffs of the patch
against head.  It ain't mondrian, but it's better than vim.



> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.



[jira] Commented: (SHINDIG-109) support signed fetch in Shindig

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578655#action_12578655 ] 

Kevin Brown commented on SHINDIG-109:
-------------------------------------

Ok, now that this is in I can comment on it a little more easily.

Since signed fetch and full oauth should be implemented in the same way across containers, I think it makes more sense to just have a single OAuth wrapper that can handle both of these cases, with the GadgetToken being responsible for managing inputs (and, as today, passed to the gadget server in the st param). Either that or a separate RequestSigner and RequestAuthorizer. I'm not really sure how full oauth is supposed to be implemented with the current RequestSigner interface.

We can then clearly separate input security (mix of shindig custom and user proprietary techniques) and output security (OAuth).

GadgetSigner becomes GadgetTokenFactory. Input is a String, the "st" parameter, as today.

RequestSigner signs requests using OAuth. Inputs are the GadgetToken, RemoteContentRequest, and an implementation of an OAuthSignatureMethod used to sign the outgoing request (to allow for implementations with more robust key management).

RequestAuthorizer authorizes requests using OAuth. Inputs are a bit more complex here since we'd have to have an interface for accessing the per-user data. I'm not that familiar with how full OAuth is supposed to work, so I might be missing some things here.

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java, oauth.patch, signedfetch.patch
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.

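
The split proposed in the comment above (a token factory for input security, an OAuth request signer with a pluggable signature method for output security), sketched as an added example; it is not Shindig code and not one of the attachments on this issue. The token fields, the plaintext `st` format, the function names and the choice of HMAC-SHA1 are assumptions made for the illustration; the `opensocial_*` parameter names follow the OpenSocial signed-fetch convention.

```python
import base64, hashlib, hmac
from collections import namedtuple
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):  # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

# Hypothetical shape: the identity recovered from the "st" parameter.
GadgetToken = namedtuple("GadgetToken", "owner viewer app")

def gadget_token_factory(st):
    # Input security. Constructed plaintext format "owner:viewer:app"; a real
    # container decrypts and authenticates st before trusting any field.
    return GadgetToken(*st.split(":"))

class HmacSha1Method:  # one pluggable signature method; it alone holds the key
    name = "HMAC-SHA1"
    def __init__(self, consumer_secret):
        self._key = (pct(consumer_secret) + "&").encode()  # empty token secret
    def sign(self, base_string):
        mac = hmac.new(self._key, base_string.encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()

def signature_base_string(http_method, url, params):
    u = urlsplit(url)  # query excluded (signed via params); :80/:443 not stripped
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([http_method.upper(), pct(base_url), pct(normalized)])

def sign_request(token, http_method, url, method, consumer_key, nonce, timestamp):
    # Output security: drop identity/OAuth params supplied by the gadget so the
    # container's values are the only ones the receiving server ever sees.
    reserved = ("oauth", "xoauth", "opensocial")
    query = [(k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
             if not k.lower().startswith(reserved)]
    params = query + [
        ("opensocial_owner_id", token.owner), ("opensocial_viewer_id", token.viewer),
        ("opensocial_app_id", token.app), ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", method.name), ("oauth_nonce", nonce),
        ("oauth_timestamp", str(timestamp)), ("oauth_version", "1.0")]
    base = signature_base_string(http_method, url, params)
    return params + [("oauth_signature", method.sign(base))]

def verify_request(http_method, url, signed_params, method):
    claimed = dict(signed_params).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in signed_params if k != "oauth_signature"]
    expected = method.sign(signature_base_string(http_method, url, unsigned))
    return hmac.compare_digest(claimed, expected)
```

Because the signer only sees a `GadgetToken` and a signature-method object, swapping in a method backed by stronger key management changes neither the token handling nor the parameter filtering.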


[jira] Updated: (SHINDIG-109) support signed fetch in Shindig

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton updated SHINDIG-109:
--------------------------------

    Attachment: CreateSignedFetchRequestHandler.java

> support signed fetch in Shindig
> -------------------------------
>
>                 Key: SHINDIG-109
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-109
>             Project: Shindig
>          Issue Type: New Feature
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>         Attachments: CreateSignedFetchRequestHandler.java
>
>
> We should add signed fetch support to Shindig.  We have open source code to do the work, but it needs integration.  I'll attach what we've got to this bug.
