You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shindig.apache.org by Erel Segal <er...@gmail.com> on 2008/07/16 13:55:49 UTC

social data requests without security tokens

I found a discrepancy between two functions that deal with security tokens:

in BasicSecurityTokenDecoder::createToken, an empty token is rejected only
if $_GET['authz'] is not empty, i.e. I may use a gadget without a security
token, as long as there is no authz:

        if (empty($stringToken) && ! empty($_GET['authz'])) {
            throw new GadgetException('INVALID_GADGET_TOKEN');
        }


but in GadgetDataServlet::createResponse, an empty token is always rejected:
        if (empty($token)) {
            throw new Exception("INVALID_GADGET_TOKEN");
        }


Is this a bug or a feature?

Re: social data requests without security tokens

Posted by Ropu <ro...@gmail.com>.

if good and short, double good...

On Wed, Jul 16, 2008 at 11:15 AM, Erel Segal <er...@gmail.com> wrote:

> Thank you, your short answer helped me put things in place.
>
> 2008/7/16, Ropu <ro...@gmail.com>:
> >
> > as far as i can see, thats for io.makeRequest with no authentication.
> >
> > so it should be ok.
> >
> > still, all code under samplecontainer/ (and namespaced with Basic*) is
> > SAMPLE, just to show functionality, not ready for production.
> >
> > hope this helps
> >
> > ropu
> >
> >
> > On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:
> >
> > > I found a discrepancy between two functions that deal with security
> > tokens:
> > >
> > > in BasicSecurityTokenDecoder::createToken, an empty token is rejected
> > only
> > > if $_GET['authz'] is not empty, i.e. I may use a gadget without a
> > security
> > > token, as long as there is no authz:
> > >
> > >        if (empty($stringToken) && ! empty($_GET['authz'])) {
> > >            throw new GadgetException('INVALID_GADGET_TOKEN');
> > >        }
> > >
> > >
> > > but in GadgetDataServlet::createResponse, an empty token is always
> > > rejected:
> > >        if (empty($token)) {
> > >            throw new Exception("INVALID_GADGET_TOKEN");
> > >        }
> > >
> > >
> > > Is this a bug or a feature?
> > >
> >
> >
> >
> >
> > --
> > .-. --- .--. ..-
> > R o p u
> >
>



-- 
.-. --- .--. ..-
R o p u

Re: social data requests without security tokens

Posted by Erel Segal <er...@gmail.com>.

Thank you, your short answer helped me put things in place.

2008/7/16, Ropu <ro...@gmail.com>:
>
> as far as i can see, thats for io.makeRequest with no authentication.
>
> so it should be ok.
>
> still, all code under samplecontainer/ (and namespaced with Basic*) is
> SAMPLE, just to show functionality, not ready for production.
>
> hope this helps
>
> ropu
>
>
> On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:
>
> > I found a discrepancy between two functions that deal with security
> tokens:
> >
> > in BasicSecurityTokenDecoder::createToken, an empty token is rejected
> only
> > if $_GET['authz'] is not empty, i.e. I may use a gadget without a
> security
> > token, as long as there is no authz:
> >
> >        if (empty($stringToken) && ! empty($_GET['authz'])) {
> >            throw new GadgetException('INVALID_GADGET_TOKEN');
> >        }
> >
> >
> > but in GadgetDataServlet::createResponse, an empty token is always
> > rejected:
> >        if (empty($token)) {
> >            throw new Exception("INVALID_GADGET_TOKEN");
> >        }
> >
> >
> > Is this a bug or a feature?
> >
>
>
>
>
> --
> .-. --- .--. ..-
> R o p u
>

Re: social data requests without security tokens

Posted by Ropu <ro...@gmail.com>.

as far as i can see, thats for io.makeRequest with no authentication.

so it should be ok.

still, all code under samplecontainer/ (and namespaced with Basic*) is
SAMPLE, just to show functionality, not ready for production.

hope this helps

ropu

On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:

> I found a discrepancy between two functions that deal with security tokens:
>
> in BasicSecurityTokenDecoder::createToken, an empty token is rejected only
> if $_GET['authz'] is not empty, i.e. I may use a gadget without a security
> token, as long as there is no authz:
>
>        if (empty($stringToken) && ! empty($_GET['authz'])) {
>            throw new GadgetException('INVALID_GADGET_TOKEN');
>        }
>
>
> but in GadgetDataServlet::createResponse, an empty token is always
> rejected:
>        if (empty($token)) {
>            throw new Exception("INVALID_GADGET_TOKEN");
>        }
>
>
> Is this a bug or a feature?
>



-- 
.-. --- .--. ..-
R o p u