Posted to dev@shindig.apache.org by Erel Segal <er...@gmail.com> on 2008/07/16 13:55:49 UTC
social data requests without security tokens
I found a discrepancy between two functions that deal with security tokens:

in BasicSecurityTokenDecoder::createToken, an empty token is rejected only
if $_GET['authz'] is not empty, i.e. I may use a gadget without a security
token, as long as there is no authz:

    if (empty($stringToken) && ! empty($_GET['authz'])) {
        throw new GadgetException('INVALID_GADGET_TOKEN');
    }

but in GadgetDataServlet::createResponse, an empty token is always rejected:

    if (empty($token)) {
        throw new Exception("INVALID_GADGET_TOKEN");
    }

Is this a bug or a feature?
Re: social data requests without security tokens
Posted by Ropu <ro...@gmail.com>.
if good and short, double good...
On Wed, Jul 16, 2008 at 11:15 AM, Erel Segal <er...@gmail.com> wrote:
> Thank you, your short answer helped me put things in place.
>
> 2008/7/16, Ropu <ro...@gmail.com>:
> >
> > as far as I can see, that's for io.makeRequest with no authentication.
> >
> > so it should be ok.
> >
> > still, all code under samplecontainer/ (and namespaced with Basic*) is
> > SAMPLE, just to show functionality, not ready for production.
> >
> > hope this helps
> >
> > ropu
> >
> >
> > On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:
> >
> > > I found a discrepancy between two functions that deal with security
> > > tokens:
> > >
> > > in BasicSecurityTokenDecoder::createToken, an empty token is rejected
> > > only if $_GET['authz'] is not empty, i.e. I may use a gadget without a
> > > security token, as long as there is no authz:
> > >
> > >     if (empty($stringToken) && ! empty($_GET['authz'])) {
> > >         throw new GadgetException('INVALID_GADGET_TOKEN');
> > >     }
> > >
> > > but in GadgetDataServlet::createResponse, an empty token is always
> > > rejected:
> > >
> > >     if (empty($token)) {
> > >         throw new Exception("INVALID_GADGET_TOKEN");
> > >     }
> > >
> > > Is this a bug or a feature?
> > >
> >
> >
> >
> >
> > --
> > .-. --- .--. ..-
> > R o p u
> >
>
--
.-. --- .--. ..-
R o p u
Re: social data requests without security tokens
Posted by Erel Segal <er...@gmail.com>.
Thank you, your short answer helped me put things in place.
2008/7/16, Ropu <ro...@gmail.com>:
>
> as far as I can see, that's for io.makeRequest with no authentication.
>
> so it should be ok.
>
> still, all code under samplecontainer/ (and namespaced with Basic*) is
> SAMPLE, just to show functionality, not ready for production.
>
> hope this helps
>
> ropu
>
>
> On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:
>
> > I found a discrepancy between two functions that deal with security
> > tokens:
> >
> > in BasicSecurityTokenDecoder::createToken, an empty token is rejected
> > only if $_GET['authz'] is not empty, i.e. I may use a gadget without a
> > security token, as long as there is no authz:
> >
> >     if (empty($stringToken) && ! empty($_GET['authz'])) {
> >         throw new GadgetException('INVALID_GADGET_TOKEN');
> >     }
> >
> > but in GadgetDataServlet::createResponse, an empty token is always
> > rejected:
> >
> >     if (empty($token)) {
> >         throw new Exception("INVALID_GADGET_TOKEN");
> >     }
> >
> > Is this a bug or a feature?
> >
>
>
>
>
> --
> .-. --- .--. ..-
> R o p u
>
Re: social data requests without security tokens
Posted by Ropu <ro...@gmail.com>.
as far as I can see, that's for io.makeRequest with no authentication.

so it should be ok.

still, all code under samplecontainer/ (and namespaced with Basic*) is
SAMPLE, just to show functionality, not ready for production.

hope this helps

ropu

On Wed, Jul 16, 2008 at 8:55 AM, Erel Segal <er...@gmail.com> wrote:
> I found a discrepancy between two functions that deal with security tokens:
>
> in BasicSecurityTokenDecoder::createToken, an empty token is rejected only
> if $_GET['authz'] is not empty, i.e. I may use a gadget without a security
> token, as long as there is no authz:
>
>     if (empty($stringToken) && ! empty($_GET['authz'])) {
>         throw new GadgetException('INVALID_GADGET_TOKEN');
>     }
>
>
> but in GadgetDataServlet::createResponse, an empty token is always
> rejected:
>     if (empty($token)) {
>         throw new Exception("INVALID_GADGET_TOKEN");
>     }
>
>
> Is this a bug or a feature?
>
--
.-. --- .--. ..-
R o p u
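
The two checks discussed in this thread, expressed as one explicit policy. This is an added example, not Shindig code and not written by either poster: the helper `requireToken()`, its `$allowAnonymous` parameter and the sample requests are hypothetical; only the exception message comes from the snippets quoted above.

```php
<?php
// Added illustration, not Shindig code. requireToken() and its parameters are hypothetical.

/**
 * Decide whether a request may proceed with the token string it supplied.
 *
 * @param string|null $stringToken    raw token from the request (may be missing)
 * @param string|null $authz          authz parameter; non-empty means authentication was requested
 * @param bool        $allowAnonymous true only for endpoints that can serve unauthenticated fetches
 * @return string|null the token string, or null for an accepted anonymous request
 */
function requireToken(?string $stringToken, ?string $authz, bool $allowAnonymous): ?string
{
    // Strict comparisons instead of empty(), so the literal string "0" is not treated as missing.
    $hasToken  = $stringToken !== null && $stringToken !== '';
    $wantsAuth = $authz !== null && $authz !== '';

    if ($hasToken) {
        return $stringToken;   // decoding and validating the token is a separate step
    }
    if ($allowAnonymous && !$wantsAuth) {
        return null;           // anonymous fetch: the caller has no viewer/owner identity to rely on
    }
    throw new Exception('INVALID_GADGET_TOKEN');
}

// Constructed sample requests: [label, token, authz, allowAnonymous]
$cases = [
    ['proxy fetch, no token, no authz',     '',       '',       true],
    ['proxy fetch, no token, authz=signed', '',       'signed', true],
    ['social data, no token',               '',       '',       false],
    ['social data, with token',             'tok123', '',       false],
];

foreach ($cases as [$label, $token, $authz, $anon]) {
    try {
        $result = requireToken($token, $authz, $anon);
        echo $label, ': ', $result === null ? 'accepted as anonymous' : 'accepted with token', "\n";
    } catch (Exception $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Keeping the decision in one place makes the difference between the two call sites a visible parameter rather than two checks that can drift apart.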