Posted to dev@shindig.apache.org by "Paul Lindner (JIRA)" <ji...@apache.org> on 2008/07/21 12:15:32 UTC

[jira] Created: (SHINDIG-463) Support Anonymous Security Tokens

Support Anonymous Security Tokens
---------------------------------

                 Key: SHINDIG-463
                 URL: https://issues.apache.org/jira/browse/SHINDIG-463
             Project: Shindig
          Issue Type: Improvement
          Components: Common Components (Java)
            Reporter: Paul Lindner
         Attachments: anontoken.patch

To support anonymous access for viewer/owner we need to support the concept of an anonymous security token.

To do this we should create an isAnonymous() method in the SecurityToken interface and add a new implementation AnonymousSecurityToken.

These tokens will throw InvalidArgumentException() when an attempt is made to access any field.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
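
The design proposed in this issue, as an added sketch that is not the attached anontoken.patch or Shindig's own code: a singleton anonymous token whose field accessors throw, a decoder that returns it when no token is sent, and a handler that checks isAnonymous() first. The two-field interface, SimpleToken, the "st" parameter with its owner:viewer format and profileFor are assumptions made for illustration, and Java's standard IllegalArgumentException stands in for the exception named above.

```java
import java.util.Map;
public class AnonymousTokenDemo {
  // Simplified stand-in for Shindig's SecurityToken (assumption: two fields only).
  interface SecurityToken {
    boolean isAnonymous();
    String getViewerId();
    String getOwnerId();
  }

  static final class SimpleToken implements SecurityToken {
    private final String viewer, owner;
    SimpleToken(String viewer, String owner) { this.viewer = viewer; this.owner = owner; }
    public boolean isAnonymous() { return false; }
    public String getViewerId() { return viewer; }
    public String getOwnerId() { return owner; }
  }

  // Single shared instance; every field accessor refuses to answer.
  static final class AnonymousSecurityToken implements SecurityToken {
    private static final AnonymousSecurityToken INSTANCE = new AnonymousSecurityToken();
    private AnonymousSecurityToken() {}
    static AnonymousSecurityToken getInstance() { return INSTANCE; }
    public boolean isAnonymous() { return true; }
    public String getViewerId() { throw fail("viewerId"); }
    public String getOwnerId() { throw fail("ownerId"); }
    private static IllegalArgumentException fail(String field) {
      return new IllegalArgumentException("anonymous token has no " + field + "; check isAnonymous() first");
    }
  }

  // Hypothetical decoder: "st" parameter in "owner:viewer" form (constructed format).
  static SecurityToken decode(Map<String, String> params) {
    String st = params.get("st");
    if (st == null || st.trim().isEmpty()) return AnonymousSecurityToken.getInstance();
    String[] parts = st.split(":");
    if (parts.length != 2) throw new IllegalArgumentException("Malformed security token");
    return new SimpleToken(parts[1], parts[0]);
  }

  // Handler that checks first: anonymous callers get only public data.
  static String profileFor(SecurityToken token) {
    if (token.isAnonymous()) return "public profile only";
    return "full profile for viewer " + token.getViewerId();
  }
  public static void main(String[] args) {
    System.out.println(profileFor(decode(Map.of("st", "alice:bob"))));
    System.out.println(profileFor(decode(Map.of())));
    try {
      decode(Map.of()).getViewerId(); // handler that forgot the check
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```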


Re: [jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by Brian Eaton <be...@google.com>.
On Tue, Jul 22, 2008 at 9:47 AM, Chris Chabot (JIRA) <ji...@apache.org> wrote:
> Really? When people have to write their service classes, is it easier to explain to them (and have them remember) isAnonymous() or that they should check some variable and see if it's null?

If they are writing a service class and they need to know who the user
is, they check the security token.  If the security token isn't there,
then the user isn't authenticated.

It's really easy, and this is common practice in java land:
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()

> Also is it easier to understand an exception that says "hey silly, you forgot to check if this is an anonymous token" or a "*cloud of smoke and debugging output* you referenced a null variable".

The difference between IllegalArgumentException and
NullPointerException is not huge, and in my humble opinion it is not
worth the overhead of adding a new API to shindig.

On the other hand, this is a fairly minor API, minor enough that I'm
going to stop fighting it.  If I haven't convinced you with these
arguments, I will go ahead and adapt to this API when it is added.  I
won't even gripe much. =)

Cheers,
Brian

[jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615663#action_12615663 ] 

Brian Eaton commented on SHINDIG-463:
-------------------------------------

I prefer the latter, because it does not involve changing interfaces.  If the entire goal of this code is to write "token.isAnonymous()" instead of "token == null", it doesn't seem worthwhile.


[jira] Updated: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner updated SHINDIG-463:
---------------------------------

    Attachment:     (was: anontoken.patch)



[jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615393#action_12615393 ] 

Paul Lindner commented on SHINDIG-463:
--------------------------------------

Every handler should check the token to see if it's anonymous.

If a handler does not check the token then an InvalidArgumentException is thrown instead of an NPE.

Also, do you like code that looks like this:

   if (token.isAnonymous()) {
    ...
   }

or this:

  if (token == null) {
     ...
  }




[jira] Assigned: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner reassigned SHINDIG-463:
------------------------------------

    Assignee: Paul Lindner



[jira] Updated: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner updated SHINDIG-463:
---------------------------------

    Attachment: anontoken.patch

anonymous token patch.




[jira] Updated: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner updated SHINDIG-463:
---------------------------------

    Attachment: anontoken.patch

New patch with actual usage.

Here's the critical code that uses an anonymous token.  We really only need a single implementation of an anonymous token, and it can be a singleton.  In this chunk of the code we assign the anonymous token when it is not present in the request.

This is a good solution because it does not require a ton of custom logic in each SecurityToken implementation; they can just return true.


===================================================================
--- java/common/src/main/java/org/apache/shindig/common/BasicSecurityTokenDecoder.java  (revision 678371)
+++ java/common/src/main/java/org/apache/shindig/common/BasicSecurityTokenDecoder.java  (working copy)
@@ -71,7 +71,8 @@
 
     final String token = parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME);
     if (token == null || token.trim().length() == 0) {
-      throw new SecurityTokenException("Missing security token");
+      // No token is present, assume anonymous access
+      return AnonymousSecurityToken.getInstance();
     }
 
     try {
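
Review bot: In the `token == null || token.trim().length() == 0` branch, a missing or blank token no longer raises SecurityTokenException and instead returns AnonymousSecurityToken.getInstance(), so any caller of this decoder that relied on the exception to refuse unauthenticated requests now continues with an anonymous token. Each caller should be checked for an explicit isAnonymous() test, or be known to read a token field (which, per the issue description, the anonymous token rejects), and the new comment should state that requirement rather than only "assume anonymous access". A test covering both the null and the whitespace-only parameter would pin the behaviour down.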



[jira] Resolved: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Paul Lindner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Lindner resolved SHINDIG-463.
----------------------------------

    Resolution: Fixed

checked in revision 685033




[jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Chris Chabot (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615668#action_12615668 ] 

Chris Chabot commented on SHINDIG-463:
--------------------------------------

Really? When people have to write their service classes, is it easier to explain to them (and have them remember) isAnonymous() or that they should check some variable and see if it's null?

Also is it easier to understand an exception that says "hey silly, you forgot to check if this is an anonymous token" or a "*cloud of smoke and debugging output* you referenced a null variable".

I can't really comment on the java interfaces, but on the PHP side the choice was easy to make :)



[jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615295#action_12615295 ] 

Brian Eaton commented on SHINDIG-463:
-------------------------------------

Rather than creating a separate AnonymousSecurityToken class it might be better to add isAnonymous() to existing classes with an appropriate implementation.  It wouldn't be hard to create a new constructor on BasicSecurityToken for creating anonymous tokens.

Can you add to this patch (or create another patch) showing how the isAnonymous() method would be used elsewhere in Shindig?  I'm not sure I entirely understand what the anonymous token is supposed to accomplish.



[jira] Commented: (SHINDIG-463) Support Anonymous Security Tokens

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12615384#action_12615384 ] 

Brian Eaton commented on SHINDIG-463:
-------------------------------------

What is actually going to use the isAnonymous() method?  This looks like a whole bunch of dead code; we could just as easily return null.
