Posted to dev@shindig.apache.org by da...@leroymerlin.fr on 2008/10/02 10:45:58 UTC

CAS Portal with Shindig

Hello,

I'm developing a portal on top of an open source ECM solution. This  
portal embeds Shindig to serve OpenSocial gadgets.

The portal is CAS compliant. Our problem is that when a gadget (for  
instance an RSS reader) wants to access an RSS feed on this portal,  
Shindig doesn't have the credentials to make the proxied request.

I'm trying to explore the authentication mechanism of Shindig, but if  
someone has any advice for me (where to begin? OAuth explanation,  
etc.) it would be great!

--
Damien METZLER




This message and any attachments are intended exclusively for their addressees and are confidential. If you receive this message in error, please destroy it and notify the sender immediately. As the Internet cannot guarantee the integrity of this message, its content in no way represents a commitment on the part of Leroy Merlin.


Re: CAS Portal with Shindig

Posted by David Primmer <da...@gmail.com>.
I think what you want to do is use signed fetch - a feature of the
gadget server, but this starts by using gadget security tokens with
your container. Your gadget container should put the id of the logged
in user in the gadget token and include it in the iframe urls when it
is serving your container page. This token is included when a gadget
does a makeRequest call to get the RSS feed. This security token is
then available in the gadget server when it receives the makeRequest
call and can send those attributes along to the RSS server in a signed
fetch. The gadget server signs the values that were once in the
security token but are now included as url parameters in a signed
fetch. The gadget server makes the request on behalf of the
user/gadget and all that is left is for the RSS feed server to handle
the signed fetch, verify the signature and return the results.

http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/gadgets-reference08#gadgets.io.makeRequest

davep

On Fri, Oct 3, 2008 at 6:46 AM,  <da...@leroymerlin.fr> wrote:
> Ok, I begin to understand what OAuth is used for... and I think it's not
> really what I need...
>
> Let me explain again:
>
> I have a portal that can hold Shindig gadgets (not social, for instance an
> RSS reader). The portal itself serves RSS feeds that are protected resources.
> When I want to present an RSS gadget that uses a reentrant RSS feed, how can
> the Shindig proxy bind the portal credentials through a makeRequest call?
>
> Let's see an example:
>
> http://myportal/site/veryprivatedocs/globalEarnings.rss is a feed that only
> I can see.
>
> http://myportal/site/mydashboard is a collection of RSS feed gadgets, and
> one of these gadgets points to the preceding feed.
>
> In this case, the portal (the container) renders an iframe with the RSS
> gadget that calls the gadgets.io.makeRequest method, which binds to the
> makeRequest servlet of Shindig.
>
> But how can the Shindig servlet authenticate itself as the same user as the
> portal (me)?
>
> Thx for the explanations
> --
> Damien METZLER
> SIF - Leroy Merlin France - Tel : 03 28 80 89 03
>
>
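The flow described in this reply, as an added worked example that is not part of the thread and not Shindig's own code: the container mints a security token for the iframe URL, the gadget server turns the token's attributes into signed opensocial_* parameters on the feed request, and the feed server verifies the signature before it trusts opensocial_viewer_id. Everything below that is not in the mail is an assumption chosen to keep the example self-contained: the token format, the HMAC keys, CONSUMER_KEY, the gadget URL and the ACL are constructed, and HMAC-SHA1 with a shared secret stands in for the RSA-SHA1 signature that Shindig's signed fetch uses with a key the container publishes. The feed URL is the one from Damien's mail.

```python
# Added example, not Shindig's code: container token -> signed fetch -> feed check.
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import uuid

# Constructed secrets: TOKEN_KEY is shared by container and gadget server,
# SIGNING_SECRET by gadget server and feed server. (Real Shindig signs fetches
# with RSA-SHA1 and a published key; HMAC keeps this demo dependency-free.)
TOKEN_KEY = b"container-token-key-CHANGE-ME"
SIGNING_SECRET = b"gadget-server-oauth-secret-CHANGE-ME"
CONSUMER_KEY = "myportal-gadget-server"   # constructed consumer name
MAX_CLOCK_SKEW = 300                      # seconds a signed request stays valid

# Container side: after its CAS filter has identified the user, the container
# binds viewer/owner/app into a MAC-protected token placed in the iframe URL.
def mint_security_token(viewer_id, owner_id, app_url):
    body = json.dumps({"v": viewer_id, "o": owner_id, "a": app_url,
                       "t": int(time.time())}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

# Gadget server side: nothing in the token is trusted until its MAC verifies.
def verify_security_token(token):
    payload, sep, mac = token.rpartition(":")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("invalid security token")
    return json.loads(base64.urlsafe_b64decode(payload.encode()))

# OAuth 1.0 signature base string and HMAC-SHA1 (RFC 5849 section 3.4).
def _pct(value):
    return urllib.parse.quote(str(value), safe="~")

def oauth_hmac_sha1(method, base_url, params, consumer_secret):
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    base_string = "&".join([method.upper(), _pct(base_url), _pct(normalized)])
    key = (_pct(consumer_secret.decode()) + "&").encode()   # empty token secret
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def _split_url(url):
    parts = urllib.parse.urlsplit(url)
    base = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return base, dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))

# Gadget server side, makeRequest with AUTHORIZATION=SIGNED: the values that
# sat in the security token become signed opensocial_* URL parameters.
def signed_fetch(security_token, method, feed_url):
    tok = verify_security_token(security_token)
    base_url, params = _split_url(feed_url)
    params.update({"opensocial_viewer_id": tok["v"], "opensocial_owner_id": tok["o"],
                   "opensocial_app_url": tok["a"], "oauth_consumer_key": CONSUMER_KEY,
                   "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
                   "oauth_timestamp": str(int(time.time())), "oauth_nonce": uuid.uuid4().hex})
    params["oauth_signature"] = oauth_hmac_sha1(method, base_url, params, SIGNING_SECRET)
    return method, base_url + "?" + urllib.parse.urlencode(params)

# Feed server side: check consumer, freshness, signature and nonce before the
# signed viewer id is used for the access-control decision.
_seen_nonces = set()

def handle_feed_request(method, request_url, feed_acl):
    base_url, params = _split_url(request_url)
    presented = params.pop("oauth_signature", "")
    if params.get("oauth_consumer_key") != CONSUMER_KEY:
        return 401, "unknown consumer"
    ts = params.get("oauth_timestamp", "")
    if not ts.isdigit() or abs(time.time() - int(ts)) > MAX_CLOCK_SKEW:
        return 401, "missing or stale timestamp"
    expected = oauth_hmac_sha1(method, base_url, params, SIGNING_SECRET)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, "bad signature"        # any altered parameter lands here
    nonce = (CONSUMER_KEY, ts, params.get("oauth_nonce", ""))
    if nonce in _seen_nonces:
        return 401, "replayed request"
    _seen_nonces.add(nonce)
    viewer = params.get("opensocial_viewer_id")
    if viewer not in feed_acl.get(base_url, ()):
        return 403, "viewer not allowed to read this feed"
    return 200, f"<rss><!-- constructed feed body for {viewer} --></rss>"

def demo():
    feed = "http://myportal/site/veryprivatedocs/globalEarnings.rss"
    acl = {feed: {"damien"}}                        # only Damien may read it
    app = "http://myportal/gadgets/rss-reader.xml"  # constructed gadget URL
    method, url = signed_fetch(mint_security_token("damien", "damien", app), "GET", feed)
    ok = handle_feed_request(method, url, acl)
    forged = handle_feed_request(method, url.replace("opensocial_viewer_id=damien",
                                                     "opensocial_viewer_id=mallory"), acl)
    replayed = handle_feed_request(method, url, acl)
    method, url = signed_fetch(mint_security_token("mallory", "damien", app), "GET", feed)
    other_viewer = handle_feed_request(method, url, acl)
    return ok, forged, replayed, other_viewer

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On the gadget side the opt-in is the AUTHORIZATION request parameter set to gadgets.io.AuthorizationType.SIGNED in the makeRequest call (see the spec link above). Two points the demo makes explicit: the CAS identity enters this path only through the token the container mints, so the container must mint it after its CAS filter has authenticated the request; and the feed server must verify the signature, timestamp and nonce before it reads opensocial_viewer_id, otherwise a client could simply append a viewer id of its choosing.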

RE: CAS Portal with Shindig

Posted by "Parrott, Justin" <JP...@medplus.com>.
What I was going to do was set up a DB that has a list of the gadget links and size dimensions based off of the user's preferences and just call that.

-----Original Message-----
From: damien.metzler@leroymerlin.fr [mailto:damien.metzler@leroymerlin.fr] 
Sent: Friday, October 03, 2008 9:47 AM
To: shindig-dev@incubator.apache.org
Subject: Re: CAS Portal with Shindig

Ok, I begin to understand what OAuth is used for... and I think it's  
not really what I need...

Let me explain again:

I have a portal that can hold Shindig gadgets (not social, for  
instance an RSS reader). The portal itself serves RSS feeds that are  
protected resources.
When I want to present an RSS gadget that uses a reentrant RSS feed, how  
can the Shindig proxy bind the portal credentials through a makeRequest call?

Let's see an example:

http://myportal/site/veryprivatedocs/globalEarnings.rss is a feed that  
only I can see.

http://myportal/site/mydashboard is a collection of RSS feed gadgets  
and one of these gadgets points to the preceding feed.

In this case, the portal (the container) renders an iframe with the  
RSS gadget that calls the gadgets.io.makeRequest method, which binds to the  
makeRequest servlet of Shindig.

But how can the Shindig servlet authenticate itself as the same user as  
the portal (me)?

Thanks for the explanations


--
Damien METZLER
SIF - Leroy Merlin France - Tel : 03 28 80 89 03











Confidentiality Notice: The information contained in this electronic transmission is confidential and may be legally privileged. It is intended only for the addressee(s) named above. If you are not an intended recipient, be aware that any disclosure, copying, distribution or use of the information contained in this transmission is prohibited and may be unlawful. If you have received this transmission in error, please notify us by telephone (513) 229-5500 or by email (postmaster@MedPlus.com). After replying, please erase it from your computer system.




Re: CAS Portal with Shindig

Posted by Ian Boston <ie...@tfd.co.uk>.
Assuming that the iframe and the container point to the same server,  
both will, or should, come under the same authentication scheme.

I would expect that the user ID is stored in a session object after  
authentication has been performed. Session objects are usually  
identified by a session cookie on each request, so the iframe and the  
container both send the same cookie back to the Shindig server.

However.
If the iframe is not coming from the same server as the container,  
then they will need to sign into both servers... unless both servers  
are configured with CAS and there is no prompt required once you have  
logged into the container.


Ian

On 3 Oct 2008, at 14:46, <da...@leroymerlin.fr> wrote:

> But how can the Shindig servlet authenticate itself as the same user  
> as the portal (me)?


Re: CAS Portal with Shindig

Posted by da...@leroymerlin.fr.
Ok, I begin to understand what OAuth is used for... and I think it's  
not really what I need...

Let me explain again:

I have a portal that can hold Shindig gadgets (not social, for  
instance an RSS reader). The portal itself serves RSS feeds that are  
protected resources.
When I want to present an RSS gadget that uses a reentrant RSS feed, how  
can the Shindig proxy bind the portal credentials through a makeRequest call?

Let's see an example:

http://myportal/site/veryprivatedocs/globalEarnings.rss is a feed that  
only I can see.

http://myportal/site/mydashboard is a collection of RSS feed gadgets  
and one of these gadgets points to the preceding feed.

In this case, the portal (the container) renders an iframe with the  
RSS gadget that calls the gadgets.io.makeRequest method, which binds to the  
makeRequest servlet of Shindig.

But how can the Shindig servlet authenticate itself as the same user as  
the portal (me)?

Thanks for the explanations





On 2 Oct 2008, at 11:59, Ian Boston wrote:

> My understanding of CAS is that it is a WebISO-type  
> Authentication System between browser and server, uses browser  
> redirects to a central CAS server for authenticating the user and  
> then redirects back to the target application. I can't remember if  
> there is a server to server credential exchange or if all credential  
> exchange is via the browser (like WebAuth).
>
> OAuth is a server to server authorization mechanism that allows a  
> User to grant a server permission to talk to another server and  
> perform specific operations. e.g. MySpace can display your Flickr  
> album once you have told Flickr that it's Ok, and transported the  
> OAuth token back from Flickr to MySpace so that the MySpace servers  
> can contact the Flickr web service directly.
>
>
> So Shindig + CAS.
>
> Shindig itself doesn't authenticate the User, as it's only a  
> reference implementation of the standard and not a full blown Social  
> Network Application. To embed Shindig into an application  
> you would put a CAS filter (either at mod_cas, or as a Servlet  
> Filter) over the URLs that need protecting, probably just the social-api urls.
>
> Then in your implementation of the Service Provider Interfaces you  
> would bind to the CAS credentials and use that to ensure that the  
> service requests from the social API are bound to the logged in user  
> attached to the request thread.
>
> Does that make sense? If not, say so and I can point you to the code  
> that you need to implement.
>
> Ian

--
Damien METZLER
SIF - Leroy Merlin France - Tel : 03 28 80 89 03


Re: CAS Portal with Shindig

Posted by Ian Boston <ie...@tfd.co.uk>.
My understanding of CAS is that it is a WebISO-type  
Authentication System between browser and server, uses browser  
redirects to a central CAS server for authenticating the user and  
then redirects back to the target application. I can't remember if  
there is a server to server credential exchange or if all credential  
exchange is via the browser (like WebAuth).

OAuth is a server to server authorization mechanism that allows a  
User to grant a server permission to talk to another server and  
perform specific operations. e.g. MySpace can display your Flickr album  
once you have told Flickr that it's Ok, and transported the OAuth  
token back from Flickr to MySpace so that the MySpace servers can  
contact the Flickr web service directly.


So Shindig + CAS.

Shindig itself doesn't authenticate the User, as it's only a  
reference implementation of the standard and not a full blown Social  
Network Application. To embed Shindig into an application you  
would put a CAS filter (either at mod_cas, or as a Servlet Filter)  
over the URLs that need protecting, probably just the social-api urls.

Then in your implementation of the Service Provider Interfaces you  
would bind to the CAS credentials and use that to ensure that the  
service requests from the social API are bound to the logged in user  
attached to the request thread.

Does that make sense? If not, say so and I can point you to the code that  
you need to implement.

Ian

On 2 Oct 2008, at 09:45, <da...@leroymerlin.fr>  
<da...@leroymerlin.fr> wrote:

> Hello,
>
> I'm developing a portal on top of an open source ECM solution. This
> portal embeds Shindig to serve OpenSocial gadgets.
>
> The portal is CAS compliant. Our problem is that when a gadget (for
> instance an RSS reader) wants to access an RSS feed on this portal,
> Shindig doesn't have the credentials to make the proxied request.
>
> I'm trying to explore the authentication mechanism of Shindig, but if
> someone has any advice for me (where to begin? OAuth explanation,
> etc.) it would be great!
>
> --
> Damien METZLER
>
>
>
>
>