You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shindig.apache.org by da...@leroymerlin.fr on 2008/10/02 10:45:58 UTC
CAS Portal with Shindig
Hello,
I'm developping a portal on top of an Open source ECM solution. This
portal embeds shindig to serve opensocial gadgets.
The portal is CAS compliant. Our problem is that when a gadget (for
instance an RSS Reader) wants to access RSS Feed on this portal,
shindig doesn't have the credentials to make the proxied request.
I'm trying to explore the authentication mechanism of shindig, but if
someone has any advice for me (where to begin ? OAuth explanation
etc...) it would be great !
--
Damien METZLER
Ce message et toutes les pièces jointes sont établis à l'attention exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce message, le contenu de ce message ne représente en aucun cas un engagement de la part de Leroy Merlin.
Re: CAS Portal with Shindig
Posted by David Primmer <da...@gmail.com>.
I think what you want to do is use signed fetch - a feature of the
gadget server, but this starts by using gadget security tokens with
your container. Your gadget container should put the id of the logged
in user in the gadget token and includes it in the iframe urls when it
is serving your container page. This token is included when a gadget
does a makeRequest call to get the RSS feed. This is security token is
then available in the gadget server when it receives the makeRequest
call and can send those attributes along to the RSS server in a singed
fetch. The gadget server signs the values that were once in the
security token but are now included as url parameters in a signed
fetch. The gadget server makes the request on behalf of the
user/gadget and all that is left if for the RSS feed server to handle
the signed fetch, verify the signature and return the results
http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/gadgets-reference08#gadgets.io.makeRequest
davep
On Fri, Oct 3, 2008 at 6:46 AM, <da...@leroymerlin.fr> wrote:
> Ok, i begin to understand what OAuth is used for.... and i think it's not
> really what i need....
>
> Let's reexplain :
>
> I have a portal that can hold shindig gadgets (not social, for instance an
> RSS reader). The portal itself serves RSS feed that are protected resources.
> When i want to present a RSS gadget that use a reentrant RSS feed, how can
> shindig proxy bind the portal credentials throw a makeRequest call ?
>
> Let's see an example :
>
> http//myportal/site/veryprivatedocs/globalEarnings.rss is a feed that only
> me can see
>
> http://myportal/site/mydashboard is a collection of RSS Feeds gadgets and
> one of this gadget points to the precedent feed.
>
> In this case, the portal (the container) renders an iframe with the RSS
> gadget that calls gadgets.io.makeRequest method that binds to the
> makeRequest servlet of shindig.
>
> But how can the shindig servlet authentify itself as the same user of the
> portal (me) ?
>
> Thx for the explanations
>
>
>
>
>
> Le 2 oct. 08 à 11:59, Ian Boston a écrit :
>
>> My understanding of CAS is that is that its a WebISO type Authentication
>> System between browser and server, uses browser redirects to a central CAS
>> server for authenticating the user and then redirects back to the target
>> application. I cant remember if there is a server to server credential
>> exchange or if all credential exchange is via the browser (like WebAuth).
>>
>> OAuth is a server to server authorization mechanism that allows a User the
>> ability to grant a server to talk to another server and perform specific
>> operations. eg MySpace can display your Flickr album once you have told
>> Flickr that its Ok, and transported the OAuth token back from Flickr to
>> MySpace so that the MySpace servers can contact the Flickr web service
>> directly.
>>
>>
>> So Shindig + CAS.
>>
>> Shingid itself doesn't authenticate the User, as its only re reference
>> implementation of the standard and not a full blown Social Network
>> Application. To make Shindig embedded into an application you would put a
>> CAS filter (either at mod_cas, or as a Servlet Filter) over the URLs that
>> need protecting, probably just the social-api urls.
>>
>> Then in your implementation of the Service Provider Interfaces you would
>> bind to the CAS credentials and use that to ensure that the service requests
>> from the social API are bound to the logged in user attached to the request
>> thread.
>>
>> Does that make sense, if not say and I can point you to the code that you
>> need to implement.
>>
>> Ian
>>
>> On 2 Oct 2008, at 09:45, <da...@leroymerlin.fr>
>> <da...@leroymerlin.fr> wrote:
>>
>>> Hello,
>>>
>>> I'm developping a portal on top of an Open source ECM solution. This
>>> portal embeds shindig to serve opensocial gadgets.
>>>
>>> The portal is CAS compliant. Our problem is that when a gadget (for
>>> instance an RSS Reader) wants to access RSS Feed on this portal,
>>> shindig doesn't have the credentials to make the proxied request.
>>>
>>> I'm trying to explore the authentication mechanism of shindig, but if
>>> someone has any advice for me (where to begin ? OAuth explanation
>>> etc...) it would be great !
>>>
>>> --
>>> Damien METZLER
>>>
>>>
>>>
>>>
>>> Ce message et toutes les pièces jointes sont établis à l'attention
>>> exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce
>>> message par erreur, merci de le détruire et d'en avertir immédiatement
>>> l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce
>>> message, le contenu de ce message ne représente en aucun cas un engagement
>>> de la part de Leroy Merlin.
>>>
>>
>
> --
> Damien METZLER
> SIF - Leroy Merlin France - Tel : 03 28 80 89 03
>
>
RE: CAS Portal with Shindig
Posted by "Parrott, Justin" <JP...@medplus.com>.
What I was going to do was set up a DB that has a list of the gadget links and size dimensions based off of the user's preferences and just call that.
-----Original Message-----
From: damien.metzler@leroymerlin.fr [mailto:damien.metzler@leroymerlin.fr]
Sent: Friday, October 03, 2008 9:47 AM
To: shindig-dev@incubator.apache.org
Subject: Re: CAS Portal with Shindig
Ok, i begin to understand what OAuth is used for.... and i think it's
not really what i need....
Let's reexplain :
I have a portal that can hold shindig gadgets (not social, for
instance an RSS reader). The portal itself serves RSS feed that are
protected resources.
When i want to present a RSS gadget that use a reentrant RSS feed, how
can shindig proxy bind the portal credentials throw a makeRequest call ?
Let's see an example :
http//myportal/site/veryprivatedocs/globalEarnings.rss is a feed that
only me can see
http://myportal/site/mydashboard is a collection of RSS Feeds gadgets
and one of this gadget points to the precedent feed.
In this case, the portal (the container) renders an iframe with the
RSS gadget that calls gadgets.io.makeRequest method that binds to the
makeRequest servlet of shindig.
But how can the shindig servlet authentify itself as the same user of
the portal (me) ?
Thx for the explanations
Le 2 oct. 08 à 11:59, Ian Boston a écrit :
> My understanding of CAS is that is that its a WebISO type
> Authentication System between browser and server, uses browser
> redirects to a central CAS server for authenticating the user and
> then redirects back to the target application. I cant remember if
> there is a server to server credential exchange or if all credential
> exchange is via the browser (like WebAuth).
>
> OAuth is a server to server authorization mechanism that allows a
> User the ability to grant a server to talk to another server and
> perform specific operations. eg MySpace can display your Flickr
> album once you have told Flickr that its Ok, and transported the
> OAuth token back from Flickr to MySpace so that the MySpace servers
> can contact the Flickr web service directly.
>
>
> So Shindig + CAS.
>
> Shingid itself doesn't authenticate the User, as its only re
> reference implementation of the standard and not a full blown Social
> Network Application. To make Shindig embedded into an application
> you would put a CAS filter (either at mod_cas, or as a Servlet
> Filter) over the URLs that need protecting, probably just the social-
> api urls.
>
> Then in your implementation of the Service Provider Interfaces you
> would bind to the CAS credentials and use that to ensure that the
> service requests from the social API are bound to the logged in user
> attached to the request thread.
>
> Does that make sense, if not say and I can point you to the code
> that you need to implement.
>
> Ian
>
> On 2 Oct 2008, at 09:45, <da...@leroymerlin.fr> <damien.metzler@leroymerlin.fr
> > wrote:
>
>> Hello,
>>
>> I'm developping a portal on top of an Open source ECM solution. This
>> portal embeds shindig to serve opensocial gadgets.
>>
>> The portal is CAS compliant. Our problem is that when a gadget (for
>> instance an RSS Reader) wants to access RSS Feed on this portal,
>> shindig doesn't have the credentials to make the proxied request.
>>
>> I'm trying to explore the authentication mechanism of shindig, but if
>> someone has any advice for me (where to begin ? OAuth explanation
>> etc...) it would be great !
>>
>> --
>> Damien METZLER
>>
>>
>>
>>
>> Ce message et toutes les pièces jointes sont établis à l'attention
>> exclusive de leurs destinataires et sont confidentiels. Si vous
>> recevez ce message par erreur, merci de le détruire et d'en avertir
>> immédiatement l'expéditeur. L'internet ne permettant pas d'assurer
>> l'intégrité de ce message, le contenu de ce message ne représente
>> en aucun cas un engagement de la part de Leroy Merlin.
>>
>
--
Damien METZLER
SIF - Leroy Merlin France - Tel : 03 28 80 89 03
Confidentiality Notice: The information contained in this electronic transmission is confidential and may be legally privileged. It is intended only for the addressee(s) named above. If you are not an intended recipient, be aware that any disclosure, copying, distribution or use of the information contained in this transmission is prohibited and may be unlawful. If you have received this transmission in error, please notify us by telephone (513) 229-5500 or by email (postmaster@MedPlus.com). After replying, please erase it from your computer system.
Re: CAS Portal with Shindig
Posted by Ian Boston <ie...@tfd.co.uk>.
Assuming that the iframe and the container point to the same server,
both will or should come under the same authentication scheme.
I would expect that the user ID is stored in a session object, after
authentication has been performed. Session objects are usually
identified by a session cookie on each request, so the iframe and the
container both send the same cookie back to the shindig server.
However.
If the iframe is not coming from the same server as the container,
then they will need to sign into both server.... unless both servers
are configured with CAS and there is no prompt required once you have
logged into the container.
Ian
On 3 Oct 2008, at 14:46, <da...@leroymerlin.fr> wrote:
> But how can the shindig servlet authentify itself as the same user
> of the portal (me) ?
Re: CAS Portal with Shindig
Posted by da...@leroymerlin.fr.
Ok, i begin to understand what OAuth is used for.... and i think it's
not really what i need....
Let's reexplain :
I have a portal that can hold shindig gadgets (not social, for
instance an RSS reader). The portal itself serves RSS feed that are
protected resources.
When i want to present a RSS gadget that use a reentrant RSS feed, how
can shindig proxy bind the portal credentials throw a makeRequest call ?
Let's see an example :
http//myportal/site/veryprivatedocs/globalEarnings.rss is a feed that
only me can see
http://myportal/site/mydashboard is a collection of RSS Feeds gadgets
and one of this gadget points to the precedent feed.
In this case, the portal (the container) renders an iframe with the
RSS gadget that calls gadgets.io.makeRequest method that binds to the
makeRequest servlet of shindig.
But how can the shindig servlet authentify itself as the same user of
the portal (me) ?
Thx for the explanations
Le 2 oct. 08 à 11:59, Ian Boston a écrit :
> My understanding of CAS is that is that its a WebISO type
> Authentication System between browser and server, uses browser
> redirects to a central CAS server for authenticating the user and
> then redirects back to the target application. I cant remember if
> there is a server to server credential exchange or if all credential
> exchange is via the browser (like WebAuth).
>
> OAuth is a server to server authorization mechanism that allows a
> User the ability to grant a server to talk to another server and
> perform specific operations. eg MySpace can display your Flickr
> album once you have told Flickr that its Ok, and transported the
> OAuth token back from Flickr to MySpace so that the MySpace servers
> can contact the Flickr web service directly.
>
>
> So Shindig + CAS.
>
> Shingid itself doesn't authenticate the User, as its only re
> reference implementation of the standard and not a full blown Social
> Network Application. To make Shindig embedded into an application
> you would put a CAS filter (either at mod_cas, or as a Servlet
> Filter) over the URLs that need protecting, probably just the social-
> api urls.
>
> Then in your implementation of the Service Provider Interfaces you
> would bind to the CAS credentials and use that to ensure that the
> service requests from the social API are bound to the logged in user
> attached to the request thread.
>
> Does that make sense, if not say and I can point you to the code
> that you need to implement.
>
> Ian
>
> On 2 Oct 2008, at 09:45, <da...@leroymerlin.fr> <damien.metzler@leroymerlin.fr
> > wrote:
>
>> Hello,
>>
>> I'm developping a portal on top of an Open source ECM solution. This
>> portal embeds shindig to serve opensocial gadgets.
>>
>> The portal is CAS compliant. Our problem is that when a gadget (for
>> instance an RSS Reader) wants to access RSS Feed on this portal,
>> shindig doesn't have the credentials to make the proxied request.
>>
>> I'm trying to explore the authentication mechanism of shindig, but if
>> someone has any advice for me (where to begin ? OAuth explanation
>> etc...) it would be great !
>>
>> --
>> Damien METZLER
>>
>>
>>
>>
>> Ce message et toutes les pièces jointes sont établis à l'attention
>> exclusive de leurs destinataires et sont confidentiels. Si vous
>> recevez ce message par erreur, merci de le détruire et d'en avertir
>> immédiatement l'expéditeur. L'internet ne permettant pas d'assurer
>> l'intégrité de ce message, le contenu de ce message ne représente
>> en aucun cas un engagement de la part de Leroy Merlin.
>>
>
--
Damien METZLER
SIF - Leroy Merlin France - Tel : 03 28 80 89 03
Re: CAS Portal with Shindig
Posted by Ian Boston <ie...@tfd.co.uk>.
My understanding of CAS is that is that its a WebISO type
Authentication System between browser and server, uses browser
redirects to a central CAS server for authenticating the user and
then redirects back to the target application. I cant remember if
there is a server to server credential exchange or if all credential
exchange is via the browser (like WebAuth).
OAuth is a server to server authorization mechanism that allows a
User the ability to grant a server to talk to another server and
perform specific operations. eg MySpace can display your Flickr album
once you have told Flickr that its Ok, and transported the OAuth
token back from Flickr to MySpace so that the MySpace servers can
contact the Flickr web service directly.
So Shindig + CAS.
Shingid itself doesn't authenticate the User, as its only re
reference implementation of the standard and not a full blown Social
Network Application. To make Shindig embedded into an application you
would put a CAS filter (either at mod_cas, or as a Servlet Filter)
over the URLs that need protecting, probably just the social-api urls.
Then in your implementation of the Service Provider Interfaces you
would bind to the CAS credentials and use that to ensure that the
service requests from the social API are bound to the logged in user
attached to the request thread.
Does that make sense, if not say and I can point you to the code that
you need to implement.
Ian
On 2 Oct 2008, at 09:45, <da...@leroymerlin.fr>
<da...@leroymerlin.fr> wrote:
> Hello,
>
> I'm developping a portal on top of an Open source ECM solution. This
> portal embeds shindig to serve opensocial gadgets.
>
> The portal is CAS compliant. Our problem is that when a gadget (for
> instance an RSS Reader) wants to access RSS Feed on this portal,
> shindig doesn't have the credentials to make the proxied request.
>
> I'm trying to explore the authentication mechanism of shindig, but if
> someone has any advice for me (where to begin ? OAuth explanation
> etc...) it would be great !
>
> --
> Damien METZLER
>
>
>
>
> Ce message et toutes les pièces jointes sont établis à l'attention
> exclusive de leurs destinataires et sont confidentiels. Si vous
> recevez ce message par erreur, merci de le détruire et d'en avertir
> immédiatement l'expéditeur. L'internet ne permettant pas d'assurer
> l'intégrité de ce message, le contenu de ce message ne représente
> en aucun cas un engagement de la part de Leroy Merlin.
>