Posted to dev@shindig.apache.org by et...@apache.org on 2008/01/20 10:57:16 UTC
svn commit: r613526 - in
/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets:
BasicGadgetSigner.java BasicGadgetToken.java GadgetException.java
GadgetSigner.java GadgetToken.java http/ProxyHandler.java
http/ProxyServlet.java
Author: etnu
Date: Sun Jan 20 01:57:15 2008
New Revision: 613526
URL: http://svn.apache.org/viewvc?rev=613526&view=rev
Log:
Initial commit of unified gadget token support, with a very primitive reference implementation and integrated support for using the token in ProxyServlet.
Added:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetSigner.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetToken.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSigner.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetToken.java
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyHandler.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java
Added: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetSigner.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetSigner.java?rev=613526&view=auto
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetSigner.java (added)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetSigner.java Sun Jan 20 01:57:15 2008
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shindig.gadgets;
+
+/**
+ * A GadgetSigner implementation that just provides dummy data to satisfy
+ * tests and API calls. Do not use this for any security applications.
+ */
+public class BasicGadgetSigner implements GadgetSigner {
+ private final long timeToLive;
+
+ /**
+ * {@inheritDoc}
+ */
+ public GadgetToken createToken(Gadget gadget) {
+ String uri = gadget.getId().getURI().toString();
+ long expiry = System.currentTimeMillis() + this.timeToLive;
+ return new BasicGadgetToken(uri + '$' + expiry);
+ }
+
+ /**
+ * {@inheritDoc}
+ * This implementation only validates non-empty tokens. Empty tokens
+ * are considered to always be valid.
+ */
+ public GadgetToken createToken(String stringToken) throws GadgetException {
+ if (stringToken != null && stringToken.length() != 0) {
+ String[] parts = stringToken.split("\\$");
+ if (parts.length != 2) {
+ throw new GadgetException(GadgetException.Code.INVALID_GADGET_TOKEN,
+ "Invalid token format.");
+ }
+ long expiry = Long.parseLong(parts[1]);
+ if (expiry < System.currentTimeMillis()) {
+ throw new GadgetException(GadgetException.Code.INVALID_GADGET_TOKEN,
+ "Expired token.");
+ }
+ }
+ return new BasicGadgetToken(stringToken);
+ }
+
+ /**
+ * Create signer
+ * @param timeToLive
+ */
+ public BasicGadgetSigner(long timeToLive) {
+ this.timeToLive = timeToLive;
+ }
+
+ /**
+ * Creates a signer with 24 hour token expiry
+ */
+ public BasicGadgetSigner() {
+ this(24L * 60 * 60 * 1000);
+ }
+}
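Review bot: `Long.parseLong(parts[1])` in createToken(String) throws an unchecked NumberFormatException when the text after `$` is not a number, and ProxyHandler.extractAndValidateToken catches only GadgetException, so a malformed `t` parameter escapes as a runtime exception instead of INVALID_GADGET_TOKEN. The `split("\\$")` with `parts.length != 2` check also rejects tokens minted by createToken(Gadget) whenever the gadget URI itself contains `$`, which breaks the round trip that GadgetSigner documents. Splitting at the last `$` and mapping the parse failure to GadgetException covers both cases. Separately, the token carries no signature or MAC, so the expiry is whatever the caller supplies; the class comment says this is not for security use, and that warning is worth repeating on createToken(String).

```java
public GadgetToken createToken(String stringToken) throws GadgetException {
  if (stringToken != null && stringToken.length() != 0) {
    // The gadget URI may itself contain '$', so split on the last one only.
    int sep = stringToken.lastIndexOf('$');
    if (sep < 0) {
      throw new GadgetException(GadgetException.Code.INVALID_GADGET_TOKEN,
          "Invalid token format.");
    }
    long expiry;
    try {
      expiry = Long.parseLong(stringToken.substring(sep + 1));
    } catch (NumberFormatException e) {
      throw new GadgetException(GadgetException.Code.INVALID_GADGET_TOKEN,
          "Invalid token expiry.");
    }
    // … unchanged: expiry comparison against System.currentTimeMillis() …
  }
  // … unchanged: return new BasicGadgetToken(stringToken) …
}
```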
Added: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetToken.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetToken.java?rev=613526&view=auto
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetToken.java (added)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/BasicGadgetToken.java Sun Jan 20 01:57:15 2008
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shindig.gadgets;
+
+/**
+ * Primitive token implementation that uses stings as tokens.
+ */
+class BasicGadgetToken implements GadgetToken {
+ private final String token;
+
+ /**
+ * {@inheritDoc}
+ */
+ public String toSerialForm() {
+ return token;
+ }
+
+ /**
+ * Generates a token from an input string
+ * @param token
+ */
+ public BasicGadgetToken(String token) {
+ this.token = token;
+ }
+}
\ No newline at end of file
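Review bot: The constructor stores `token` without a null check, so `toSerialForm()` can return null; BasicGadgetSigner.createToken(String) reaches this path when it is called with a null string. Either normalise with `this.token = token == null ? "" : token;` or state on `@param token` that null is permitted and what toSerialForm() returns in that case. The class comment also has a typo (`stings` for `strings`).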
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java?rev=613526&r1=613525&r2=613526&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java Sun Jan 20 01:57:15 2008
@@ -28,6 +28,7 @@
// User-data related errors.
INVALID_USER_DATA,
+ INVALID_GADGET_TOKEN,
// General xml
EMPTY_XML_DOCUMENT,
Added: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSigner.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSigner.java?rev=613526&view=auto
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSigner.java (added)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSigner.java Sun Jan 20 01:57:15 2008
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shindig.gadgets;
+
+/**
+ * Handles generation of signing tokens for various request types.
+ * Implementations are free to define their own signing parameters in any
+ * way that is suitable for their site.
+ */
+public interface GadgetSigner {
+
+ /**
+ * Generates a token for the given gadget.
+ * Implementations should also add their own user-related context data
+ * to the token.
+ *
+ * @param gadget
+ * @return The token representation of the input data.
+ */
+ public GadgetToken createToken(Gadget gadget);
+
+ /**
+ * Generates a token from an input string. This call must produce a token that
+ * will validate against a token produced directly from a gadget so that the
+ * following function will always returns a valid GadgetToken:
+ *
+ * <code>
+ * GadgetToken testToken(Gadget gadget, GadgetSigner signer) {
+ * GadgetToken token = signer.createToken(gadget);
+ * return signer.createToken(token.toSerialForm());
+ * }
+ * </code>
+ *
+ * @param tokenString String representation of the token to be created.
+ * @return The token representation of the input data.
+ * @throws GadgetException If tokenString is not a valid token
+ */
+ public GadgetToken createToken(String tokenString) throws GadgetException;
+}
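Review bot: The contract of createToken(String) does not say how a null or empty `tokenString` must be treated, yet the reference implementation in this commit accepts the empty string as valid and ProxyHandler maps a missing `t` parameter to `""`. That choice decides whether the token is mandatory at all, so it belongs in the interface, for example `@param tokenString Serialized token; implementations that enforce authentication must reject null or empty values.` The `@param gadget` tag on createToken(Gadget) has no description, and "will always returns" should read "always returns".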
Added: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetToken.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetToken.java?rev=613526&view=auto
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetToken.java (added)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetToken.java Sun Jan 20 01:57:15 2008
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shindig.gadgets;
+
+/**
+ * An abstract representation of a signing token.
+ * Use in conjuction with @code GadgetSigner.
+ */
+public interface GadgetToken {
+
+ /**
+ * Serializes the token into a string. This can be the exact same as
+ * toString; using a different name here is only to force interface
+ * compliance.
+ *
+ * @return A string representation of the token.
+ */
+ public String toSerialForm();
+}
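Review bot: The class comment's `@code GadgetSigner` is not valid inline-tag syntax and will render literally; `{@link GadgetSigner}` is presumably what was meant, and `conjuction` should be `conjunction`. The toSerialForm() comment should also say that the returned string must be accepted by GadgetSigner.createToken(String), since that is the round trip the GadgetSigner Javadoc relies on.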
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyHandler.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyHandler.java?rev=613526&r1=613525&r2=613526&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyHandler.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyHandler.java Sun Jan 20 01:57:15 2008
@@ -1,23 +1,27 @@
/*
- * $Id$
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
- * Copyright 2007 The Apache Software Foundation
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.apache.shindig.gadgets.http;
import org.apache.shindig.gadgets.BasicRemoteContentFetcher;
+import org.apache.shindig.gadgets.GadgetException;
+import org.apache.shindig.gadgets.GadgetSigner;
+import org.apache.shindig.gadgets.GadgetToken;
import org.apache.shindig.gadgets.RemoteContent;
import org.json.JSONException;
import org.json.JSONObject;
@@ -42,11 +46,14 @@
new BasicRemoteContentFetcher(MAX_PROXY_SIZE);
public void fetchJson(HttpServletRequest request,
- HttpServletResponse response)
+ HttpServletResponse response,
+ GadgetSigner signer)
throws ServletException, IOException {
- // TODO: If this request is coming in on a Host: that does not match
- // the configured gadget rendering host, we should check for edit tokens
- // somehow.
+
+ if (signer != null) {
+ // We're just going to toss away the token, but it should exist.
+ extractAndValidateToken(request, signer);
+ }
// Validate url= parameter
URL origin = extractAndValidateUrl(request);
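Review bot: The token returned by `extractAndValidateToken` is discarded in fetchJson (and again in the fetch hunk that follows), so nothing ties the validated token to the `url=` that is then proxied; any token the signer accepts authorises fetching any URL. GadgetToken exposes only toSerialForm() in this commit, so the binding cannot be checked yet, but the comment should say so, e.g. `// TODO: check the token against the requested url once GadgetToken exposes its gadget.` The `signer != null` guard also switches validation off silently when a null signer is passed, and the ProxyServlet(GadgetSigner) constructor does not reject null. Both method bodies continue outside their hunks.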
@@ -73,8 +80,15 @@
}
public void fetch(HttpServletRequest request,
- HttpServletResponse response)
+ HttpServletResponse response,
+ GadgetSigner signer)
throws ServletException, IOException {
+
+ if (signer != null) {
+ // We're just going to toss away the token, but it should exist.
+ extractAndValidateToken(request, signer);
+ }
+
// Validate url= parameter
URL origin = extractAndValidateUrl(request);
@@ -130,6 +144,22 @@
throw new ServletException("Malformed url parameter");
}
return origin;
+ }
+
+ /**
+ * @return A valid token for the given input.
+ */
+ private GadgetToken extractAndValidateToken(HttpServletRequest request,
+ GadgetSigner signer) throws ServletException {
+ String token = request.getParameter("t");
+ if (token == null) {
+ token = "";
+ }
+ try {
+ return signer.createToken(token);
+ } catch (GadgetException e) {
+ throw new ServletException(e);
+ }
}
/**
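Review bot: A request with no `t` parameter is turned into the empty token here, and BasicGadgetSigner documents that empty tokens are always valid, so with the default signer the proxy still serves requests that carry no token, despite the caller comment that the token "should exist". If the token is meant to be required, reject it before calling the signer: `if (token == null || token.length() == 0) { throw new ServletException("Missing gadget token"); }`. Wrapping GadgetException in a bare ServletException will presumably surface as a 500; a 4xx status would describe an invalid or expired token more accurately.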
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java?rev=613526&r1=613525&r2=613526&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java Sun Jan 20 01:57:15 2008
@@ -1,22 +1,26 @@
/*
- * $Id$
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
- * Copyright 2007 The Apache Software Foundation
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.apache.shindig.gadgets.http;
+import org.apache.shindig.gadgets.BasicGadgetSigner;
+import org.apache.shindig.gadgets.GadgetSigner;
+
import java.io.IOException;
import javax.servlet.ServletException;
@@ -26,14 +30,32 @@
public class ProxyServlet extends HttpServlet {
private final static ProxyHandler handler = new ProxyHandler();
+ private final GadgetSigner signer;
+
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String output = request.getParameter("output");
if (output != null && output.equals("js")) {
- handler.fetchJson(request, response);
+ handler.fetchJson(request, response, signer);
} else {
- handler.fetch(request, response);
+ handler.fetch(request, response, signer);
}
+ }
+
+ /**
+ * Constructs a ProxyServlet with the default (non-secure) GadgetSigner.
+ */
+ public ProxyServlet() {
+ this(new BasicGadgetSigner());
+ }
+
+ /**
+ * Creates a ProxyServlet using the specified GadgetSigner.
+ *
+ * @param signer
+ */
+ public ProxyServlet(GadgetSigner signer) {
+ this.signer = signer;
}
}
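Review bot: The no-argument constructor wires in BasicGadgetSigner, whose own class comment says not to use it for any security application, and servlet containers normally instantiate servlets through the no-argument constructor, so a standard deployment would get the unsigned reference signer unless ProxyServlet is subclassed. Consider making the signer selectable at deployment time (for example from an init parameter read in init()), or at least state this limitation in the constructor Javadoc. The ProxyServlet(GadgetSigner) constructor also accepts null, which disables token validation in ProxyHandler; `if (signer == null) { throw new IllegalArgumentException("signer"); }` would make that case explicit.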