Posted to dev@shindig.apache.org by daviesd <da...@oclc.org> on 2011/08/03 21:51:29 UTC
Allow Unauthenticated
I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
from being made unless shindig.auth.updateSecurityToken has been called. If
I enable secure tokens and I set the token to something in clear text, it
denies the rpc requests as it should. Providing the encrypted token then
works. However if I don't call updateSecurityToken at all then it uses the
AnonymousSecurityToken and the call succeeds. I don't want this.
I tried setting
shindig.allowUnauthenticated=false
in shindig.properties, thinking this would enforce it; it appears to be
used inside AnonymousSecurityToken.
Ideas?
Doug
Re: Allow Unauthenticated
Posted by daviesd <da...@oclc.org>.
Argh! Has anyone else worked around this issue? I'll see about providing a
patch.
doug
On 8/3/11 5:05 PM, "Henry Saputra" <he...@gmail.com> wrote:
> Ah yes, looks like issue SHINDIG-1454 =(
> I was trying it with REST call, sorry.
>
> However as issue SHINDIG-1455 mentioned, turning off Anonymous ST will
> make the osapi libs not load properly.
>
> - Henry
>
> 2011/8/3 daviesd <da...@oclc.org>:
>> Hmmm... good observation. However, I switched them around, still no
>> success... I wonder if this has to do with
>>
>> https://issues.apache.org/jira/browse/SHINDIG-1454
>> and
>> https://issues.apache.org/jira/browse/SHINDIG-1455
>>
>> doug
>>
>> On 8/3/11 4:34 PM, "Henry Saputra" <he...@gmail.com> wrote:
>>
>>> It's happening in the code. See SocialApiGuiceModule class:
>>>
>>> public class SocialApiGuiceModule extends AbstractModule {
>>>
>>>   /** {@inheritDoc} */
>>>   @Override
>>>   protected void configure() {
>>>
>>>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>>>         .to(DataServiceServletFetcher.class);
>>>
>>>     bind(Boolean.class)
>>>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>>>         .toInstance(Boolean.TRUE);
>>>
>>>
>>> Since the SocialApiGuiceModule is listed later than PropertiesModule,
>>> it overrides the binding of the shindig.allowUnauthenticated property.
>>>
>>> - Henry
>>>
>>> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <da...@oclc.org> wrote:
>>>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>>>> from being made unless shindig.auth.updateSecurityToken has been called. If
>>>> I enable secure tokens and I set the token to something in clear text, it
>>>> denies the rpc requests as it should. Providing the encrypted token then
>>>> works. However if I don't call updateSecurityToken at all then it uses the
>>>> AnonymousSecurityToken and the call succeeds. I don't want this.
>>>>
>>>> I tried setting
>>>>
>>>> shindig.allowUnauthenticated=false
>>>>
>>>> in shindig.properties, thinking this would enforce it; it appears to be
>>>> used inside AnonymousSecurityToken.
>>>>
>>>> Ideas?
>>>>
>>>> Doug
>>>>
>>>>
>>>
>>
>>
>>
>
Re: Allow Unauthenticated
Posted by Henry Saputra <he...@gmail.com>.
Ah yes, looks like issue SHINDIG-1454 =(
I was trying it with REST call, sorry.
However as issue SHINDIG-1455 mentioned, turning off Anonymous ST will
make the osapi libs not load properly.
- Henry
2011/8/3 daviesd <da...@oclc.org>:
> Hmmm... good observation. However, I switched them around, still no
> success... I wonder if this has to do with
>
> https://issues.apache.org/jira/browse/SHINDIG-1454
> and
> https://issues.apache.org/jira/browse/SHINDIG-1455
>
> doug
>
> On 8/3/11 4:34 PM, "Henry Saputra" <he...@gmail.com> wrote:
>
>> It's happening in the code. See SocialApiGuiceModule class:
>>
>> public class SocialApiGuiceModule extends AbstractModule {
>>
>>   /** {@inheritDoc} */
>>   @Override
>>   protected void configure() {
>>
>>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>>         .to(DataServiceServletFetcher.class);
>>
>>     bind(Boolean.class)
>>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>>         .toInstance(Boolean.TRUE);
>>
>>
>> Since the SocialApiGuiceModule is listed later than PropertiesModule,
>> it overrides the binding of the shindig.allowUnauthenticated property.
>>
>> - Henry
>>
>> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <da...@oclc.org> wrote:
>>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>>> from being made unless shindig.auth.updateSecurityToken has been called. If
>>> I enable secure tokens and I set the token to something in clear text, it
>>> denies the rpc requests as it should. Providing the encrypted token then
>>> works. However if I don't call updateSecurityToken at all then it uses the
>>> AnonymousSecurityToken and the call succeeds. I don't want this.
>>>
>>> I tried setting
>>>
>>> shindig.allowUnauthenticated=false
>>>
>>> in shindig.properties, thinking this would enforce it; it appears to be
>>> used inside AnonymousSecurityToken.
>>>
>>> Ideas?
>>>
>>> Doug
>>>
>>>
>>
>
>
>
Re: Allow Unauthenticated
Posted by daviesd <da...@oclc.org>.
Hmmm... good observation. However, I switched them around, still no
success... I wonder if this has to do with
https://issues.apache.org/jira/browse/SHINDIG-1454
and
https://issues.apache.org/jira/browse/SHINDIG-1455
doug
On 8/3/11 4:34 PM, "Henry Saputra" <he...@gmail.com> wrote:
> It's happening in the code. See SocialApiGuiceModule class:
>
> public class SocialApiGuiceModule extends AbstractModule {
>
>   /** {@inheritDoc} */
>   @Override
>   protected void configure() {
>
>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>         .to(DataServiceServletFetcher.class);
>
>     bind(Boolean.class)
>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>         .toInstance(Boolean.TRUE);
>
>
> Since the SocialApiGuiceModule is listed later than PropertiesModule,
> it overrides the binding of the shindig.allowUnauthenticated property.
>
> - Henry
>
> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <da...@oclc.org> wrote:
>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>> from being made unless shindig.auth.updateSecurityToken has been called. If
>> I enable secure tokens and I set the token to something in clear text, it
>> denies the rpc requests as it should. Providing the encrypted token then
>> works. However if I don't call updateSecurityToken at all then it uses the
>> AnonymousSecurityToken and the call succeeds. I don't want this.
>>
>> I tried setting
>>
>> shindig.allowUnauthenticated=false
>>
>> in shindig.properties, thinking this would enforce it; it appears to be
>> used inside AnonymousSecurityToken.
>>
>> Ideas?
>>
>> Doug
>>
>>
>
Re: Allow Unauthenticated
Posted by daviesd <da...@oclc.org>.
Henry,
Ya, even if I put the SocialApiGuiceModule before the PropertiesModule I
still see the constructor for AnonymousAuthenticationHandler getting
injected with the value of TRUE for allowUnauthenticated, even though I have
shindig.allowUnauthenticated=false
in my shindig.properties. Is this not what you were seeing?
doug
On 8/3/11 4:34 PM, "Henry Saputra" <he...@gmail.com> wrote:
> It's happening in the code. See SocialApiGuiceModule class:
>
> public class SocialApiGuiceModule extends AbstractModule {
>
>   /** {@inheritDoc} */
>   @Override
>   protected void configure() {
>
>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>         .to(DataServiceServletFetcher.class);
>
>     bind(Boolean.class)
>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>         .toInstance(Boolean.TRUE);
>
>
> Since the SocialApiGuiceModule is listed later than PropertiesModule,
> it overrides the binding of the shindig.allowUnauthenticated property.
>
> - Henry
>
> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <da...@oclc.org> wrote:
>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>> from being made unless shindig.auth.updateSecurityToken has been called. If
>> I enable secure tokens and I set the token to something in clear text, it
>> denies the rpc requests as it should. Providing the encrypted token then
>> works. However if I don't call updateSecurityToken at all then it uses the
>> AnonymousSecurityToken and the call succeeds. I don't want this.
>>
>> I tried setting
>>
>> shindig.allowUnauthenticated=false
>>
>> in shindig.properties, thinking this would enforce it; it appears to be
>> used inside AnonymousSecurityToken.
>>
>> Ideas?
>>
>> Doug
>>
>>
>
Re: Allow Unauthenticated
Posted by Henry Saputra <he...@gmail.com>.
It's happening in the code. See SocialApiGuiceModule class:

public class SocialApiGuiceModule extends AbstractModule {

  /** {@inheritDoc} */
  @Override
  protected void configure() {

    bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
        .to(DataServiceServletFetcher.class);

    bind(Boolean.class)
        .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
        .toInstance(Boolean.TRUE);

    // remainder of configure() not quoted here
  }
}
Since the SocialApiGuiceModule is listed later than PropertiesModule,
it overrides the binding of the shindig.allowUnauthenticated property.
- Henry
On Wed, Aug 3, 2011 at 12:51 PM, daviesd <da...@oclc.org> wrote:
> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
> from being made unless shindig.auth.updateSecurityToken has been called. If
> I enable secure tokens and I set the token to something in clear text, it
> denies the rpc requests as it should. Providing the encrypted token then
> works. However if I don't call updateSecurityToken at all then it uses the
> AnonymousSecurityToken and the call succeeds. I don't want this.
>
> I tried setting
>
> shindig.allowUnauthenticated=false
>
> in shindig.properties, thinking this would enforce it; it appears to be
> used inside AnonymousSecurityToken.
>
> Ideas?
>
> Doug
>
>
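The following is an added, stand-alone Guice demonstration of the binding precedence Henry's excerpt and Doug's observation are about; it is not Shindig code. `PropsModule`, `HardcodedModule` and `Handler` are hypothetical stand-ins for PropertiesModule, the quoted SocialApiGuiceModule binding and AnonymousAuthenticationHandler; the property key is the one from shindig.properties in this thread, and the properties value is constructed inline rather than read from disk. It goes one step beyond the thread by also showing how a deployment can pin the Boolean key from its own module with `Modules.override`, without editing the shipped module.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Inject;
import com.google.inject.Injector;
import com.google.inject.Module;
import com.google.inject.name.Named;
import com.google.inject.name.Names;
import com.google.inject.util.Modules;
import java.util.Properties;

public class AllowUnauthenticatedDemo {

  // Same key string as the shindig.properties entry discussed in the thread.
  static final String ALLOW_UNAUTHENTICATED = "shindig.allowUnauthenticated";

  // Hypothetical stand-in for AnonymousAuthenticationHandler: receives the flag by injection.
  static class Handler {
    final boolean allowUnauthenticated;

    @Inject
    Handler(@Named(ALLOW_UNAUTHENTICATED) boolean allowUnauthenticated) {
      this.allowUnauthenticated = allowUnauthenticated;
    }
  }

  // Hypothetical stand-in for PropertiesModule: exposes properties as @Named String bindings.
  static class PropsModule extends AbstractModule {
    @Override
    protected void configure() {
      Properties props = new Properties();               // constructed for the demo
      props.setProperty(ALLOW_UNAUTHENTICATED, "false");
      Names.bindProperties(binder(), props);             // key: @Named(...) String
    }
  }

  // Hypothetical stand-in for the hard-coded Boolean binding quoted from SocialApiGuiceModule.
  static class HardcodedModule extends AbstractModule {
    @Override
    protected void configure() {
      bind(Boolean.class)                                // key: @Named(...) Boolean
          .annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
          .toInstance(Boolean.TRUE);
    }
  }

  // Builds an injector from the given modules and reports the flag the handler received.
  static boolean resolve(Module... modules) {
    Injector injector = Guice.createInjector(modules);
    return injector.getInstance(Handler.class).allowUnauthenticated;
  }

  public static void main(String[] args) {
    // The String property and the Boolean instance are different Guice keys, so they do not
    // conflict, and the injector uses the explicit Boolean binding for the handler's boolean
    // parameter before it would ever consider converting the String constant. Module order
    // therefore makes no difference.
    System.out.println("props then hardcoded: " + resolve(new PropsModule(), new HardcodedModule()));
    System.out.println("hardcoded then props: " + resolve(new HardcodedModule(), new PropsModule()));

    // Deployment-side pin: override the Boolean key in a module of our own.
    Module pinned = Modules.override(new HardcodedModule()).with(new AbstractModule() {
      @Override
      protected void configure() {
        bind(Boolean.class)
            .annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
            .toInstance(Boolean.FALSE);
      }
    });
    System.out.println("with override: " + resolve(new PropsModule(), pinned));
  }
}
```

Running this with Guice on the classpath, the first two lines report `true` in both module orders, which is the behaviour Doug saw with the module order swapped; the overridden injector reports `false`. The point for a deployer is that a property file entry cannot switch off a flag that a module binds as an explicit `Boolean` instance, so the check that the handler actually received `false` belongs in a startup assertion or test rather than being inferred from the properties file.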