Posted to dev@shindig.apache.org by Marshall Shi <sh...@cn.ibm.com> on 2013/01/09 02:22:35 UTC
Re: Review Request: Unable to force a token refresh on all gadget sites
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/
-----------------------------------------------------------
(Updated Jan. 9, 2013, 1:22 a.m.)
Review request for shindig, Ryan Baxter, Dan Dumont, Stanton Sievers, and Rich Thompson.
Description
-------
We have uncovered several use cases that request:
1. Container's ability to require a ST for all gadgets and cause it to refresh
2. Container determines that all STs are invalid (e.g. the user logged out, SSO session times out, etc.) ... should be able to force an immediate refresh to reflect the new login state, where the container wants to force the use of STs on all requests.
However, there is no API the container can call to force a refresh of all STs due to a change it knows about (change of logged-in user), and if the gadget does not request the "auth-refresh" indirectly, shindig will not refresh its token.
Related Java code:
    Boolean needsTokenRefresh =
        isFieldIncluded(fields, "needstokenrefresh") ?
            gadget.getAllFeatures().contains("auth-refresh") : null;
This patch is about:
1. Update the container feature: export one API for the container to be able to force token refresh on all sites. Update the feature.xml for the container feature, because it actually invokes the gadget RPC call "update_security_token", which resides in feature auth-refresh, but it only has shindig-auth in its dependency; sometimes, when a gadget doesn't explicitly require auth-refresh, this leads to the case that shindig will not refresh its token. Change the dependency to "security-token", which does not include much new feature dependency.
In addition, at the server side, when returning the metadata, take "gadgets.uri.iframe.alwaysAppendSecurityToken" into consideration as well.
Original review request from EriK is https://reviews.apache.org/r/6724/.
This addresses bug shindig-1863.
https://issues.apache.org/jira/browse/shindig-1863
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/container/container.js 1383008
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/container/feature.xml 1383008
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerService.java 1383189
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerServiceTest.java 1383189
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerTest.java 1383189
Diff: https://reviews.apache.org/r/8153/diff/
Testing
-------
Thanks,
Marshall Shi
Re: Review Request: Unable to force a token refresh on all gadget sites
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/#review15313
-----------------------------------------------------------
Ship it!
Committed revision 1432956
- Ryan Baxter
Re: Review Request: Unable to force a token refresh on all gadget sites
Posted by Marshall Shi <sh...@cn.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/#review15306
-----------------------------------------------------------
Call for review again!
- Marshall Shi