Posted to dev@shindig.apache.org by Marshall Shi <sh...@cn.ibm.com> on 2013/01/09 02:22:35 UTC

Re: Review Request: Unable to force a token refresh on all gadget sites

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/
-----------------------------------------------------------

(Updated Jan. 9, 2013, 1:22 a.m.)


Review request for shindig, Ryan Baxter, Dan Dumont, Stanton Sievers, and Rich Thompson.


Description
-------

We have uncovered several use cases that request: 
1. Container's ability to require a ST for all gadgets and cause it to refresh 
2. Container determines that all STs are invalid (e.g. the user logged out, SSO session times out, etc) ... should be able to force an immediate refresh to reflect the new log in state. where the container wants to force the use of STs on all requests. 

However, there is no API the container can call to force a refresh of all STs due to a change it knows about (change of logged in user), and if the gadget does not request the "auth-refresh" indirectly, shindig will not refresh its token. 

Related Java code: 

    Boolean needsTokenRefresh = 
        isFieldIncluded(fields, "needstokenrefresh") ? 
            gadget.getAllFeatures().contains("auth-refresh") : null;

This patch is about:
1. Update the container feature and export one API so the container is able to force token refresh on all sites. Update the feature.xml for the container feature, because it actually invokes the gadget RPC call "update_security_token", which resides in feature auth-refresh, but it only has shindig-auth in its dependency; sometimes, when a gadget doesn't explicitly require auth-refresh, this leads to the case that shindig will not refresh its token. Change the dependency to "security-token", which does not include much new feature dependency. 

In addition, at the server side, when returning the metadata, take "gadgets.uri.iframe.alwaysAppendSecurityToken" into consideration as well.


Original review request from Erik is https://reviews.apache.org/r/6724/.


This addresses bug shindig-1863.
    https://issues.apache.org/jira/browse/shindig-1863


Diffs
-----

  http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/container/container.js 1383008 
  http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/container/feature.xml 1383008 
  http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerService.java 1383189 
  http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerServiceTest.java 1383189 
  http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetsHandlerTest.java 1383189 

Diff: https://reviews.apache.org/r/8153/diff/


Testing
-------


Thanks,

Marshall Shi
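
The gap this review request describes, as an added model that is not Shindig code and not part of the original message: after a change of logged-in user, sites whose gadget never pulled in "auth-refresh" keep the previous viewer's token unless the container setting is honoured or the container forces a refresh on every site. All function and field names are hypothetical; only the strings "auth-refresh" and "update_security_token" and the setting name come from the message.

```javascript
// Added model, not Shindig code: every function and field name is hypothetical.

// Server decision as quoted in the message: only gadgets that pull in
// "auth-refresh" are flagged for token refresh.
function needsTokenRefreshOld(gadget) {
  return gadget.features.includes('auth-refresh');
}

// Decision as the message describes the patch: also honour the container
// setting gadgets.uri.iframe.alwaysAppendSecurityToken (modelled as a boolean).
function needsTokenRefreshNew(gadget, alwaysAppendSecurityToken) {
  return alwaysAppendSecurityToken || gadget.features.includes('auth-refresh');
}

// Constructed sample sites, each holding a token minted for viewer "alice".
function makeSites() {
  return [
    { id: 'site-1', gadget: { features: ['auth-refresh', 'rpc'] }, token: { viewer: 'alice' } },
    { id: 'site-2', gadget: { features: ['rpc'] }, token: { viewer: 'alice' } },
  ];
}

// Regular refresh: only flagged sites receive a new token.
// The assignment stands in for the "update_security_token" RPC to the gadget.
function refreshFlagged(sites, viewer, isFlagged) {
  for (const site of sites) {
    if (isFlagged(site.gadget)) site.token = { viewer };
  }
  return sites;
}

// Forced refresh: the container knows the login state changed, so every
// site is updated regardless of the features its gadget requested.
function forceRefreshAll(sites, viewer) {
  return refreshFlagged(sites, viewer, () => true);
}

// Ids of sites still carrying a token for someone other than the current viewer.
function staleSites(sites, viewer) {
  return sites.filter((s) => s.token.viewer !== viewer).map((s) => s.id);
}
```
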


Re: Review Request: Unable to force a token refresh on all gadget sites

Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/#review15313
-----------------------------------------------------------

Ship it!


Committed revision 1432956

- Ryan Baxter




Re: Review Request: Unable to force a token refresh on all gadget sites

Posted by Marshall Shi <sh...@cn.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8153/#review15306
-----------------------------------------------------------


Call for review again!

- Marshall Shi

