Posted to issues@shindig.apache.org by "Stanton Sievers (Commented) (JIRA)" <ji...@apache.org> on 2012/04/14 17:05:16 UTC

[jira] [Commented] (SHINDIG-1557) jsonrcptransport.js is using the container security token instead of the gadget security token

    [ https://issues.apache.org/jira/browse/SHINDIG-1557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13254134#comment-13254134 ] 

Stanton Sievers commented on SHINDIG-1557:
------------------------------------------

Doug, I'm trying to reproduce this issue to further investigate how to fix it, but I'm finding that I can't reproduce it.

In my test configuration there are two domains: container.stanton.com and gadgets.stanton.com, both simply going to 127.0.0.1 (i.e., hitting Shindig and Tomcat running out of Eclipse).

I'm hitting http://container.stanton.com:8080/samplecontainer/examples/commoncontainer/index.html in my browser (FF) and loading the SocialHelloWorld.xml gadget that ships with Shindig.  It uses osapi.appdata.update when you "Say hello".

I see the standard request that the container is making to get metadata:
http://container.stanton.com:8080/rpc?st=john.doe%3Ajohn.doe%3Aappid%3Acont%3Aurl%3A0%3Adefault

When I click the "Say hello" button in the gadget I see the osapi.appdata.update call happening via this url:
http://gadgets.stanton.com:8080/rpc?st=john.doe%3Ajohn.doe%3Ahttp%253A%252F%252Flocalhost%253A8080%252Fsamplecontainer%252Fexamples%252FSocialHelloWorld.xml%3Acont%3Ahttp%253A%252F%252Flocalhost%253A8080%252Fsamplecontainer%252Fexamples%252FSocialHelloWorld.xml%3A0%3Adefault%3A1334419131

And the POST body for the previous request is: [{"method":"appdata.update","id":"appdata.update","params":{"data":{"count":1},"userId":"@viewer","groupId":"@self"}}]

Note that the last call is not only going out on the gadgets domain but it also has the gadget security token on it.  It appears that shindig.auth.getSecurityToken() is executing in the context of the gadget, which is what I expected.

Am I missing something?  Do you still see this issue in your use case?
                
> jsonrcptransport.js is using the container security token instead of the gadget security token
> ----------------------------------------------------------------------------------------------
>
>                 Key: SHINDIG-1557
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1557
>             Project: Shindig
>          Issue Type: Bug
>          Components: Javascript 
>    Affects Versions: 2.5.0-beta1
>            Reporter: Doug Davies
>
> When a gadget makes an rpc request (using common container) the security token returned to the gadget via the st param is not the one being used for the rpc request.  It is using the one generated in the container.  This is probably because the rpc call ends up happening in the context of the container and shindig.auth.getSecurityToken returns that one.  Calls to userprefs and appdata need the gadget security token so it has the appid and appurl to use as db indexes.  Just having the viewer and owner that is inherited from the container is not enough.
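
As an added example (not Shindig code and not from either commenter), the snippet below parses the `st` parameter out of the two /rpc request URLs quoted above and flags an appdata/userprefs batch that was sent with the container token rather than the gadget token, which is the check one would run against captured requests to confirm or rule out the reported behaviour. The plain-text token field order is an assumption taken from the two sample tokens, and the function names are hypothetical.

```javascript
// Added example, not Shindig's own code: inspect which security token an
// /rpc request carried. The plain-text token layout is assumed from the two
// sample tokens quoted in this thread:
//   owner:viewer:appId:domain:appUrl:moduleId:container[:expiresAt]
const FIELDS = ['owner', 'viewer', 'appId', 'domain', 'appUrl',
                'moduleId', 'container', 'expiresAt'];

// Services the report says need appId/appUrl from a gadget-scoped token.
const GADGET_SCOPED_SERVICES = ['appdata', 'userprefs'];

function parseSecurityToken(rpcUrl) {
  // searchParams.get() removes the outer %-encoding of the whole st value.
  const st = new URL(rpcUrl).searchParams.get('st');
  if (!st) return null;
  // Each field was encoded before the token was, so colons inside the
  // appId/appUrl are still %3A here; split first, then decode per field.
  const parts = st.split(':').map(decodeURIComponent);
  const token = {};
  FIELDS.forEach((name, i) => { token[name] = i < parts.length ? parts[i] : null; });
  return token;
}

// A gadget token carries the gadget XML URL as appUrl; the container's
// metadata token uses the literal placeholder "url" instead.
function isGadgetToken(token) {
  return token !== null && /^https?:\/\//.test(token.appUrl);
}

// Return the methods in an /rpc batch that needed a gadget token but were
// sent with a container token (empty array means the request was fine).
function findMisscopedCalls(rpcUrl, jsonBody) {
  const token = parseSecurityToken(rpcUrl);
  if (isGadgetToken(token)) return [];
  return JSON.parse(jsonBody)
    .map(call => call.method)
    .filter(method => GADGET_SCOPED_SERVICES.includes(method.split('.')[0]));
}

// Constructed inputs: the two request URLs and the POST body quoted above.
const CONTAINER_RPC = 'http://container.stanton.com:8080/rpc?st=john.doe%3Ajohn.doe%3Aappid%3Acont%3Aurl%3A0%3Adefault';
const GADGET_RPC = 'http://gadgets.stanton.com:8080/rpc?st=john.doe%3Ajohn.doe%3Ahttp%253A%252F%252Flocalhost%253A8080%252Fsamplecontainer%252Fexamples%252FSocialHelloWorld.xml%3Acont%3Ahttp%253A%252F%252Flocalhost%253A8080%252Fsamplecontainer%252Fexamples%252FSocialHelloWorld.xml%3A0%3Adefault%3A1334419131';
const APPDATA_BODY = '[{"method":"appdata.update","id":"appdata.update","params":{"data":{"count":1},"userId":"@viewer","groupId":"@self"}}]';

console.log(findMisscopedCalls(GADGET_RPC, APPDATA_BODY));    // []
console.log(findMisscopedCalls(CONTAINER_RPC, APPDATA_BODY)); // [ 'appdata.update' ]
```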
