You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shindig.apache.org by "Neil (JIRA)" <ji...@apache.org> on 2008/08/01 18:32:32 UTC
[jira] Created: (SHINDIG-489) Whitelist functionality
Whitelist functionality
-----------------------
Key: SHINDIG-489
URL: https://issues.apache.org/jira/browse/SHINDIG-489
Project: Shindig
Issue Type: New Feature
Components: Gadget Rendering Server (Java)
Reporter: Neil
I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
The whitelist works as an exact opposite to the current black list implementation - using exact URLs or regular expressions to define a list of allowed gadgets or domains.
The attached patch includes the two new files for the whitelist and the necessary alteration to gadgets.properties (to define the white list file) , GadgetServer.java (to load and use the white list implementation) and GadgetException (to add the NOT_IN_WHITELIST failure code).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: whitelist.patch
Patch file for whitelist implementation
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
> The whitelist works as an exact opposite to the current black list implementation - using exact URLs or regular expressions to define a list of allowed gadgets or domains.
> The attached patch includes the two new files for the whitelist and the necessary alteration to gadgets.properties (to define the white list file) , GadgetServer.java (to load and use the white list implementation) and GadgetException (to add the NOT_IN_WHITELIST failure code).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Description:
I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
Changes for the build
The following changes were made to provide this build:
* shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
* in java/gadgets
o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
was:
I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist (see below).
If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
There is also a blacklist (which is provided as part of Shindig, though some minor changes were made to the file reading, see below). This is also a text file driven - in exactly the same way as the whitelist. Any URL or regular expression in the blacklist that matches a gadget's URL will be blocked with the message BLACKLISTED_GADGET.
Changes for the build
The following changes were made to provide this build:
* shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
* in java/gadgets
o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: (was: whitelist.patch)
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: whitelist.patch
Patch containing code described
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: (was: whitelist.patch)
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (SHINDIG-489) Whitelist functionality
Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Brown resolved SHINDIG-489.
---------------------------------
Resolution: Won't Fix
This is unnecessary. If you want a whitelist, just implement the blacklist interface and return the negated whitelist:
class GadgetWhitelist implements GadgetBlacklist {
public boolean isBlacklisted(URI url) {
return !isWhitelisted(url);
}
}
You can bind that yourself using Guice. You don't need to change GadgetServer (which is gone soon anyway).
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: whitelist_tests.patch
Attached file which contains
- unit tests for the new whitelist class.
- fixed unit tests for classes affected by the changes.
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
> The whitelist works as an exact opposite to the current black list implementation - using exact URLs or regular expressions to define a list of allowed gadgets or domains.
> The attached patch includes the two new files for the whitelist and the necessary alteration to gadgets.properties (to define the white list file) , GadgetServer.java (to load and use the white list implementation) and GadgetException (to add the NOT_IN_WHITELIST failure code).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Comment: was deleted
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Description:
I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist (see below).
If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
There is also a blacklist (which is provided as part of Shindig, though some minor changes were made to the file reading, see below). This is also a text file driven - in exactly the same way as the whitelist. Any URL or regular expression in the blacklist that matches a gadget's URL will be blocked with the message BLACKLISTED_GADGET.
Changes for the build
The following changes were made to provide this build:
* shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
* in java/gadgets
o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
was:
I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
The whitelist works as an exact opposite to the current black list implementation - using exact URLs or regular expressions to define a list of allowed gadgets or domains.
The attached patch includes the two new files for the whitelist and the necessary alteration to gadgets.properties (to define the white list file) , GadgetServer.java (to load and use the white list implementation) and GadgetException (to add the NOT_IN_WHITELIST failure code).
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network.
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist (see below).
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> There is also a blacklist (which is provided as part of Shindig, though some minor changes were made to the file reading, see below). This is also a text file driven - in exactly the same way as the whitelist. Any URL or regular expression in the blacklist that matches a gadget's URL will be blocked with the message BLACKLISTED_GADGET.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-489) Whitelist functionality
Posted by "Neil (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil updated SHINDIG-489:
-------------------------
Attachment: whitelist.patch
> Whitelist functionality
> -----------------------
>
> Key: SHINDIG-489
> URL: https://issues.apache.org/jira/browse/SHINDIG-489
> Project: Shindig
> Issue Type: New Feature
> Components: Gadget Rendering Server (Java)
> Reporter: Neil
> Attachments: whitelist.patch, whitelist_tests.patch
>
>
> I have a requirement for a gadget whitelist - so that Shindig cannot be easily used as a proxy onto a protected network. The current black list functionality provided is not enough, as I require the ability to only allow a small set of gadgets and/or domains. Blacklisting then entire internet bar a single domain isn't really an option!
> I have provided a default implementation, based on the current BasicGadgetBlacklist implementation.
> It is driven by a text file. The file can contain exact URLs (to XML gadgets) to whitelist or it can contain regular expressions, denoting whole domains that are allowed. These entries must be prefixed with REGEX. The file is read only on application startup.
> The whitelist can be turned on or off by specifying the file in the shindig/java/gadgets/conf/gadget.properties next to the property whitelist.file. If the entry is blank then no whitelist is applied - which allows all gadgets through - except those on the blacklist.
> If a gadget URL matches the whitelist then it is allowed to be rendered. If not, then the gadget is rendered with the error message NOT_IN_WHITELIST.
> Changes for the build
> The following changes were made to provide this build:
> * shindig/java/gadget/conf/gadget.properties - entry whitelist.file added, and default value for blacklist.file updated
> * in java/gadgets
> o org.apache.shindig.gadgets.GadgetWhitelist - new Interface for the whitelist added. Contains one method: isWhitelisted(URI)
> o org.apache.shindig.gadgets.BasicGadgetWhitelist - default implementation of GadgetWhitelist. Essentially a copy of existing BasicGadgetBlacklist
> o org.apache.shindig.gadgets.GadgetServer - constructor changed to accept new GadgetWhitelist object (injected automatically using Guice). processGadget(GadgetContext) method altered to add call to whitelist object isWhitelisted(URI) method. This is after black list check.
> o org.apache.shindig.gadgets.GadgetException - Code enum extended to add NOT_IN_WHITELIST value.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.