You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@wookie.apache.org by Scott Wilson <sc...@gmail.com> on 2011/11/01 11:30:34 UTC

Proxies, headers, authz and origins in Wookie

Hi everyone,

I've been digging a little deeper on this one, and there are a number of related issues. The problem is that all of the following:

- widget start pages
- the admin web interface
- the proxy API
- the REST APIs
- the admin REST APIs

... share a common origin, i.e. wherever Wookie is hosted.

This means that if any one of these issues a BASIC AUTH challenge, the browser will cache this and send it to all requests to the same origin.

Likewise, if a cookie is set, it will be set for all of these widgets and services.

Normally this isn't a problem, as the only cookies will be those set by Wookie itself such as JSessionID.  However, if as a result of a request to the proxy a Set-Cookie header is passed, then this will be stored in the browser as being set by the Wookie origin. Not a good idea.

There are a couple of solutions I've been thinking of...

====

1. Use a dynamic origin for each widget instance. 

Shindig installations sometimes use this - e.g. instead of http://my.server.com/wookie/wservices... the URL for a widget would be http://wgt12131931.my.server.com/wookie/wservices...

This can be quite a pain to set up as you need a host configuration that supports it. However it does nicely isolate the widgets so may be a good option for advanced production installations. Its also the only way I can see we could safely support proxied cookies.

2. Use a different, stateless authz method for admin functions

We could use a different authz method for accessing admin REST APIs. For example, setting a X-WSSE header with a token.

3. Use a common authz method for all REST APIs but with a permissions model

As above, we can use a stateless authz model for all API requests, e.g. using API keys, but add a permissions model. So the special Admin key has permissions for the Admin REST APIs.

If we implement signed API requests (see WOOKIE-279) then this also gives us good protection against hijacking API keys. It also solves WOOKIE-214 as rather than having to revoke API keys, we can just generate a new API Secret and leave the data as-is.

====

Thoughts?

I'm not sure what any of the above implies for supporting oAuth.

-S