Issue 1240043: Add security token to the iframe if it's defined in the context

Can't Edit
Can't Publish+Mail
Start Review

Created:
13 years, 11 months ago by Paul Lindner

Modified:
13 years, 11 months ago

Reviewers:
johnfargo, shindig.remailer

Visibility:
Public.

Patch Set 2 : Mods based on feedback from John, use existing security token routines (where'd those come from!) #

Patch Set 3 : simplify, remove unused imports #

Total comments: 2

Patch Set 4 : add wantsSecurityToken() protected method (defaults to true) #

Created: 13 years, 11 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+37 lines, -5 lines)			Patch
M	java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java	View	1 2 3	5 chunks	+31 lines, -4 lines	0 comments	Download
M	java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java	View	2	3 chunks	+5 lines, -1 line	0 comments	Download
M	java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java	View		1 chunk	+1 line, -0 lines	0 comments	Download

Messages

Total messages: 9

Expand All Messages | Collapse All Messages

Paul Lindner

here's a first step towards allowing security tokens to be added to the iframe factory.

13 years, 11 months ago (2010-05-21 20:12:13 UTC) #1

johnfargo

Interested in your thoughts. http://codereview.appspot.com/1240043/diff/1/2 File java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java (right): http://codereview.appspot.com/1240043/diff/1/2#newcode59 java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:59: private final SecurityTokenDecoder securityTokenDecoder; SecurityTokenCodec ...

13 years, 11 months ago (2010-05-21 20:28:44 UTC) #2

Interested in your thoughts.

http://codereview.appspot.com/1240043/diff/1/2
File
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java
(right):

http://codereview.appspot.com/1240043/diff/1/2#newcode59
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:59:
private final SecurityTokenDecoder securityTokenDecoder;
SecurityTokenCodec does seem like the better name now...

http://codereview.appspot.com/1240043/diff/1/2#newcode71
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:71:
// TODO this doesn't scale to large numbers of containers
sure it does, if you dedupe and don't require a unique subdomain per container
;)

http://codereview.appspot.com/1240043/diff/1/2#newcode154
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:154:
// Inject a security token if set in the context
A. Let's put this in a separate method: injectSecurityToken(...)
B. Let's also wrap the logic in an if-block:
if (wantsSecurityToken(gadget)) { ... }
...where wantsSecurityToken is defined by default as "return true"

This allows, for those who choose to opt into it, the ability to append a
security token only when the gadget affirmatively asks for one - notably, when
gadget.getAllFeatures().contains("security-token");

This accommodates all cases except signed requests by gadgets that have no
<Requires> that transitively depend on "security-token".

http://codereview.appspot.com/1240043/diff/1/2#newcode159
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:159:
uri.addQueryParameter("st", tokenVal);
s/"st"/UriCommon.Param.SECURITY_TOKEN.getKey()/

http://codereview.appspot.com/1240043/diff/1/2#newcode163
java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:163:
// ignore -- no security token
really? here, getToken() != null so presumably we should succeed in returning a
token.

I recognize this is as much an audit of the SecurityTokenDecoder interface, but
IMO we should throw an Exception in exceptional circumstances; perhaps null in
"normal" ones, however defined.

johnfargo

LGTM beyond this comment. http://codereview.appspot.com/1240043/diff/9001/10001 File java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java (right): http://codereview.appspot.com/1240043/diff/9001/10001#newcode172 java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:172: protected String generateSecurityToken(Gadget gadget) { ...

13 years, 11 months ago (2010-05-22 02:40:03 UTC) #5

Paul Lindner

http://codereview.appspot.com/1240043/diff/9001/10001 File java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java (right): http://codereview.appspot.com/1240043/diff/9001/10001#newcode172 java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java:172: protected String generateSecurityToken(Gadget gadget) { On 2010/05/22 02:40:03, johnfargo ...

13 years, 11 months ago (2010-05-22 14:00:39 UTC) #6

fargo

True, it's really just a relatively minor structuring nit. --j On Sat, May 22, 2010 ...

13 years, 11 months ago (2010-05-24 18:24:05 UTC) #7

lgtm

Expand All Messages | Collapse All Messages