On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
John (J5) Palmieri wrote:
> Hi guys,
>
> We just recently got a test instance up at publictest10 and I have
> started working on accessing resources as an authenticated user. There
> is a large issue here however since the browser's security model
> rightfully prevents us from doing requests such as this. There are
> several ways around this security all with their own pitfalls.
>
> The first one which I use is to have a proxy page which make the calls
> on the server which is not subject to the security concerns. The issue
> with this is it can't be authenticated and involves shipping data
> through an extra server.
>
> The second way is to use JSONP callback script injection. This one
> involves the json call returning data as a javascript callback which is
> then script injected into the page and eval'ed. This is extremely
> insecure as it allows the server to send back any javascript which is
> executed on the user's browser. I've tested this by sending an alert
> back from bodhi's 'list' call and it can display any data available to
> the browser.
>
> Another way which I am not sure is possible would be to do URL rewriting
> to make it look like all of our resources are coming from the same
> domain, e.g.
> http://myfedora.fedoraproject.org/bodhi would be rewritten
> to point to a bodhi instance. Though this might work if they were
> running under the same apache instance, I am pretty sure it would fall
> down if they were running on different servers.
>
> The last way, which I discussed with the Fas guys sometime back would be
> the ability to forward credentials from a proxy. This would require Fas
> support that I am pretty sure is not there yet. I'm not even sure how
> it would be implemented.
>
J5: Look at how jsonfas is implemented and tell me if that would work for this
model.
bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
cd python-fedora-devel/fedora/tg/identity
vim jsonfasprovider.py
# Take a look at JsonFasIdentity
-Toshio
It looks promising though I am not totally sure how it works. Let me see
if I get this right. At the start of the proxied request (basically just
a TG controller in my domain which is called via JSON) I create a
JsonFasIdentity and supply it with the user, username and password using
the tg.identity object, or is that the JsonFasIdentity? It will then set
the correct cookies for the next link. I make my next JSON call to a
FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged
in? Is this correct? Do I call logout on the JsonFasIdentity object?
Can this stand up to being called 10 times per page load for each query
I need to make?
If this works it will solve my issues.
--
John (J5) Palmieri <johnp(a)redhat.com>
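As an added example (not code from this thread or from python-fedora/bodhi), the following contrasts the JSONP pattern J5 describes in the quoted message with the same-origin proxy pattern: the callback name `showList`, the helper names and the two sample responses are constructed for illustration.

```javascript
// Added example: why a JSONP response is code while a proxied response is data.
// A JSONP reply is a script the page executes wholesale, so the remote service
// can run arbitrary statements in the user's browser. A reply fetched through
// a same-origin proxy and handed to JSON.parse is only ever treated as data.

// What a JSONP endpoint returns: a call to the page's callback. Nothing stops
// the server from appending further statements (constructed, harmless sample:
// it just sets a flag so the effect is observable).
const JSONP_RESPONSE =
  'showList({"updates":["bodhi-1.0"]}); globalThis.__extraCodeRan = true;';

// The same data as plain JSON, as a same-origin proxy would relay it.
const JSON_RESPONSE = '{"updates":["bodhi-1.0"]}';

// JSONP pattern: the page registers a callback and the injected script runs.
// Everything the server sent executes, not just the callback invocation.
function loadViaJsonp(scriptText) {
  const received = [];
  const showList = (data) => received.push(data);
  // A browser would do this with <script src=...>; a Function wrapper stands
  // in here, with the callback passed in as a parameter.
  new Function('showList', scriptText)(showList);
  return received[0];
}

// Proxy pattern: the same-origin controller returns the remote body as text
// and the page parses it. JSON.parse never executes code and throws on any
// input that is not a JSON document, so script can only cause an error.
function loadViaProxy(responseText) {
  return JSON.parse(responseText);
}

// Check the proxy should apply before relaying: refuse anything that is not
// valid JSON, so a compromised upstream cannot push script through the proxy.
function proxyRelay(upstreamText) {
  try {
    JSON.parse(upstreamText);
  } catch (e) {
    return { ok: false, body: null };
  }
  return { ok: true, body: upstreamText };
}
```

The proxy still has the limitation the message notes (it acts unauthenticated unless credentials are forwarded), but it removes the remote-code-execution exposure of JSONP.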