MyFedora cross domain authentication issues
Toshio Kuratomi
a.badger at gmail.com
Thu Mar 13 22:59:40 UTC 2008
John (J5) Palmieri wrote:
> Hi guys,
>
> We just recently got a test instance up at publictest10 and I have
> started working on accessing resources as an authenticated user. There
> is a large issue here however since the browser's security model
> rightfully prevents us from doing requests such as this. There are
> several ways around this security all with their own pitfalls.
>
> The first one which I use is to have a proxy page which makes the calls
> on the server which is not subject to the security concerns. The issue
> with this is it can't be authenticated and involves shipping data
> through an extra server.
>
> The second way is to use JSONP callback script injection. This one
> involves the json call returning data as a javascript callback which is
> then script injected into the page and eval'ed. This is extremely
> insecure as it allows the server to send back any javascript which is
> executed on the user's browser. I've tested this by sending an alert
> back from bodhi's 'list' call and it can display any data available to
> the browser.
>
> Another way which I am not sure is possible would be to do URL rewriting
> to make it look like all of our resources are coming from the same
> domain, e.g. http://myfedora.fedoraproject.org/bodhi would be rewritten
> to point to a bodhi instance. Though this might work if they were
> running under the same apache instance, I am pretty sure it would fall
> down if they were running on different servers.
>
> The last way, which I discussed with the Fas guys sometime back would be
> the ability to forward credentials from a proxy. This would require Fas
> support that I am pretty sure is not there yet. I'm not even sure how
> it would be implemented.
>
J5: Look at how jsonfas is implemented and tell me if that would work for this
model.
bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
cd python-fedora-devel/fedora/tg/identity
vim jsonfasprovider.py
# Take a look at JsonFasIdentity
-Toshio
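Added illustration of the safe side of the proxy approach discussed above (editor's example, not code from python-fedora, bodhi, or either poster): a same-origin proxy that accepts a remote service's JSON or JSONP reply but never evaluates it, so the browser receives only data it can JSON.parse rather than script to inject. The callback name `cb` and the sample bodies are constructed values.

```python
"""Same-origin proxy helpers: accept a remote service's JSON or JSONP reply
and hand the browser pure data, never script to eval.  Editor's example,
not code from python-fedora; the 'cb' callback and sample bodies are
constructed values."""
import json
import re

# A well-formed JSONP body is exactly <callback>(<json>) with an optional ';'.
# Callback names are restricted to JavaScript identifier characters.
_JSONP_RE = re.compile(r'^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$', re.DOTALL)


def parse_json_data(text):
    """Parse text as JSON data only.

    json.loads never evaluates code, so a body such as 'alert(document.cookie)'
    raises ValueError instead of running.  Scalars are rejected as well; the
    services this proxy fronts are assumed to answer with an object or array.
    """
    data = json.loads(text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, (dict, list)):
        raise ValueError("expected a JSON object or array")
    return data


def unwrap_jsonp(body, expected_callback):
    """Extract the JSON argument of a JSONP response without executing it.

    The callback name must be the one the proxy asked for; anything that is
    not a single <callback>(...) call (extra statements, another callback,
    code instead of JSON) is rejected with ValueError.
    """
    m = _JSONP_RE.match(body)
    if m is None or m.group(1) != expected_callback:
        raise ValueError("body is not a %s(...) JSONP wrapper" % expected_callback)
    # Text trailing the real ')' lands inside group(2) because the inner
    # match is greedy, and json.loads then refuses it.
    return parse_json_data(m.group(2))


def relay_to_browser(upstream_body, expected_callback=None):
    """Return canonical JSON text for a same-origin XMLHttpRequest, so the
    page can JSON.parse it instead of script-injecting the reply."""
    if expected_callback is None:
        data = parse_json_data(upstream_body)
    else:
        data = unwrap_jsonp(upstream_body, expected_callback)
    return json.dumps(data)
```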