On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
> John (J5) Palmieri wrote:
> > Hi guys,
> >
> > We just recently got a test instance up at publictest10 and I have started working on accessing resources as an authenticated user. There is a large issue here however since the browser's security model rightfully prevents us from doing requests such as this. There are several ways around this security, all with their own pitfalls.
> >
> > The first one, which I use, is to have a proxy page which makes the calls on the server, which is not subject to the security concerns. The issue with this is it can't be authenticated and involves shipping data through an extra server.
> >
> > The second way is to use JSONP callback script injection. This one involves the JSON call returning data as a javascript callback which is then script injected into the page and eval'ed. This is extremely insecure as it allows the server to send back any javascript, which is executed in the user's browser. I've tested this by sending an alert back from bodhi's 'list' call and it can display any data available to the browser.
> >
> > Another way, which I am not sure is possible, would be to do URL rewriting to make it look like all of our resources are coming from the same domain, e.g. http://myfedora.fedoraproject.org/bodhi would be rewritten to point to a bodhi instance. Though this might work if they were running under the same apache instance, I am pretty sure it would fall down if they were running on different servers.
> >
> > The last way, which I discussed with the Fas guys some time back, would be the ability to forward credentials from a proxy. This would require Fas support that I am pretty sure is not there yet. I'm not even sure how it would be implemented.
> >
> J5: Look at how jsonfas is implemented and tell me if that would work for this model.
>
> bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
> cd python-fedora-devel/fedora/tg/identity
> vim jsonfasprovider.py
> # Take a look at JsonFasIdentity
>
> -Toshio

It looks promising, though I am not totally sure how it works. Let me see if I get this right. At the start of the proxied request (basically just a TG controller in my domain which is called via JSON) I create a JsonFasIdentity and supply it with the user, username and password using the tg.identity object, or is that the JsonFasIdentity? It will then set the correct cookies for the next link. I make my next JSON call to a FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged in? Is this correct? Do I call logout on the JsonFasIdentity object? Can this stand up to being called 10 times per page load for each query I need to make?

If this works it will solve my issues.

--
John (J5) Palmieri <johnp@xxxxxxxxxx>

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
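The difference between the two client-side options discussed in the thread (JSONP script injection versus a same-origin proxy page) can be shown in a few lines. The following is an added example and is not code from the thread, from MyFedora, or from python-fedora; the two "remote server" replies are constructed strings standing in for a bodhi 'list' response, and `alert` is a stub so the code runs under Node rather than in a browser. With JSONP the reply is a script and the browser executes all of it, so a hostile or compromised server gets code execution in the page; with a proxy the page receives text and parses it strictly as JSON data, so anything that is not data is rejected instead of run.

```javascript
// Constructed replies (not real bodhi output). The honest one is exactly the
// JSONP shape: a callback invocation wrapping the JSON data. The hostile one
// prepends a script in front of the same data.
const HONEST_JSONP_REPLY = 'callbacks.onList({"updates": ["foo-1.0-1.fc8"]});';
const HOSTILE_JSONP_REPLY =
  'alert("pwned"); callbacks.onList({"updates": ["foo-1.0-1.fc8"]});';

// JSONP consumer. The reply text is executed as a script; the Function
// constructor plays the role of the injected <script> tag. Whatever the remote
// server sends runs with the page's privileges, which is the risk J5 describes.
function consumeJsonp(replyText) {
  const alerts = [];
  let data = null;
  const callbacks = { onList: (payload) => { data = payload; } };
  // "alert" is passed in as a stub so the effect is observable under Node.
  const script = new Function('callbacks', 'alert', replyText);
  script(callbacks, (msg) => alerts.push(msg));
  return { data, alerts };
}

// Same-origin proxy consumer. The proxy page on our own domain fetches the
// remote resource as plain JSON (no callback parameter) and hands the body and
// Content-Type back to the page. The page treats the body as data only.
function consumeProxied(reply) {
  if (reply.contentType !== 'application/json') {
    return { data: null, error: 'unexpected content type: ' + reply.contentType };
  }
  try {
    // JSON.parse never executes anything; a script-laden body is a syntax error.
    return { data: JSON.parse(reply.body), error: null };
  } catch (e) {
    return { data: null, error: 'response is not JSON data' };
  }
}

// Usage: run both consumers over the honest and hostile replies.
console.log('jsonp honest :', consumeJsonp(HONEST_JSONP_REPLY));
console.log('jsonp hostile:', consumeJsonp(HOSTILE_JSONP_REPLY));
console.log('proxy honest :', consumeProxied({
  contentType: 'application/json',
  body: '{"updates": ["foo-1.0-1.fc8"]}',
}));
console.log('proxy hostile:', consumeProxied({
  contentType: 'application/json',
  body: 'alert("pwned"); {"updates": ["foo-1.0-1.fc8"]}',
}));
```

The proxy variant still has the drawbacks raised in the thread (no user credentials reach the remote service, and every request passes through an extra server), but it keeps the browser in a data-only trust relationship with the remote host, which is the property JSONP gives up.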