[Cosmo-dev] JSON-RPC considered harmful
Randy Letness
randy at osafoundation.org
Tue Dec 5 22:37:38 PST 2006
Randy Letness wrote:
>
> Yeah that's what I was thinking too, require the ticket as part of the
> rpc call, and do a check as part of the rpc impl. With the way things
> work now, isn't there still a problem of "hijacking" a collection
> (provide valid creds to access /cosmo/JSON-RPC, but specify collection
> in the body that's not yours)?
>
Actually what about using the CosmoSecurityManager to get the auth info
(user or ticket), and do the check inside all the rpc methods?
-Randy
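The check Randy describes, as an added example that is not Cosmo's code: a toy JSON-RPC dispatcher resolves the caller's principal (user or ticket) from a request-scoped security context and every method checks that principal against the collection named in the request body, so valid credentials alone cannot reach someone else's collection. `SecurityContext`, `Ticket`, `Collection` and the method names are hypothetical stand-ins for the CosmoSecurityManager lookup mentioned above.

```python
# Added example (hypothetical names, not Cosmo's API): per-method authorization
# for a JSON-RPC style dispatcher. The collection is taken from the request
# body, so each method must check it against the authenticated principal.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ticket:
    key: str
    collection_uid: str
    privileges: set          # e.g. {"read"} or {"read", "write"}


@dataclass
class Collection:
    uid: str
    owner: str
    items: list = field(default_factory=list)


class Forbidden(Exception):
    pass


class SecurityContext:
    """Stand-in for the auth lookup the thread calls CosmoSecurityManager."""
    def __init__(self, user: Optional[str] = None, ticket: Optional[Ticket] = None):
        self.user, self.ticket = user, ticket

    def check(self, coll: Collection, privilege: str) -> None:
        if self.user is not None and self.user == coll.owner:
            return
        if (self.ticket is not None and self.ticket.collection_uid == coll.uid
                and privilege in self.ticket.privileges):
            return
        raise Forbidden(f"{privilege} on {coll.uid} denied")


# Constructed sample data: two users, each owning one collection.
STORE = {"alice-cal": Collection("alice-cal", "alice"),
         "bob-cal": Collection("bob-cal", "bob")}


def rpc_add_item(ctx: SecurityContext, params: dict) -> dict:
    coll = STORE[params["collection"]]
    ctx.check(coll, "write")          # decided per method, on the body's target
    coll.items.append(params["item"])
    return {"result": len(coll.items)}


def dispatch(ctx: SecurityContext, request: dict) -> dict:
    methods = {"addItem": rpc_add_item}
    try:
        return methods[request["method"]](ctx, request["params"])
    except Forbidden as e:
        return {"error": {"code": 403, "message": str(e)}}
```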