[Cosmo-dev] JSON-RPC considered harmful
randy at osafoundation.org
Tue Dec 5 22:37:38 PST 2006
Randy Letness wrote:
> Yeah that's what I was thinking too, require the ticket as part of the
> rpc call, and do a check as part of the rpc impl. With the way things
> work now, isn't there still a problem of "hijacking" a collection
> (provide valid creds to access /cosmo/JSON-RPC, but specify collection
> in the body that's not yours)?
Actually what about using the CosmoSecurityManager to get the auth info
(user or ticket), and do the check inside all the rpc methods?
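The check the two messages converge on, written out as an added example (this is not Cosmo's own code, and `SecurityContext`, `Collection`, `canWrite` and `removeItem` are hypothetical stand-ins for CosmoSecurityManager and Cosmo's model classes, whose real APIs are not shown in the thread): the RPC implementation first resolves who is calling (a user or a ticket) and then checks that principal against the specific collection named in the request body, so valid credentials alone no longer allow acting on someone else's collection.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class CollectionRpcAuthzExample {

    // Hypothetical stand-in for a stored collection (not Cosmo's real model class).
    static final class Collection {
        final String uid;
        final String ownerUsername;
        final Set<String> ticketKeys;                 // tickets granted on this collection
        final Set<String> items = new HashSet<>();    // item uids stored in the collection

        Collection(String uid, String ownerUsername, Set<String> ticketKeys) {
            this.uid = uid;
            this.ownerUsername = ownerUsername;
            this.ticketKeys = ticketKeys;
        }
    }

    // Hypothetical shape of what the security manager resolves for the current request:
    // exactly one of username / ticketKey is set, depending on how the caller authenticated.
    static final class SecurityContext {
        final String username;
        final String ticketKey;

        private SecurityContext(String username, String ticketKey) {
            this.username = username;
            this.ticketKey = ticketKey;
        }
        static SecurityContext forUser(String username) { return new SecurityContext(username, null); }
        static SecurityContext forTicket(String ticketKey) { return new SecurityContext(null, ticketKey); }
    }

    static final class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    private final Map<String, Collection> collectionsByUid = new HashMap<>();

    void addCollection(Collection c) { collectionsByUid.put(c.uid, c); }

    Collection lookup(String collectionUid) {
        Collection c = collectionsByUid.get(collectionUid);
        if (c == null) throw new IllegalArgumentException("no such collection: " + collectionUid);
        return c;
    }

    // The "hijacking" shape from the thread: the endpoint authenticated the caller, but nothing
    // ties the collection uid taken from the RPC body back to that caller.
    boolean removeItemUnchecked(String collectionUid, String itemUid) {
        return lookup(collectionUid).items.remove(itemUid);
    }

    // Hardened shape: resolve the caller, then check it against the collection from the body
    // before touching anything.
    boolean removeItem(SecurityContext ctx, String collectionUid, String itemUid) {
        Collection c = lookup(collectionUid);
        if (!canWrite(ctx, c)) {
            throw new AuthorizationException("caller may not modify collection " + collectionUid);
        }
        return c.items.remove(itemUid);
    }

    // Access rule assumed here: a user may write their own collections; a ticket only the
    // collections it was granted on; anything else is denied.
    static boolean canWrite(SecurityContext ctx, Collection c) {
        if (ctx.username != null) return ctx.username.equals(c.ownerUsername);
        if (ctx.ticketKey != null) return c.ticketKeys.contains(ctx.ticketKey);
        return false;
    }

    public static void main(String[] args) {
        CollectionRpcAuthzExample rpc = new CollectionRpcAuthzExample();
        Collection alices = new Collection("col-alice", "alice", Set.of("ticket-abc"));
        Collection bobs = new Collection("col-bob", "bob", Set.of());
        alices.items.add("item-1");
        bobs.items.add("item-2");
        rpc.addCollection(alices);
        rpc.addCollection(bobs);

        // Unchecked method: alice's valid credentials got her past the endpoint, and the body
        // names bob's collection, so the item is silently removed.
        System.out.println("unchecked, cross-user: removed=" + rpc.removeItemUnchecked("col-bob", "item-2"));

        // Checked method: same caller, her own collection, allowed.
        System.out.println("checked, own collection: removed=" + rpc.removeItem(SecurityContext.forUser("alice"), "col-alice", "item-1"));

        // Checked method: same caller naming bob's collection in the body, denied.
        try {
            rpc.removeItem(SecurityContext.forUser("alice"), "col-bob", "item-2");
            System.out.println("BUG: cross-user modification was allowed");
        } catch (AuthorizationException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }

        // A ticket granted on alice's collection does not carry over to bob's.
        System.out.println("ticket on other collection: " + canWrite(SecurityContext.forTicket("ticket-abc"), bobs));
    }
}
```

The important property is that `canWrite` is evaluated inside each RPC method against the collection actually loaded from the request body, not once at the `/cosmo/JSON-RPC` endpoint; per-endpoint authentication answers "who is this?", while the per-method check answers "may this principal touch this collection?".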