[Cosmo-dev] JSON-RPC considered harmful
Bobby Rullo
br at osafoundation.org
Tue Dec 5 22:47:02 PST 2006
That's what I think BCM meant when he said "manual ticket authentication".
On Dec 5, 2006, at 10:37 PM, Randy Letness wrote:
> Randy Letness wrote:
>>
>> Yeah that's what I was thinking too, require the ticket as part of
>> the rpc call, and do a check as part of the rpc impl. With the
>> way things work now, isn't there still a problem of "hijacking" a
>> collection (provide valid creds to access /cosmo/JSON-RPC, but
>> specify collection in the body that's not yours)?
>>
>
> Actually what about using the CosmoSecurityManager to get the auth
> info (user or ticket), and do the check inside all the rpc methods?
>
> -Randy
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
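An added example, not part of the original thread and not Cosmo's code: the check discussed above, done inside each RPC method, so that valid credentials for the endpoint do not grant access to a collection named in the request body. All names (Principal, authorize, the sample collections and ticket) are hypothetical, and the ticket privilege model is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """Who the request authenticated as (hypothetical type)."""
    kind: str   # "user" or "ticket"
    name: str   # username, or the ticket key

class Forbidden(Exception):
    pass

# Constructed sample data: collection owners, one ticket grant, stored events.
OWNERS = {"/home/alice/cal": "alice", "/home/bob/cal": "bob"}
TICKETS = {"tk-123": {"collection": "/home/alice/cal", "privileges": {"read"}}}
EVENTS = {"/home/alice/cal": ["standup"], "/home/bob/cal": ["dentist"]}

def authorize(principal, collection, privilege):
    """Check the collection named in the RPC body against the caller."""
    if principal.kind == "user":
        if OWNERS.get(collection) == principal.name:
            return
    elif principal.kind == "ticket":
        grant = TICKETS.get(principal.name)
        # Assumed model: a ticket is bound to one collection and a privilege set.
        if grant and grant["collection"] == collection \
                and privilege in grant["privileges"]:
            return
    raise Forbidden(f"{principal.kind} {principal.name!r} may not "
                    f"{privilege} {collection}")

def rpc_get_events(principal, params):
    authorize(principal, params["collection"], "read")
    return list(EVENTS[params["collection"]])

def rpc_save_event(principal, params):
    authorize(principal, params["collection"], "write")
    EVENTS[params["collection"]].append(params["event"])
    return True

METHODS = {"getEvents": rpc_get_events, "saveEvent": rpc_save_event}

def dispatch(principal, request):
    """Minimal JSON-RPC style dispatcher: returns a result or an error."""
    try:
        result = METHODS[request["method"]](principal, request["params"])
        return {"id": request["id"], "result": result, "error": None}
    except Forbidden as exc:
        return {"id": request["id"], "result": None, "error": str(exc)}
```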