[Cosmo-dev] JSON-RPC considered harmful
Randy Letness
randy at osafoundation.org
Tue Dec 5 23:21:42 PST 2006
Brian Moseley wrote:
> On 12/5/06, Randy Letness <randy at osafoundation.org> wrote:
>
>> Can't the ticket processing junk just verify that the ticket is valid
>> and stick it in the security context? Then the rpcservice does the
>> authorization based on the method called?
>
> no - it needs both the resource path or uid and the ticket key to
> authenticate.
>
I guess I was thinking about implementing a new
TicketProcessingFilter/AuthenticationProvider that ignores path...just
validates that the ticket exists and use that for RPC requests, but that
may be more work than it's worth.
-Randy