[Cosmo-dev] JSON-RPC considered harmful

Travis Vachon travis at osafoundation.org
Thu Dec 7 11:19:37 PST 2006


Yep, that's what I was thinking. Thanks for making it more clear!

-Travis

On Dec 7, 2006, at 11:11 AM, Brian Moseley wrote:

> On 12/7/06, Travis Vachon <travis at osafoundation.org> wrote:
>
>> To that end, the approach we're currently looking at consists of
>> allowing all traffic to /cosmo/json-rpc through the Acegi filtering
>> level and doing user and ticket authentication/authorization within
>> the JSON-RPC service methods.
>
> well, not quite. we'll still use acegi to authenticate and authorize
> requests to /cosmo/json-rpc:
>
> * we'll allow anonymous access to /json-rpc as well as user access
> * the existing rpc methods require a logged-in user and will
> therefore have to include checks to make sure that precondition is met
> (no anonymous access to these methods)
> * those same rpc methods will have to make sure the logged-in user
> can only operate against items that he owns
> * new methods which use a ticket to access an item will manually
> verify the ticket against the item without worrying if there is a
> logged-in user or not
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
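The scheme Brian outlines above moves authorization out of the Acegi filter and into each RPC method, so the safety of the endpoint depends on every method enforcing its own precondition. The Python model below is an added illustration of that design, not Cosmo's Java/Acegi code: the item store, ticket values, method names and the `dispatch` helper are all constructed for the example. The registration decorator defaults to "logged-in user required", so a method that forgets to declare its policy fails closed, and only the ticket-based method opts out explicitly.

```python
# Added illustration (Python model, not Cosmo's Java/Acegi code) of the
# per-method authorization scheme described in the quoted message: the
# filter layer admits both anonymous and logged-in requests to /json-rpc,
# so each RPC method enforces its own precondition.  Item store, ticket
# values and method names are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set
import hmac


class Forbidden(Exception):
    """Raised when a method's precondition is not met."""


@dataclass
class Item:
    id: str
    owner: str
    tickets: Set[str] = field(default_factory=set)  # ticket keys granting access


@dataclass
class Request:
    user: Optional[str]  # None means the filter passed an anonymous request
    params: dict


# Constructed sample data.
ITEMS: Dict[str, Item] = {
    "cal-1": Item("cal-1", "alice", {"tkt-read-7f3a"}),
    "cal-2": Item("cal-2", "bob"),
}

METHODS: Dict[str, Callable[[Request], dict]] = {}


def rpc(requires_user: bool = True):
    """Register a JSON-RPC method.  The default requires a logged-in user,
    so a method that forgets to declare its policy fails closed; only the
    ticket-based methods opt out explicitly."""
    def wrap(fn):
        def guarded(req: Request) -> dict:
            if requires_user and req.user is None:
                raise Forbidden("login required")
            return fn(req)
        METHODS[fn.__name__] = guarded
        return guarded
    return wrap


def owned_item(req: Request, item_id: str) -> Item:
    """Second check for logged-in methods: the user may only touch items
    they own.  Missing and foreign items get the same answer so the
    response does not reveal which ids exist."""
    item = ITEMS.get(item_id)
    if item is None or item.owner != req.user:
        raise Forbidden("not owner")
    return item


def ticketed_item(item_id: str, ticket: str) -> Item:
    """Ticket methods verify the ticket against the item itself and ignore
    whether anyone is logged in.  Constant-time comparison avoids leaking
    ticket bytes through timing."""
    item = ITEMS.get(item_id)
    if item is None or not any(
        hmac.compare_digest(t.encode(), ticket.encode()) for t in item.tickets
    ):
        raise Forbidden("bad ticket")
    return item


@rpc()  # logged-in user required (the default)
def get_item(req: Request) -> dict:
    item = owned_item(req, req.params["id"])
    return {"id": item.id, "owner": item.owner}


@rpc(requires_user=False)  # anonymous allowed; access comes from the ticket
def get_item_by_ticket(req: Request) -> dict:
    item = ticketed_item(req.params["id"], req.params["ticket"])
    return {"id": item.id}


def dispatch(method: str, user: Optional[str], params: dict):
    """Simulate the RPC endpoint: every request reaches the method and the
    method decides.  Returns (allowed, result_or_reason)."""
    try:
        return True, METHODS[method](Request(user, params))
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(dispatch("get_item", None, {"id": "cal-1"}))
    print(dispatch("get_item", "alice", {"id": "cal-1"}))
    print(dispatch("get_item", "bob", {"id": "cal-1"}))
    print(dispatch("get_item_by_ticket", None, {"id": "cal-1", "ticket": "tkt-read-7f3a"}))
```

Run it directly to see the four cases from the quoted list: an anonymous call to a user-only method is refused, the owner succeeds, a different logged-in user is refused, and a ticket call succeeds with no login at all. The design choice worth copying is the fail-closed default in `rpc()`: when authorization lives in the methods rather than the filter, the cheapest defence against a forgotten check is a registration path that requires each method to opt in to anonymous access.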
