John and Paul, In May, when Andrew and I were out at Google, we talked to you guys at a high level about how to secure features and the RPC functionality in Shindig. Andrew and I are at the point where we would like to tackle this and would like to keep you guys in the loop with the implementation so we can come up with a solid implementation. Based on our conversation in May, here is what I have for high level changes that would need to be made.
-Add a "feature security service" which will interface with some data store describing what features are allowed for a given container. -Possibly add a new gadget renderer or modify the existing gadget render code to not return feature code if the feature has not been enabled in a given container. -Add a new element/parameter to the feature XML to allow feature developers to specify the RPC endpoints they use in their feature code. -Add an "RPC arbitrator" that uses the information from feature security service in combination with the RPC endpoints specified in the feature XML to either allow or disallow RPC requests made by gadgets. Please let me know if you have any other thoughts on this topic. -Ryan Email: [email protected] Phone: 978-899-3041 developerWorks Profile
