Since I don't have debugging capabilities on the hosting site on which
I am planning to host my application, I wrote one simple ASP.NET page that
just reflects the POST request that it receives.

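using System;
using System.Xml;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Parse the raw POST body as XML and echo it back for inspection.
        XmlDocument doc = new XmlDocument();
        // Do not resolve external entities or DTDs referenced by the untrusted body.
        doc.XmlResolver = null;
        doc.Load(Request.InputStream);
        Response.Write(doc.InnerXml);
    }
}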

I wanted to compare the difference between signed and unsigned POST
requests received on the server. My assumption is that a signed request
is the encrypted form of an unsigned request; hence for an unsigned request, my
response should be the same as the request, but for a signed request, my
response should be the encrypted form of the request. Please confirm whether
my assumption is correct.

Unfortunately I don't see any difference between request and response.
Though when I sniffed the POST request, I saw that the signed request has the
following extra parameter.
***
authz=signed&st=AFinprRrOo9jbTnGz6GfSLTAFaD31b-
BdtDUoRKmB6fAmal76q1ay6NmliAxmxqei_HU7alG69OMw2caaKLYGuJsXp2CQX9oBA7fQj5dfZQO7iKjBJ6b0I
***

I will appreciate any help in this regard.

Thanks,
-Akash
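
The public-key check Raman describes in the quoted reply below, as an added example that is not part of the original thread: it assumes the OAuth 1.0 RSA-SHA1 scheme that OpenSocial containers use for signed makeRequest calls, in which the parameters travel in clear text and the signature is one more parameter computed over them. The key pair is generated locally as a stand-in for the container's, and the URL, ids, nonce and timestamp are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SignedRequestDemo
{
    // RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters stay literal.
    static string Enc(string s)
    {
        const string unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            sb.Append(unreserved.IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2"));
        return sb.ToString();
    }

    // Signature base string: METHOD & encoded URL & encoded, name-sorted parameter list.
    static byte[] BaseString(string method, string url, IDictionary<string, string> p)
    {
        var pairs = p.Where(kv => kv.Key != "oauth_signature")
                     .OrderBy(kv => Enc(kv.Key), StringComparer.Ordinal)
                     .Select(kv => Enc(kv.Key) + "=" + Enc(kv.Value));
        string s = method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
        return Encoding.ASCII.GetBytes(s);
    }

    // App-server side: check the RSA-SHA1 signature with the container's public key.
    static bool Verify(RSA publicKey, string method, string url, IDictionary<string, string> p)
    {
        byte[] sig = Convert.FromBase64String(p["oauth_signature"]);
        return publicKey.VerifyData(BaseString(method, url, p), sig, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        const string url = "http://app.example.test/Service.asmx";   // constructed endpoint
        using (RSA key = RSA.Create())   // constructed stand-in for the container's key pair
        {
            var p = new Dictionary<string, string> {
                { "oauth_signature_method", "RSA-SHA1" }, { "oauth_timestamp", "1222194000" }, { "oauth_nonce", "n-0001" },
                { "opensocial_owner_id", "11111" }, { "opensocial_viewer_id", "22222" } };
            p["oauth_signature"] = Convert.ToBase64String(key.SignData(BaseString("POST", url, p), HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1));
            Console.WriteLine("untouched request verifies: " + Verify(key, "POST", url, p));
            p["opensocial_viewer_id"] = "33333";   // parameter changed after signing
            Console.WriteLine("modified request verifies:  " + Verify(key, "POST", url, p));
        }
    }
}
```

A deployed check would load the container's published certificate in place of the generated key and would also reject stale timestamps and repeated nonces.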


On Sep 23, 6:21 pm, Akash <[EMAIL PROTECTED]> wrote:
> Thanks a lot Raman.
>
> One more clarification I believe the transaction between orkut server
> and my application server is not over SSL.
>
> Thanks,
> -Akash
>
> On Sep 22, 10:34 am, Raman <[EMAIL PROTECTED]> wrote:
>
>
>
> > Hi Akash
>
> > Things work as per the usual public key - private key model.
> > When you call some web service using makeRequest, the request first goes to
> > the orkut server. The orkut server signs the request using its private key. At
> > your end, you can ensure the request is from orkut by decrypting the
> > received request with its public key (which is publicly available). So, if
> > you are able to decrypt it, that means orkut has sent the request;
> > otherwise, it's an invalid request.
>
> > Plus, when you send a signed request from your opensocial app, orkut
> > attaches an 'opensocial_owner_id' and an 'opensocial_viewer_id' (only if
> > the viewer has added the app) as GET parameters, through which you can confirm
> > who actually is the current viewer and the owner of the application.
>
> > Raman
>
> > On Sun, Sep 21, 2008 at 9:25 AM, Akash <[EMAIL PROTECTED]> wrote:
>
> > > Hi Jason,
> > >   Thanks for the response. I don't think not encoding the post data
> > > is the issue, because things were working when I was not signing the
> > > request :-(. I tried your suggestion anyway. I am still getting the same
> > > response.
>
> > > <HTML>
> > > <HEAD>
> > > <TITLE>invalid parameter name &lt;?xml version</TITLE>
> > > </HEAD>
> > > <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
> > > <H1>invalid parameter name &lt;?xml version</H1>
> > > <H2>Error 400</H2>
> > > </BODY>
> > > </HTML>
>
> > > Jason,
> > >   I am still not able to appreciate the authorization model of orkut.
> > > My current understanding is that when I make a web service call from
> > > an orkut application, the web service call first goes to a proxy on
> > > the orkut server. The proxy in turn makes a call to the application server on
> > > the internet on behalf of the application. Later the response traverses in the
> > > reverse direction.
> > > Now how do things change with
> > > signing (params[gadgets.io.RequestParameters.AUTHORIZATION] =
> > > gadgets.io.AuthorizationType.SIGNED;) coming into the picture? The
> > > questions I am looking to get answered are the following:
>
> > > 1.   Whether the web service request is encrypted from the browser to the
> > > proxy server on orkut.
> > > 2.   Is the request from the orkut server to the application server
> > > encrypted?
> > > 3.   In the security world, what exactly is the communication between the orkut
> > > proxy server and the application server called?
> > > 4.   What requirements should the web server that is running the application
> > > server fulfill? For e.g. I am using IIS7 and .NET framework 3.5
> > > provided by www.discountasp.net. My question is what should be my
> > > requirements for them?
>
> > > Another related question:-
> > > On application server side how do I ensure that the request I am
> > > getting from an application an user X?
>
> > > I would love to help the community once I understand the
> > > authentication model?
>
> > > Thanks,
> > > -Akash
>
> > > On Sep 16, 3:06 am, Jason <[EMAIL PROTECTED]> wrote:
> > > > Thanks for sharing your code snippet. :) Most of the time, I see
> > > > requests for assistance without any code, which obviously makes it
> > > > much harder to determine the problem.
>
> > > > As far as your issue, try using gadgets.io.encodeValues(soapRequest)
> > > > instead of passing soapRequest directly. See POST Requests in this
> > > > wiki article, which uses this convenience function to encode POST
> > > > data:
>
> > > > > http://code.google.com/p/opensocial-resources/wiki/GadgetsMakeRequest
>
> > > > Unfortunately, I don't have any ASP signature validation code handy,
> > > > but hopefully another member of the community has a snippet to share.
> > > > If you find one, we'll be more than happy to make it available on the
> > > > opensocial-resources wiki.
>
> > > > Cheers!
> > > > - Jason
>
> > > > On Sep 13, 11:38 am, Akash <[EMAIL PROTECTED]> wrote:
>
> > > > > Hi,
> > > > >     I have written an orkut application that is making a web service
> > > > > call. The web service is using ASP .NET 3.5. The application was
> > > > > working fine without any issue however when I added following in my
> > > > > web service call
>
> > > > > params[gadgets.io.RequestParameters.AUTHORIZATION] =
> > > > > gadgets.io.AuthorizationType.SIGNED;
>
> > > > > I started getting following response.
>
> > > > > <HTML>
> > > > > <HEAD>
> > > > > <TITLE>invalid parameter name &lt;?xml version</TITLE>
> > > > > </HEAD>
> > > > > <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
> > > > > <H1>invalid parameter name &lt;?xml version</H1>
> > > > > <H2>Error 400</H2>
> > > > > </BODY>
> > > > > </HTML>
>
> > > > > Any clue why I am facing this problem.
>
> > > > > BTW, I am also looking for some sample code where an authenticated Web
> > > > > Service call is made to a web service running on .NET framework 3.5.
>
> > > > > Thanks,
> > > > > -Akash
>
> > > > > Following is detailed code.
>
> > > > > > var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };
> > > > > > var params = {};
> > > > > > soapRequest =
> > > > > >     "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
> > > > > >     "<soap12:Envelope " +
> > > > > >     "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
> > > > > >     "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
> > > > > >     "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
> > > > > >     "<soap12:Body>" +
> > > > > >     "<" + method + " xmlns=\"" + ns + "\">" +
> > > > > >     parameters.toXml() +
> > > > > >     "</" + method + "></soap12:Body></soap12:Envelope>";
> > > > > > params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
> > > > > > params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
> > > > > > params[gadgets.io.RequestParameters.HEADERS] = map;
> > > > > > params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
> > > > > > params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;
> > > > > > var req;
>
> > > > > > gadgets.io.makeRequest(url, function(req) {
> > > > > >     SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
> > > > > > }, params);
>
> > > > > [WebMethod]
> > > > >     public bool isAppInstalledByUser(string id, string siteTye)
> > > > >     {
> > > > >         return false;
> > > > > >     }
You received this message because you are subscribed to the Google Groups 
"Orkut Developer Forum" group.