[oauth] Re: Java Library and java-twitter
Great! I am just a little bit worried that the core is getting too big.

The OAuth lib itself builds fine but sometimes we embed OAuth library in other JARs. The build error occurs in a JMeter plugin for OAuth. We build the plugin with OAuth code so only one JAR is delivered. For use-cases like this, it's very important to keep the dependencies to a minimum.

Thanks!
Zhihong

On Apr 14, 12:38 pm, John Kristian jmkrist...@gmail.com wrote:
> To build from the current source, you'll need the java-twitter library. Maven will take care of this, since the dependency is declared in http://oauth.googlecode.com/svn/code/java/core/pom.xml
>
> The Twitter-related code will probably move into java-twitter. I've been discussing that with its author. http://groups.google.com/group/java-twitter?hl=en
>
> On Apr 13, 11:57 am, Zhihong zhih...@gmail.com wrote:
> > I just checked out the new Java Library today from http://oauth.googlecode.com/svn/code/java/core/src/main/java but my program doesn't build anymore because of a new directory called java_twitter. Does java_twitter really belong to core?

You received this message because you are subscribed to the Google Groups OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
[oauth] Re: Java Library and java-twitter
To minimize dependencies, I recommend removing Java packages that you don't need. You can eliminate several dependencies this way, such as the Java Servlet API and both Apache HTTP client libraries.

I'm thinking of moving parts of oauth-core into new modules; for example a module for consumers (clients) and another for service providers (servers). Would that be helpful? Are there other parts that you'd like to be in separate modules?

On Apr 15, 7:45 am, Zhihong zhih...@gmail.com wrote:
> The OAuth lib itself builds fine but sometimes we embed OAuth library in other JARs. The build error occurs in a JMeter plugin for OAuth. We build the plugin with OAuth code so only one JAR is delivered. For use-cases like this, it's very important to keep the dependencies to a minimum.
[oauth] Re: Java Library and java-twitter
Hi Zhihong

> it's very important to keep the dependencies to a minimum.

Have you had the possibility to take a look at our OAuth Framework? http://asmx-oauth.googlecode.com/svn/site/1.0/index.html

I'm already in touch with John and tomorrow we'll have a call to study strategies together.

Best regards,
Simone

--
My LinkedIn profile: http://www.linkedin.com/in/simonetripodi
My GoogleCode profile: http://code.google.com/u/simone.tripodi/
My Picasa: http://picasaweb.google.com/simone.tripodi/
My Tube: http://www.youtube.com/user/stripodi
My Del.icio.us: http://del.icio.us/simone.tripodi
[oauth] Re: authorized access by url alone?
Great -- just what I was hoping to hear. I didn't want to start implementing if there was a known deal-breaker that I was not seeing. The caveats you mention, while important, are not deal breakers given what we need.

--peter

On Apr 15, 12:48 am, Mike Malone mjmal...@gmail.com wrote:
> Yea, that would work, some caveats apply though. First, it sounds like you may not need all of OAuth, but if you want to take advantage of the existing libraries and whatnot the extra OAuth features probably won't cause any problems.
>
> As you said, you'll want to generate signed OAuth URIs for the images on your server and insert them in your HTML. On the producer side (your image server) you'll definitely want to check nonces -- if you don't then every URI you generate will continue working forever, and could be intercepted by someone or forwarded to a third party. To limit the number of nonces you have to remember you might decide you'll only accept URIs with a timestamp that's less than 24 hours old (for example), in which case you'll only need to keep used nonces around for 24 hours.
>
> Even if you check nonces someone could still request the page, parse out the URIs, and send them to a third party to use. So it's not perfect, but if you're currently using cookie-based auth it's probably about as secure as your existing solution.
>
> Mike
>
> On Tue, Apr 14, 2009 at 10:32 PM, pkeane pjke...@gmail.com wrote:
> > I have been learning about OAuth a bit (I managed to access a GMail inbox from GAE: http://simplenotepad.appspot.com/text/goggle-app-engine-oauth-access-... ), but I am still unclear on one point. Assuming I (i.e., the web app) can get the access token, is it possible to construct a URL that can be placed in an i...@src in the rendered html to allow the browser to access a restricted image?
> >
> > The use case is a digital image library (in heavy use at UT Austin) in which some images are only available under fair use. The image server is a separate application from the rest of the app: we currently check for a UT-specific secure cookie to serve restricted images (lack of the cookie simply causes us to send a thumbnail version). I'd much prefer a URL-based access scheme with a two-legged OAuth approach. This piece need not be uber-secure -- we just don't want to put all of the assets on the open web.
> >
> > --peter keane
[oauth] Re: authorized access by url alone?
It's also similar to the way Amazon S3 URIs work, except with S3 the timestamp is actually the expiration date for the URI (as opposed to the time that the request was created) and there's no nonce (URIs can be used repeatedly until they expire). You may want to take a look at their API for some more ideas / to validate your own ideas.

Mike

On Wed, Apr 15, 2009 at 11:25 AM, Chris Messina chris.mess...@gmail.com wrote:
> Pretty sure this is what Digg is ostensibly doing. Maybe Joe Stump can shed some light.
>
> Chris
>
> On Wed, Apr 15, 2009 at 11:19 AM, pkeane pjke...@gmail.com wrote:
> > Great -- just what I was hoping to hear. I didn't want to start implementing if there was a known deal-breaker that I was not seeing. The caveats you mention, while important, are not deal breakers given what we need.
> >
> > --peter
> >
> > On Apr 15, 12:48 am, Mike Malone mjmal...@gmail.com wrote:
> > > Yea, that would work, some caveats apply though. First, it sounds like you may not need all of OAuth, but if you want to take advantage of the existing libraries and whatnot the extra OAuth features probably won't cause any problems.
> > >
> > > As you said, you'll want to generate signed OAuth URIs for the images on your server and insert them in your HTML. On the producer side (your image server) you'll definitely want to check nonces -- if you don't then every URI you generate will continue working forever, and could be intercepted by someone or forwarded to a third party. To limit the number of nonces you have to remember you might decide you'll only accept URIs with a timestamp that's less than 24 hours old (for example), in which case you'll only need to keep used nonces around for 24 hours.
> > >
> > > Even if you check nonces someone could still request the page, parse out the URIs, and send them to a third party to use. So it's not perfect, but if you're currently using cookie-based auth it's probably about as secure as your existing solution.
> > >
> > > Mike
> > >
> > > On Tue, Apr 14, 2009 at 10:32 PM, pkeane pjke...@gmail.com wrote:
> > > > I have been learning about OAuth a bit (I managed to access a GMail inbox from GAE: http://simplenotepad.appspot.com/text/goggle-app-engine-oauth-access-... ), but I am still unclear on one point. Assuming I (i.e., the web app) can get the access token, is it possible to construct a URL that can be placed in an i...@src in the rendered html to allow the browser to access a restricted image?
> > > >
> > > > The use case is a digital image library (in heavy use at UT Austin) in which some images are only available under fair use. The image server is a separate application from the rest of the app: we currently check for a UT-specific secure cookie to serve restricted images (lack of the cookie simply causes us to send a thumbnail version). I'd much prefer a URL-based access scheme with a two-legged OAuth approach. This piece need not be uber-secure -- we just don't want to put all of the assets on the open web.
> > > >
> > > > --peter keane
>
> --
> Chris Messina
> Citizen-Participant Open Web Advocate
> factoryjoe.com // diso-project.org // vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private
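
The two schemes discussed in this thread (single-use URIs with a nonce and a 24-hour timestamp window, and S3-style URIs that carry their own expiry), sketched as an added example that is not from any poster or from an OAuth library. It uses a simplified HMAC over path and parameters rather than the OAuth signature base string; the secret, parameter names and `ImageServer` class are hypothetical.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qsl

SECRET = b"constructed-demo-secret"   # assumption: shared by web app and image server
MAX_AGE = 24 * 3600                   # the 24-hour window suggested in the thread

def _mac(path, params):
    # Simplified HMAC-SHA256 over path + sorted params (not the OAuth base string).
    msg = path + "?" + urlencode(sorted(params.items()))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def sign_once(path, now):
    """Single-use URL: creation timestamp plus random nonce."""
    p = {"ts": str(int(now)), "nonce": secrets.token_hex(8)}
    return path + "?" + urlencode({**p, "sig": _mac(path, p)})

def sign_expiring(path, now, ttl):
    """S3-style URL: carries its expiry time and is reusable until then."""
    p = {"expires": str(int(now + ttl))}
    return path + "?" + urlencode({**p, "sig": _mac(path, p)})

class ImageServer:
    def __init__(self):
        self.seen = {}                # nonce -> timestamp of the URL that used it

    def check(self, url, now):
        parts = urlsplit(url)
        p = dict(parse_qsl(parts.query))
        sig = p.pop("sig", "")
        if not hmac.compare_digest(sig.encode(), _mac(parts.path, p).encode()):
            return "bad signature"
        if "expires" in p:            # S3-style: nothing to remember server-side
            return "ok" if now <= int(p["expires"]) else "expired"
        if "ts" not in p or "nonce" not in p:
            return "malformed"
        ts = int(p["ts"])
        if not 0 <= now - ts <= MAX_AGE:
            return "stale timestamp"
        # Nonces older than the window can be dropped: their URLs fail the check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if p["nonce"] in self.seen:
            return "replayed nonce"
        self.seen[p["nonce"]] = ts
        return "ok"
```

Neither scheme stops a recipient from forwarding a still-valid URL before it is first used or before it expires; the nonce only limits a URL to one fetch.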
[oauth] Re: authorized access by url alone?
If you want to use standard OAuth libraries, use a full set of credentials: consumer key and consumer secret, token and token secret. It's more than you need, but some libraries require it all.

If you need help using a specific library, this is a pretty good place to ask.

On Apr 14, 10:32 pm, pkeane pjke...@gmail.com wrote:
> Assuming I (i.e., the web app) can get the access token, is it possible to construct a URL that can be placed in an i...@src in the rendered html to allow the browser to access a restricted image?