Security Minutes 2009-02-18
From MemberWiki
URL: http://www.openajax.org/member/wiki/Security_Minutes_2009-02-18
Attendees
- Bertrand Le Roy - MS
- Javier Pedemonte - IBM
- David Boloker - IBM
- Jon Ferraiolo - IBM
- Suresh Chari - IBM
Minutes
JonF mentioned that the OpenSocial meeting originally scheduled for March is now postponed. The original schedule of weekly calls was based on completing some parts of the discussion before the OpenSocial meeting; we'll go back to calls every other week.
Bertrand mentioned that LiveId will support OpenID and is interested in the Openid scenario.
Javier implemented a fake gadget which loads and then does a redirection to get the real gadget. This can be used in the SAML scenario, where the fake gadget gets the SAML token and then gets the real gadget. He discovered some issues in the SMash provider, where widgets timed out while waiting for the user to authenticate. The demo had to comment out some code for URI verification at load and unload, but he is pretty sure this was just being extra careful and not really necessary. The sample persists a cookie to prove that feature (likely needed by SAML), but it is not used in the demo.
General approach to authentication seems to be: load a fake gadget which authenticates and then loads the real one. Three possibilities:
(a) The fake gadget does NOT do the hub connection; it relies on quickly doing the authentication and then loading the real gadget, which does the hub connection. Similar to the prototype done by Javier. The issue is that it can cause the timeout to expire.
(b) The fake gadget does the hub connection, then loads the real gadget with an initial "loaded" state. Need to think through the security issues here.
(c) The fake gadget does the hub connection and then acts as a mashup page, loading the real gadget in another iframe which overlaps exactly with this one. This requires an additional hub instance as well as another message hop.
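The loader pattern of option (a), as an added example that is not code from the OpenAjax project or from Javier's prototype: the decision logic of a fake gadget that checks for a persisted token cookie, verifies the real gadget's URL before redirecting (the URI verification the demo had commented out) and reports the case where the container's load timeout has already expired. The cookie name, the allowlist, the timeout values and all function names are assumptions made for this example.

```javascript
// Added example (not OpenAjax Alliance code): loader logic for the option (a)
// "fake gadget". Cookie name, allowlist and function names are assumptions.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                      // skip malformed fragments
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// The URI verification the demo had commented out: the "real" gadget URL is
// loaded only if it parses, uses https and its origin is on an explicit
// allowlist, so the loader cannot be pointed at an arbitrary target.
function isAllowedGadgetUrl(candidate, allowedOrigins) {
  let url;
  try { url = new URL(candidate); } catch (e) { return false; }
  return url.protocol === 'https:' && allowedOrigins.includes(url.origin);
}

// Decide the fake gadget's next step. In option (a) nothing has connected to
// the hub yet, so once the container's load timeout has elapsed the widget is
// already reported as timed out, whatever authentication does afterwards.
function planLoaderStep({ cookieString, realGadgetUrl, allowedOrigins,
                          authElapsedMs, hubTimeoutMs }) {
  if (!isAllowedGadgetUrl(realGadgetUrl, allowedOrigins)) {
    return { action: 'reject', reason: 'real gadget URL not on allowlist' };
  }
  if (authElapsedMs >= hubTimeoutMs) {
    return { action: 'timed_out', reason: 'load timeout expired before auth' };
  }
  const token = parseCookies(cookieString)['saml_token']; // assumed cookie name
  if (!token) {
    return { action: 'authenticate', remainingMs: hubTimeoutMs - authElapsedMs };
  }
  return { action: 'redirect', target: realGadgetUrl };
}

// Constructed sample run: token already persisted, 4 s spent of a 10 s budget.
const sampleStep = planLoaderStep({
  cookieString: 'theme=dark; saml_token=constructed-sample-token',
  realGadgetUrl: 'https://gadgets.example.test/real-gadget.html',
  allowedOrigins: ['https://gadgets.example.test'],
  authElapsedMs: 4000,
  hubTimeoutMs: 10000,
});  // sampleStep.action === 'redirect'
```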
Talked about whether it might help to define more states in the Hub, but there was a general negative response to that. Want to keep the Hub as simple as possible; complexity is a negative.
Howard mentioned at last week's phone call that he had a possible solution in this area.
Javier will prototype this scenario to investigate efficiency issues.
Will discuss these and explore if other solutions exist in the next call.
