[ https://issues.jboss.org/browse/RTGOV-59?page=com.atlassian.jira.plugin.s... ] Eric Wittmann commented on RTGOV-59: ------------------------------------ After looking into this a bit I'm not too sure how to proceed. The Overlord RTGov REST services are invoked from their respective gadgets via the gadget IO layer provided by the shindig gadget server. Here's how this works: 1) The shindig server provides container.js to the host page in gadget-web 2) The container.js includes a "makeRequest" function in gadgets.io (a javascript function for making JSON REST calls) 3) A gadget invokes a REST endpoint by calling gadgets.io.makeRequest(), passing the args and the URL of the REST service 4) The javascript function invokes a servlet found in gadget-server (MakeRequestServlet) 5) The makeRequest servlet in turn invokes the actual REST endpoint (e.g. in overlord-rtgov) 6) The REST endpoint responds with JSON 7) The makeRequest receives the JSON data and wraps it into a response object, returning it to the client-side gadgets.io.makeRequest() handler 8) The gagdet's callback is invoked with the response payload Security considerations are many and varied. First note that user logins will occur on the gadget-web context. This is where SSO, for example, is configured (so that users must login before accessing the gadget UI). The container.js javascript is served out of the gadget-server web context, along with the data services (MakeRequestServlet) provided by it. The gadgets themselves are served out of yet another context, "gadgets". I don't believe this is relevant, since the gadgets always go through the gadget-server's IO layer. Additionally, the Overlord RTGov REST endpoints exist in the overlord-rtgov web context. Ultimately we want to secure the REST services in overlord-rtgov in such a way that the MakeRequestServlet in the gadget-server web context can securely invoke them. Also note that currently the gadget-server context is not secured, which implies that its endpoints could be invoked directly (e.g. makeRequest). It's likely that this also needs to be addressed. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira