Your OneBox provider will receive user identity information in the URL.
However, the form of this identity will depend on how the module is
configured. It could be (1) a simple username and password, (2) an
LDAP distinguished name, or (3) the name of a cookie passed in the
request header.

In cases (2) and (3) the user has already been authenticated, so your
provider code only has to check against the user's access privileges
to determine what data to return. In case (1) you should authenticate
the user by checking the password (to make sure they are who they say
they are) before checking the access privileges.

If your application is outside of the customer environment then case
(1) may be your only option (since you may not be able to determine the
user's identity from the customer's LDAP server or from a cookie set by
the customer's single sign-on system).

An additional security option at your disposal is to specify that you'd
like to authenticate the GSA itself using HTTP Basic Authentication (by
contrast, the previous paragraphs were about authenticating and
authorizing the end user). In this case the GSA's credentials will
come in the request header as specified by the W3C spec
(http://www.w3.org/Protocols/HTTP/1.0/draft-ietf-http-spec.html#BasicAA).

Hope that helps
-Jeff
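
The provider-side order of checks described above, as an added example that is not part of the original post and is not OneBox or GSA code: verify the GSA's Basic credentials first, then authenticate the user in case (1) or accept the already-authenticated identity in case (2), then check access privileges. The `identity` dictionary, its keys, and all credentials and names below are constructed assumptions; the real URL parameter names are not given in the post.

```python
import base64, binascii, hashlib, hmac

# Constructed sample data (assumptions for illustration only).
GSA_CREDS = ("gsa-appliance", "constructed-gsa-secret")
SALT = b"constructed-salt"

def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

USERS = {"alice": _hash("alice-pass")}            # username -> password hash
DN_TO_USER = {"cn=alice,ou=people,dc=example,dc=com": "alice"}
ACL = {"alice": ["payroll"]}                      # user -> data sets allowed

def gsa_authenticated(auth_header):
    """Validate the GSA's own HTTP Basic credentials from the Authorization header."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Constant-time comparisons, both always evaluated.
    ok_user = hmac.compare_digest(user.encode(), GSA_CREDS[0].encode())
    ok_pw = hmac.compare_digest(pw.encode(), GSA_CREDS[1].encode())
    return bool(sep) and ok_user and ok_pw

def resolve_user(identity):
    """Map the identity passed by the GSA to a local user, or None."""
    kind = identity.get("kind")
    if kind == "password":                        # case (1): authenticate first
        stored = USERS.get(identity.get("user", ""))
        supplied = _hash(identity.get("password", ""))
        if stored is not None and hmac.compare_digest(stored, supplied):
            return identity["user"]
        return None
    if kind == "ldap_dn":                         # case (2): already authenticated
        return DN_TO_USER.get(identity.get("dn", "").lower())
    return None                                   # unknown identity form: deny

def handle(auth_header, identity, dataset):
    """Return an HTTP status: 401 bad GSA credentials, 403 user denied, 200 allowed."""
    if not gsa_authenticated(auth_header):
        return 401
    user = resolve_user(identity)
    if user is None or dataset not in ACL.get(user, []):
        return 403
    return 200
```

Case (3), the cookie name, would be one more branch in `resolve_user` that validates the cookie value against the single sign-on system before mapping it to a user.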