Configuring Shindig Locked Domain Support in Apache Rave

Loading

Prerequisites

To follow these instructions you'll need a working copy of Apache Rave up and running under Tomcat 6. Please see the Installing Rave page for instructions on how to get up and running.

Enabling Locked Domain Support in Apache Rave

These instructions demonstrate how to get Apache Shindig locked domain support up and running in Apache Rave. Locked domains take advantage of the web browsers domain-based sandboxing policies to isolate gadgets from each other and the main container page. The Shindig mailing list is a good source of information for more details regarding locked domains.

Enabling locked domain support within Apache Rave is achieved via a combination of DNS and Shindig configuration changes. To fully support locked domain in a production environment you'll likely need to setup and configure your locked domain with wildcard DNS (otherwise you'd have to create manual DNS entries for every single gadget that you want to run on a locked domain). For the purposes of experimenting with locked domain however just adding entries to the "hosts" file for the gadgets on a default Apache Rave page should be sufficient. The Shindig configuration changes required are enabling locked domain support in the top level Shindig configuration and then configuring the individual Shindig container via the container.js file.

The sample locked domain we'll use here will be "-locked.gadgets.example.com".

The default locked domain implementation within Shindig generates locked domain URL's by taking a hash of the gadget specification URL and pre-pending it onto the configured locked domain suffix. Here are the locked domain entries that were added to my local "hosts" file to support the default gadgets on an Apache Rave page at the time this documentation was written:

    127.0.0.1   v6fvvlv3hm7kt7oj96mug1uvrdke6kpg-locked.gadgets.example.com
    127.0.0.1   76r748j1k68i8t7v35r0oakjtb0uvpr3-locked.gadgets.example.com
    127.0.0.1   tqfbbnhq7v3nah5ifshpfrg5i9elegum-locked.gadgets.example.com
    127.0.0.1   fdtj4i7cslo8149tjpt9778jodkds1is-locked.gadgets.example.com

For the Shindig configuration changes please refer to the patch generated from my local changes below. With these changes in place you should be able to fire up Apache Rave, access the default page as one of the sample users and see the locked domains being utilized in the gadget iframe URL's.

Complete diff of modified files follows

    Index: rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js
    ===================================================================
    --- rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js   (revision 1228369)
    +++ rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js   (revision )
    @@ -59,15 +59,15 @@
     "gadgets.parent" : null,

     // Should all gadgets be forced on to a locked domain?
    -"gadgets.uri.iframe.lockedDomainRequired" : false,
    +"gadgets.uri.iframe.lockedDomainRequired" : true,

     // DNS domain on which gadgets should render.
     // Default Uri config: these must be overridden - specified here for testing purposes
    -"gadgets.uri.iframe.unlockedDomain": "${Cur['defaultShindigTestAuthority']}",
    +"gadgets.uri.iframe.unlockedDomain": "localhost:8080",
     // When setting up the server to enable locked domains, you should set this to something that does not
     // attempt to use the authority at all.  Ideally it would be another hostname that points to this server.
     // Example: unlockedDomain="shindig.example.com" lockedDomainSuffix="-locked.gadgets.example.com"
    -"gadgets.uri.iframe.lockedDomainSuffix": "${Cur['defaultShindigTestAuthority']}",
    +"gadgets.uri.iframe.lockedDomainSuffix": "-locked.gadgets.example.com:8080",

     // Origins for CORS requests and/or Referer validation
     // Indicate a set of origins or an entry with * to indicate that all origins are allowed
    @@ -84,11 +84,8 @@
     // jsUriTemplate will have %host% and %js% substituted.
     // No locked domain special cases, but jsUriTemplate must
     // never conflict with a lockedDomainSuffix.
    -"gadgets.jsUriTemplate" : "http://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
    +"gadgets.jsUriTemplate" : "http://${Cur['gadgets.uri.iframe.unlockedDomain']}{CONTEXT_ROOT}/gadgets/js/%js%",

    -"gadgets.uri.js.host" : "http://www.example.com/",
    -"gadgets.uri.js.path" : "${CONTEXT_ROOT}/gadgets/js",
    -
     // Callback URL.  Scheme relative URL for easy switch between https/http.
     "gadgets.uri.oauth.callbackTemplate" : "//%host%${CONTEXT_ROOT}/gadgets/oauthcallback",

    @@ -124,16 +121,16 @@
     "defaultShindigProxyConcatAuthority":"%authority%",

     // Default Js Uri config: also must be overridden.
    -"gadgets.uri.js.host": "//${Cur['defaultShindigTestAuthority']}",
    +"gadgets.uri.js.host": "//${Cur['gadgets.uri.iframe.unlockedDomain']}",
     "gadgets.uri.js.path": "${CONTEXT_ROOT}/gadgets/js",

     // Default concat Uri config; used for testing.
    -"gadgets.uri.concat.host" : "${Cur['defaultShindigProxyConcatAuthority']}",
    +"gadgets.uri.concat.host" : "${Cur['gadgets.uri.iframe.unlockedDomain']}",
     "gadgets.uri.concat.path" : "${CONTEXT_ROOT}/gadgets/concat",
     "gadgets.uri.concat.js.splitToken" : "false",

     // Default proxy Uri config; used for testing.
    -"gadgets.uri.proxy.host" : "${Cur['defaultShindigProxyConcatAuthority']}",
    +"gadgets.uri.proxy.host" : "${Cur['gadgets.uri.iframe.unlockedDomain']}",
     "gadgets.uri.proxy.path" : "${CONTEXT_ROOT}/gadgets/proxy",

     //Enables/Disables feature administration
    @@ -153,7 +150,7 @@
         // Note: /proxy is an open proxy. Be careful how you expose this!
         // Note: Here // is replaced with the current protocol http/https
        //"proxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/proxy?container=%container%%rewriteMime%&refresh=%refresh%&gadget=%gadget%/%rawurl%",
    -    "proxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/proxy?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
    +    "proxyUrl" : "//${Cur['gadgets.uri.iframe.unlockedDomain']}${CONTEXT_ROOT}/gadgets/proxy?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
         "jsonProxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/makeRequest"
       },
       "views" : {
    Index: rave-project/rave-shindig/src/main/resources/rave.shindig.properties
    ===================================================================
    --- rave-project/rave-shindig/src/main/resources/rave.shindig.properties    (revision 1228398)
    +++ rave-project/rave-shindig/src/main/resources/rave.shindig.properties    (revision )
    @@ -96,7 +96,7 @@
     shindig.signing.viewer-access-tokens-enabled=false

     # If enabled here, configuration values can be found in container configuration files.
    -shindig.locked-domain.enabled=false
    +shindig.locked-domain.enabled=true

     # TODO: This needs to be moved to container configuration.
     shindig.content-rewrite.only-allow-excludes=false