[JDEV] Discussion of transports?
Joe Hildebrand
JHildebrand at jabber.com
Wed Sep 24 17:04:37 CDT 2003
Robert Norris writes:
> - Suitable access controls are required. Obviously, it won't do to
> allow anyone to change anyone else's roster. One thought we had is to
> restrict operations based on the transport JID (domain) - i.e., the
> transport can only set roster items of its own users, and when a
> roster is retrieved, it only receives items for its own users.
> This may not be a good idea, however, as not all servers are
> transports - do I really want a remote (Jabber) server to be able to
> modify the contacts on my roster for its own users?
Even if you allowed transports to do this, there should probably be an
access-control check. I can't think of a good (secure) way to do that such
that I can be a user on server A, and access a transport running on server
B.
Aside from the S2S thing, you could get there with today's servers by having
the transport start a session on behalf of the user, retrieve the roster,
and then do roster sets/presence subscribes. The roster pushes would then
happen automatically to other sessions.
--
Joe Hildebrand
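
The domain-scoped restriction from the quoted proposal, combined with a per-user access-control check, as an added example that is not part of the original thread or of any Jabber server's code. The `RosterACL` class, its per-user opt-in list and the sample JIDs are assumptions constructed for illustration, and the requester's domain is assumed to be already authenticated by the server.

```python
def jid_domain(jid):
    """Return the lowercased domain of a JID of the form local@domain/resource."""
    bare = jid.split("/", 1)[0]           # drop the resource first
    return bare.rpartition("@")[2].lower()

class RosterACL:
    """Hypothetical roster store with domain-scoped access for transports."""
    def __init__(self):
        self.rosters = {}      # user bare JID -> {contact JID: name}
        self.authorized = {}   # user bare JID -> transport domains the user opted in to

    def authorize(self, user, transport_domain):
        self.authorized.setdefault(user, set()).add(transport_domain.lower())

    def _allowed(self, requester, user, contact=None):
        domain = jid_domain(requester)
        # Check 1: the user approved this component. This is what keeps an
        # arbitrary remote server from being treated as a transport.
        if domain not in self.authorized.get(user, set()):
            return False
        # Check 2: the component may only touch contacts in its own domain.
        return contact is None or jid_domain(contact) == domain

    def set_item(self, requester, user, contact, name):
        if not self._allowed(requester, user, contact):
            return False
        self.rosters.setdefault(user, {})[contact] = name
        return True

    def get_items(self, requester, user):
        if not self._allowed(requester, user):
            return None
        domain = jid_domain(requester)
        roster = self.rosters.get(user, {})
        return {c: n for c, n in roster.items() if jid_domain(c) == domain}

def demo():
    # Constructed sample data: alice opted in to one transport only.
    acl = RosterACL()
    acl.rosters["alice@a.example"] = {"bob@a.example": "Bob"}
    acl.authorize("alice@a.example", "icq.b.example")
    return acl, [
        acl.set_item("icq.b.example", "alice@a.example", "12345@icq.b.example", "ICQ pal"),
        acl.set_item("icq.b.example", "alice@a.example", "bob@a.example", "renamed"),
        acl.set_item("jabber.c.example", "alice@a.example", "eve@jabber.c.example", "Eve"),
    ]

if __name__ == "__main__":
    print(demo()[1])
```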