Comments on: Enterprise RSS and security

By: gregr

gregr — Wed, 22 Apr 2009 23:47:53 +0000

Rob: I have a blog post here:

http://www.rassoc.com/gregr/weblog/2005/09/28/rss-security-part-deux-web-based-aggregators/

which describes how NewsGator Online behaves with feeds that require credentials. Bottom line, as long as you don’t try to put the credentials on the URL, and as long as the feed actually requires credentials (as opposed to a “secret URL”), it should be fine.

By: Rob

Rob — Tue, 21 Apr 2009 21:21:29 +0000

Are the secure RSS feeds in NewsGator Online handled the same way as your enterprise system? I ask because I’d like to use NGO to replace Google Reader it lets me access the fxphd.com forum RSS feeds. However, the fxphd folks are conserned about the secruity of their data in any on-line news aggregator.

Can you comment on this thirt party RSS security question in NewsGator Online. (I’ve posted this question in the forum also.)

Peace,

Rob:-]

By: gregr

gregr — Thu, 18 Dec 2008 17:13:25 +0000

@Peter, it’s done with HTTP headers in the feed response. I’ll follow up with you via email.

By: Peter Verhoeven

Peter Verhoeven — Thu, 18 Dec 2008 11:55:44 +0000

Hi Greg,

Thanks a lot for addressing my concerns about missing security features in Enterprise RSS tools.

You wrote:
“So, in NGES 3.x, it will actually look for a specific header in the feed that basically says “this feed will be the same for everyone.” If it sees that header, it will still individually authorize access for every user trying to access the feed, but it will only retrieve and store the content once.”

In terms of functionality, this seems to be exact the feature we request.
In terms of technical implementation I’m curious, how the “this feed will be the same for everyone.” header can be added?

If this can be done within NGES I think it will be a great new feature to share secure RSS feeds.

By: gregr

gregr — Thu, 18 Dec 2008 00:33:52 +0000

@Gavin – perhaps, but not in every case. For example – if you and I both go to gmail.com, it’s the same URL, but we’re going to see different content. The same is true for any given resource that requires authentication – it’s not guaranteed to be the same for all users.

A more enterprisey example might be a given list in SharePoint – perhaps all users have access to see the list (and thus the feed for the list), but only members of the “Accounting” group can see one extra article in that list. Same URL, but different content.

By: Gavin Terrill

Gavin Terrill — Wed, 17 Dec 2008 23:23:51 +0000

Isn’t the fundamental problem url abuse? If a feed returns different data (i.e. a different resource) depending on who is accessing it, it should provide a different url for that resource. E.g. instead of just ‘/feeds/toiletblog/’, it should be ‘/feeds/toiletblog/jplumber’ etc.