[JDEV] Discussion of transports?

Joe Hildebrand JHildebrand at jabber.com
Wed Sep 24 17:04:37 CDT 2003

Robert Norris writes:

>  - Suitable access controls are required. Obviously, it won't do to
>    allow anyone to change anyone elses roster. One thought we 
> had is to
>    restrict operations based on the transport JID (domain) - ie, the
>    transport can only set roster items of its own users, and when a
>    roster is retrieved, it only receives items for its own users.
>    This may not be a good idea, however, as not all servers are
>    transports - do I really want a remote (Jabber) server to 
> be able to
>    modify the contacts on my roster for its own users?

Even if you allowed transports to do this, there should probably be an
access-control check.  I can't think of a good (secure) way to do that such
that I can be a user on server A, and access a transport running on server

Aside from the S2S thing, you could get there with today's servers by having
the transport start a session on behalf of the user, retrieve the roster,
and then do roster sets/presence subscribes.  The roster pushes would then
happen automatically to other sessions.

Joe Hildebrand


More information about the JDev mailing list