Box Files

Monday, June 25, 2007

Edmund Edgar's comments on authentication, taken from the Facebook group

OK, a couple of thoughts about this, having done similar stuff for Sloodle... This'll be a bit long...

There are basically 2 approaches here.

A) Use avatar names and/or keys, sent to the server by a trusted object.
1. First, find a way for Joomla to know it can trust an object in SL.
2. Second, find a way to tie a Joomla account to an SL avatar name.

B) Use Joomla-account-specific login credentials (Joomla username/password or something else) known only to that user every time the user interacts with Joomla.

Looking at mechanisms for each one in turn:
A1) Trusting an object. Options would be:
- a) Set a special password on the Joomla side and put that in your object. (in Sloodle this is either a site-wide "prim password" or an "object-specific session key" that gets created when an administrator approves an object)
- b) Keep a list of Linden Lab IP addresses (or do some DNS lookups to confirm that a request comes from the Linden Lab servers) and rely on the header information used in HTTP requests from SL. For instance, if you tell Joomla the avatar names of avatars you trust, you can then have it trust any object owned by that avatar.
- c) Life's too short and we like to live dangerously. Just trust any object that can figure out where our Joomla server lives.

A2) Linking the avatar name / uuid with the Joomla account
- a) With the RegAPI, you can create your SL account in Joomla and get back the uuid of the user you've created. (I think you're already doing this?)
- b) If the user isn't registered in Joomla, you can have your trusted object register them automatically in Joomla with their avatar name. (We do this in Sloodle if the system administrator turns it on.)
- c) If the user may already be registered in both and is using the system from SL, you can open a URL with a special code attached so that when they log in / register in Joomla, Joomla knows which avatar they are. (We do this in Sloodle if automatic registration is off.)
- d) If the user may already be registered in both and is using the system from the web, you can create an SLURL sending them to a particular point in space temporarily assigned especially to them. You can then detect when an avatar turns up at that point on the SL side, and link to their avatar. (We do this in Sloodle. The disadvantage is that it requires you to have turned your teleport hub off.)

B) Use Joomla-account-specific login credentials.
Instead of figuring out how to trust an object, then figuring out how to link an avatar, you combine the two: An object opens a URL containing its uuid, the avatar logs into Joomla and confirms they trust it, Joomla sends a session key to the object allowing it to act as the user in subsequent requests.
This is closer to the approach used in normal web transactions: we don't try to trust the user agent (the browser) or the user specifically; we just see if the browser/user can give us a genuine username/password, and if they can we give them a session key to use from then on (or until they time out).
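Approach B as server-side logic, added here as an illustration and not code from the post, Sloodle or Joomla; the class and method names are assumed, and the user is taken to have already logged into Joomla before confirming the object:

```python
import hmac
import secrets
import time


class ObjectSessionBroker:
    """Joomla-side state for approach B: an in-world object asks to be
    linked, the logged-in user confirms it, and the object receives a
    session key that lets it act as that user until the key expires."""

    def __init__(self, ttl_seconds=3600):
        self.pending = {}    # object_uuid -> one-time confirmation code
        self.sessions = {}   # session_key -> (object_uuid, username, expiry)
        self.ttl = ttl_seconds

    def object_requests_link(self, object_uuid):
        # The object opens a URL carrying its uuid; we hand back a one-time
        # code that is embedded in the URL the avatar will open in a browser.
        code = secrets.token_urlsafe(16)
        self.pending[object_uuid] = code
        return code

    def user_confirms(self, username, object_uuid, code, now=None):
        # Called after the user has logged into Joomla and clicked "trust".
        # Constant-time compare of the code; the code is consumed on use.
        now = time.time() if now is None else now
        expected = self.pending.get(object_uuid)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        del self.pending[object_uuid]
        key = secrets.token_urlsafe(32)
        self.sessions[key] = (object_uuid, username, now + self.ttl)
        return key

    def authenticate_request(self, session_key, object_uuid, now=None):
        # Each later request from the object carries the key and its uuid;
        # returns the username it may act as, or None if rejected.
        now = time.time() if now is None else now
        entry = self.sessions.get(session_key)
        if entry is None:
            return None
        bound_uuid, username, expiry = entry
        if now > expiry:
            del self.sessions[session_key]   # expired keys are dropped
            return None
        if bound_uuid != object_uuid:
            return None                       # key presented by another object
        return username
```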
