[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Security question/concern on resource URLs
When using producer url rewriting (templates) and using 1.0 style
resource proxying, the producer fills in the resource template and
replaces the {wsrp-url} with the absolute URL to the resource. This is
rendered and sent to the browser, creating a URL like
http://consumer/resourceServlet?wsrp-url=http%3A%2F%2FresourceHost%2fresourcePath&wsrp-rewrite=true.
The problem is on the browser client-side scripting (or manual editing)
may be used to rewrite this URL to point to a different resource. Is
there anyway to prevent this?
Presumably when using consumer rewriting the consumer MAY use an
entirely different URL scheme which replaces the resource URL with an
id. Also, the 2.0 resource operation may be used similarly, but managed
by the producer.
Any thoughts on this?
On the other hand, URL rewriting is commonly used for RIA application
(e.g. REST urls). Is there anyway to support both?
Nate
Notice: This email message, together with any attachments, may contain information of BEA Systems, Inc., its subsidiaries and affiliated entities, that may be confidential, proprietary, copyrighted and/or legally privileged, and is intended solely for the use of the individual or entity named in this message. If you are not the intended recipient, and have received this message in error, please immediately return this by email and then delete it.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]