
wsrp-wsia message



Subject: [wsrp-wsia] [change request #138] Transferring information to proxied resources


Document: Spec
Section:  10.3.3
Page/Line: New section
Requested by: Mike Freedman
Old text:
New text: New section describing how userContext/Profile information is 
passed to resources.

Reasoning:  Specification doesn't define how a portlet can transfer 
userContext/Profile information to proxied resources.  As I don't recall 
ever discussing it I want to find out if it should be left as is -- i.e. 
an exercise for the portlet developer or we should define special http 
headers to carry this information.  The problem with the former [current 
model] is that this information will commonly be carried all the way back 
to the client and appear in plain text in the browser URL -- folks may 
freak seeing their UserId or personal profile information in a browser 
URL.  If we define specific headers to carry this we not only make it easy 
for the portlet developer as they don't have to encode/decode URLs but 
also achieve more safety as this information is only represented between 
the consumer and the producer.  Note: if we go this latter route we will 
probably want to add a boolean or two to the resourceURL consumer/producer 
mechanism so they can control whether this information needs to be passed or 
not [optimization].

[RT] Good point on providing this type of guidance. There are significant 
security and privacy issues in having this information appear either in 
the URL or headers. Another alternative would be to suggest using an 
indirection in the URL which allows the resource to locate the information 
(likely an indication of the sessionID). This allows locating any 
information the Portlet is willing to make available. Should we also 
discuss whether cookies have to be connected back to the proxied resource 
the same as to the Portlet?
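
The two models contrasted in the change request, as an added sketch that is not part of the original message or of the WSRP specification: user context encoded into the client-visible resource URL versus context attached by the consumer as headers on the consumer-to-resource hop, gated by a per-URL boolean. The header names, the `passUserContext` flag, the proxy URL layout and the sample user are all assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Hypothetical names: the specification under discussion defines none of these.
HDR_USER_ID = "X-Example-User-Id"
HDR_PROFILE = "X-Example-User-Profile"
FLAG = "passUserContext"


def url_model(proxy_base, resource_url, ctx):
    """Current model: the portlet encodes user context into the resource URL,
    so it travels to the browser and shows up in the address bar and history."""
    params = {"url": resource_url, "uid": ctx["user_id"], **ctx["profile"]}
    return f"{proxy_base}?{urlencode(params)}"


def header_model_url(proxy_base, resource_url, pass_context):
    """Proposed model: the client-visible URL carries only the target and a
    boolean saying whether the consumer should forward user context."""
    params = {"url": resource_url, FLAG: "true" if pass_context else "false"}
    return f"{proxy_base}?{urlencode(params)}"


def consumer_proxy_request(client_url, session_ctx):
    """Consumer side: build the request to the proxied resource, taking user
    context from the consumer's own session rather than from the URL."""
    query = parse_qs(urlsplit(client_url).query)
    resource_url = query["url"][0]
    headers = {}
    if query.get(FLAG, ["false"])[0] == "true":
        # Percent-encode values so CR/LF in profile data cannot split headers.
        headers[HDR_USER_ID] = quote(session_ctx["user_id"], safe="")
        headers[HDR_PROFILE] = urlencode(session_ctx["profile"])
    return resource_url, headers


if __name__ == "__main__":
    # Constructed sample data.
    ctx = {"user_id": "jdoe", "profile": {"email": "jdoe@example.org"}}
    proxy = "https://consumer.example/proxy"
    target = "https://producer.example/img/logo.png"
    print(url_model(proxy, target, ctx))
    safe_url = header_model_url(proxy, target, True)
    print(safe_url)
    print(consumer_proxy_request(safe_url, ctx))
```
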

