Subject: Re: [wsrp-wsia] [change request #138] Transferring information to proxied resources
I had already assumed that cookies had to be provided according to cookie domain rules -- but yes it's probably worth the clarification. Also just remembered that in addition to this information we probably need a way to transfer the rewrite templates to the resource as well so it can generate new links that are proxied. Can you just make a note to extend this item or should I open a new one?

-Mike-

Rich Thompson wrote:

>Document: Spec
>Section: 10.3.3
>Page/Line: New section
>Requested by: Mike Freedman
>Old text:
>New text: New section describing how userContext/Profile information is
>passed to resources.
>
>Reasoning: Specification doesn't define how a portlet can transfer
>userContext/Profile information to proxied resources. As I don't recall
>ever discussing it I want to find out if it should be left as is -- i.e.
>an exercise for the portlet developer or we should define special http
>headers to carry this information. The problem with the former [current
>model] is that this information will commonly be carried all the way back
>to the client and appear in plain text in the browser URL -- folks may
>freak seeing their UserId of personal profile information in a browser
>URL. If we define specific headers to carry this we not only make it easy
>for the portlet developer as they don't have to encode/decode URLs but
>also achieve more safety as this information is only represented between
>the consumer and the producer. Note: if we go this latter route we will
>probably want to add a boolean or two to the resourceURL consumer/producer
>mechanism so they can control whether this information needs to be passed or
>not [optimization].
>
>[RT] Good point on providing this type of guidance. There are significant
>security and privacy issues in having this information appear either in
>the URL or headers. Another alternative would be to suggest using an
>indirection in the URL which allows the resource to locate the information
>(likely an indication of the sessionID). This allows locating any
>information the Portlet is willing to make available. Should we also
>discuss whether cookies have to be connected back to the proxied resource
>the same as to the Portlet?
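An added illustration of the URL-indirection alternative raised in the thread, set beside the current model of encoding profile data into the resource URL; it is not code from the WSRP specification or from either author. The `ctx` parameter, the `HandleStore` class, the session ids and the URLs are hypothetical, and it assumes the proxied resource is given the same session identifier as the Portlet (the cookie question asked in the message).

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class HandleStore:
    """Producer-side map: opaque handle -> (session id, data the Portlet shares)."""
    def __init__(self):
        self._entries = {}

    def issue(self, session_id, shared):
        handle = secrets.token_urlsafe(16)  # random; encodes no user data
        self._entries[handle] = (session_id, dict(shared))
        return handle

    def resolve(self, handle, session_id):
        entry = self._entries.get(handle)
        # Unknown handle, or handle presented outside the session it was issued for.
        if entry is None or not secrets.compare_digest(entry[0], session_id):
            return None
        return entry[1]

    def revoke_session(self, session_id):
        self._entries = {h: e for h, e in self._entries.items() if e[0] != session_id}

def inline_url(base, profile):
    """Current model: the Portlet encodes the profile into the resource URL."""
    return base + "?" + urlencode(profile)

def handle_url(base, store, session_id, profile):
    """Indirection: the URL carries only a lookup key (parameter name is hypothetical)."""
    return base + "?" + urlencode({"ctx": store.issue(session_id, profile)})

def exposed_in_url(url, profile):
    """Profile fields whose values a browser address bar or access log would show."""
    seen = {v for vals in parse_qs(urlparse(url).query).values() for v in vals}
    return sorted(k for k, v in profile.items() if v in seen)

def resource_fetch_context(url, store, session_id):
    """Resource side: turn the handle back into the shared data, if allowed."""
    handles = parse_qs(urlparse(url).query).get("ctx", [])
    return store.resolve(handles[0], session_id) if handles else None

if __name__ == "__main__":
    profile = {"userId": "jdoe", "email": "jdoe@example.org"}  # constructed sample
    store = HandleStore()
    base = "https://producer.example/resource/report.pdf"      # constructed URL
    print(exposed_in_url(inline_url(base, profile), profile))
    u = handle_url(base, store, "sess-A", profile)
    print(exposed_in_url(u, profile), resource_fetch_context(u, store, "sess-A"))
```

The handle is only as private as the session it is bound to, so revoking it when the session ends keeps a URL saved from browser history from resolving later.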