OASIS Mailing List Archives

wsrp-wsia message



Subject: Re: [wsrp-wsia] [change request #138] Transferring information to proxied resources


I had already assumed that cookies had to be provided according to 
cookie domain rules -- but yes, it's probably worth the clarification. 
Also just remembered that in addition to this information we probably 
need a way to transfer the rewrite templates to the resource as well so 
it can generate new links that are proxied.  Can you just make a note to 
extend this item or should I open a new one?
     -Mike-

Rich Thompson wrote:

>Document: Spec
>Section:  10.3.3
>Page/Line: New section
>Requested by: Mike Freedman
>Old text:
>New text: New section describing how userContext/Profile information is 
>passed to resources.
>
>Reasoning:  Specification doesn't define how a portlet can transfer 
>userContext/Profile information to proxied resources.  As I don't recall 
>ever discussing it I want to find out if it should be left as is -- i.e. 
>an exercise for the portlet developer or we should define special http 
>headers to carry this information.  The problem with the former [current 
>model] is that this information will commonly be carried all the way back 
>to the client and appear in plain text in the browser URL -- folks may 
>freak seeing their UserId or personal profile information in a browser 
>URL.  If we define specific headers to carry this we not only make it easy 
>for the portlet developer as they don't have to encode/decode URLs but 
>also achieve more safety as this information is only represented between 
>the consumer and the producer.  Note: if we go this latter route we will 
>probably want to add a boolean or two to the resourceURL consumer/producer 
>mechanism so they can control whether this information needs to be passed or 
>not [optimization].
>
>[RT] Good point on providing this type of guidance. There are significant 
>security and privacy issues in having this information appear either in 
>the URL or headers. Another alternative would be to suggest using an 
>indirection in the URL which allows the resource to locate the information 
>(likely an indication of the sessionID). This allows locating any 
>information the Portlet is willing to make available. Should we also 
>discuss whether cookies have to be connected back to the proxied resource 
>the same as to the Portlet?
>



