Subject: Re: [wsrp-wsia] Minutes for 06 March 2003 Meeting
My comments inline.

Regards,
Subbu

Andre Kramer wrote:

> What if the user bookmarks the resource URL? Must the consumer do an
> initCookie() first and fake some call to store a UserContext in the (new)
> JSESSSION? And we did not yet say cookies have to be shared both ways (SOAP

Good point. This is getting further into the security domain. To solve this, the consumer will somehow have to identify that the resource requires some form of authorization. When the user bookmarks the resource URL and activates it again, and if the consumer determines that the resource does not require authorization, we're clear. If the consumer determines otherwise, the consumer will have to authenticate the user, and propagate the same to the producer before asking for the resource. This is purely a security issue.

> <--> http GET/POST). What if the consumer sends different UserContexts for
> two portlets sharing the http session? I think such interplay with our WSRP
> context does mean we need to (if we don't fix it now) re-visit this post
> 1.0.

If a producer implementation chooses to map user context to user identity, the producer will have to switch the identity the moment it sees a different user context. In fact, a web container may even terminate the current session, and setup a new session. But, I would argue that this is a security issue and implementation specific.

> For now, I would make resource URLs work the same way as URLs that come
> direct from the Web user agent (don't rely on cookies; encode the session id
> in URLs; and hope you can get at all the Web Application / J2EE / Portlet /
> WSRP data). Post 1.0 (taking Rich's advice on 1.0), I see a
> getPortletResource operation as a *contract* for this functionality.

I agree.