Subject: Re: [wsrp-wsia] Minutes for 06 March 2003 Meeting


My comments inline.

Regards,

Subbu

Andre Kramer wrote:
> What if the user bookmarks the resource URL? Must the consumer do an
> initCookie() first and fake some call to store a UserContext in the (new)
> JSESSION? And we did not yet say cookies have to be shared both ways (SOAP

Good point. This is getting further into the security domain.

To solve this, the consumer will somehow have to identify that the 
resource requires some form of authorization.

When the user bookmarks the resource URL and activates it again, and if 
the consumer determines that the resource does not require 
authorization, we're clear. If the consumer determines otherwise, the 
consumer will have to authenticate the user, and propagate the same to 
the producer before asking for the resource. This is purely a security 
issue.

> <--> http GET/POST). What if the consumer sends different UserContexts for
> two portlets sharing the http session? I think such interplay with our WSRP
> context does mean we need to (if we don't fix it now) re-visit this post
> 1.0.

If a producer implementation chooses to map user context to user 
identity, the producer will have to switch the identity the moment it 
sees a different user context. In fact, a web container may even 
terminate the current session, and set up a new session. But I would 
argue that this is a security issue and implementation specific.

> For now, I would make resource URLs work the same way as URLs that come
> direct from the Web user agent (don't rely on cookies; encode the session id
> in URLs; and hope you can get at all the Web Application / J2EE / Portlet /
> WSRP data). Post 1.0 (taking Rich's advice on 1.0), I see a
> getPortletResource operation as a *contract* for this functionality.

I agree.
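As an added illustration (not code from the thread or from any WSRP implementation), the following constructed model shows the two situations discussed above: a consumer deciding whether a bookmarked resource URL needs authorization before it asks the producer, and a producer that maps UserContext to identity and terminates a shared session the moment a different UserContext shows up on it. All class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Session:
    session_id: str
    user_context: Optional[str] = None       # the UserContext this HTTP session is bound to
    attributes: dict = field(default_factory=dict)

class Producer:
    """Hypothetical producer: one identity per HTTP session, derived from UserContext."""
    def __init__(self):
        self.sessions: Dict[str, Session] = {}

    def init_cookie(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid)
        return sid

    def handle(self, session_id, user_context):
        """Return (session_id, outcome); outcome is 'new', 'bound', 'ok' or 'switched'."""
        sess = self.sessions.get(session_id)
        if sess is None:                        # no or unknown session: start a fresh one
            sid = self.init_cookie()
            self.sessions[sid].user_context = user_context
            return sid, "new"
        if sess.user_context is None:           # session just created by initCookie()
            sess.user_context = user_context
            return session_id, "bound"
        if sess.user_context != user_context:   # different identity on a shared session
            del self.sessions[session_id]       # terminate it instead of carrying state across users
            sid = self.init_cookie()
            self.sessions[sid].user_context = user_context
            return sid, "switched"
        return session_id, "ok"

class Consumer:
    """Hypothetical consumer that checks whether a (bookmarked) resource URL needs authorization."""
    def __init__(self, producer, protected):
        self.producer, self.protected = producer, set(protected)
        self.producer_sid: Dict[Optional[str], str] = {}   # per-user producer session

    def fetch_resource(self, path, authenticated_user):
        if path in self.protected and authenticated_user is None:
            return "authenticate-first"        # bookmark hit a protected resource: log in, then retry
        sid, outcome = self.producer.handle(self.producer_sid.get(authenticated_user), authenticated_user)
        self.producer_sid[authenticated_user] = sid
        return outcome
```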
