

Subject: RE: [wsrp] Re: Q about resource usage with http post



Agreed. It's SOAP vs REST, and for REST it definitely makes sense to filter
on HTTP methods.
This, however, provides even more reason for the Consumer to not change the
method requested by the user-agent.

In the short term, if the consumer would carry forward the same HTTP
methods as requested by the user-agent, we can at least implement reliable
proxied behavior for our Selective Page Refresh (as a reminder, we use DHTML
to update the page based on commands returned by the server, without
refreshing the page).
The new getResource proposal may simplify this, although there may be issues
with requiring the user-agent to sign-up with a web-service; I have to
study this a little more.

In the long-term, however, using resources for this purpose is more a
kludge than a solution. I would hope for better integration with dynamic
clients (DHTML/Applets, etc). DHTML/Applets cannot - in general - be
rerendered by just caching and reapplying the markup, because of internal
state kept at the client.

Also, as long as we're talking about web-browsers, many of the consumer's
tasks could actually be carried out directly in the user-agent (such as
content aggregation, state-management, and portlet communication).
This could be integrated in a client side JavaScript API... I know some
will *shudder* at the mentioning of the J-Word now. I come from a Java/C++
server side school as well, but I have since learned to appreciate the value
of JavaScript and offloading selected logic into the user-agent.

-- Lars



"Conroy, Scott" <Scott.Conroy@constellation.com>
11/05/2004 09:04 AM

To:       lars_hofhansl@peoplesoft.com, andre.kramer@eu.citrix.com
cc:       "Rich Thompson" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org
Subject:  RE: [wsrp] Re: Q about resource usage with http post


I tend to disagree about blocking/allowing Gets/Posts.  Layer 4+ devices
and web servers are more frequently blocking specific HTTP verbs.
Designing apps in a way that all GETs are reads, all POSTS are updates,
PUTS are inserts, and DELETES are deletes is becoming an architectural
best practice (though it remains uncommon so far).  I have a few apps
that are designed in this way.

I do agree with your point about erroring out rather than converting the
verb.

~Scott

-----Original Message-----
From: lars_hofhansl@peoplesoft.com [mailto:lars_hofhansl@peoplesoft.com]

Sent: Friday, September 24, 2004 1:22 PM
To: andre.kramer@eu.citrix.com
Cc: 'Rich Thompson'; wsrp@lists.oasis-open.org
Subject: RE: [wsrp] Re: Q about resource usage with http post



Hi Andre,

I think if the user-agent requests a POST and the POST for some reason
cannot be tunneled through a firewall, the operation should just fail
(same as it would without the presence of a consumer/portlet). I think
it is an error for the consumer to instead issue a GET request (which is
what we see when testing with WSRP4J). There're also security issues: A
user-agent's POST that is proxied as a GET by a consumer may expose
information that would have been visible otherwise, especially when
using SSL.

Also, personally, I would be surprised if there were potential firewall
issues specifically with POST requests for two reasons: 1. A POST is not
inherently different from a GET, both are basically a stream of bytes
sent via HTTP. POSTs are encoded differently, but that is it. 2. It
would not make sense, IMHO, for a firewall to filter POSTs but not GETs
(assuming you have a layer 4 firewall that does protocol introspection
to begin with). Both can be used to transmit information through a
firewall in just the same way. A firewall may choose to block port 80 to
all or some internal hosts, but that would involve both POSTs and
GETs.

Thanks.

-- Lars



"Andre Kramer" <andre.kramer@eu.citrix.com>
09/24/2004 12:50 AM

To:       "'Rich Thompson'" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org
cc:       (bcc: Lars Hofhansl/PeopleSoft)
Subject:  RE: [wsrp] Re: Q about resource usage with http post


One reason that consumer proxying using the same HTTP verb is not
mandated is that some firewall policies may not allow egress of POSTs.
Resource URLs are just a best effort way to tunnel through (i.e.
subvert) firewalls and we are looking to add a "getResource" operation
for 2.0 so that all consumer / producer traffic can be over SOAP and I
had wondered about whether input data is required for this use case.

Regards,
Andre


From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: 23 September 2004 20:20
To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] Re: Q about resource usage with http post


As I read your first paragraph, I also went to using the concept of
resources as the right way to accomplish what you need (i.e. the updated
fragment is a resource from the Consumer's point of view). Is there a
particular reason the information you want to transfer has to be via
http post rather than get? This sounds a lot like some of the things I
did in a previous research project, but we used http get for all the
transfers.

Rich





lars_hofhansl@peoplesoft.com
09/23/2004 02:35 PM

To:       wsrp@lists.oasis-open.org
cc:
Subject:  [wsrp] Re: Q about resource usage with http post


In our case we are implementing a mechanism for "selective page refresh"
using DHTML. I.e. we have to completely bypass the Portlet Interaction
model. There seems to be no specific provision for this in the WSRP Spec
(V1). For example performBlockingAction() either has to return the
complete markup or it has to be followed by getMarkup(), we can't just
return some change information and partially update a portlet. (I
realize that when multiple portlets are displayed by a Consumer and one
of the portlets needs to be re-rendered that the Consumer may re-render
all portlets, which breaks our selective refresh paradigm for that case.)

For these reasons we're trying to POST to resourceURL in order to handle
our data exchange, then update the representation using DHTML based on
the exchanged information without triggering any (Consumer visible)
refreshes in the Consumer.

Now, the V1 WSRP spec in 10.2.1.1.3.1 says that the consumer is
"encouraged to use the same communication style (e.g. HTTP Get or POST)"
that was used by the user-agent. That does not seem to mandate that
behavior and thus we cannot assume that all Consumers will indeed behave
that way.

Thanks.

-- Lars




Rich Thompson wrote:

I don't know of cases where people have used http post in this manner,
but the spec anticipates that such cases may exist and allows the markup
to specify use of post with the requirement that the Consumer then also
use post when passing the request on to the resource url. This keeps the
Consumer truly acting as a proxy for these resources.

Rich


ricky_frost@peoplesoft.com
09/21/2004 05:36 PM

To:       wsrp@lists.oasis-open.org
cc:
Subject:  [wsrp] Q about resource usage with http post


Is HTTP post supported for resource operations according to the spec? My
reading of it points to an ambiguous statement to that effect on pg 62,
section 10.2.1.1.3.1

Thanks



To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php.
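
The point argued in the thread, that a Consumer should forward the user-agent's HTTP method or fail rather than re-issue a POST as a GET, sketched in Python as an added example. This is not code from WSRP4J, the WSRP specification or any participant; the function names, the URL and the form values are all constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed sample input (not from the thread).
SAMPLE_URL = "https://producer.example/resource"
SAMPLE_FORM = {"account": "12345", "note": "private text"}


class MethodNotForwardable(Exception):
    """The user-agent's HTTP method may not be sent upstream."""


def proxy_resource_request(method, resource_url, form, egress_methods):
    """Build the (method, url, body) a Consumer sends to a resource URL.

    The user-agent's method is preserved. If egress policy forbids it,
    the request fails instead of being re-issued with another verb.
    """
    method = method.upper()
    if method not in egress_methods:
        raise MethodNotForwardable(f"{method} not permitted for egress")
    encoded = urlencode(form)
    if method == "GET":
        sep = "&" if urlsplit(resource_url).query else "?"
        url = resource_url + (sep + encoded if encoded else "")
        return method, url, b""
    # POST: form data travels in the body, not in the request line.
    return method, resource_url, encoded.encode("ascii")


def downgraded_to_get(resource_url, form):
    """The behaviour objected to in the thread: a POST re-issued as GET."""
    return proxy_resource_request("GET", resource_url, form, {"GET"})


def fields_exposed_in_url(url, form):
    """Form fields that ended up in the URL, where access logs,
    intermediary logs and Referer headers can record them."""
    in_url = dict(parse_qsl(urlsplit(url).query))
    return sorted(k for k, v in form.items() if in_url.get(k) == v)


if __name__ == "__main__":
    _, url, _ = proxy_resource_request("POST", SAMPLE_URL, SAMPLE_FORM, {"GET", "POST"})
    print("preserved POST exposes:", fields_exposed_in_url(url, SAMPLE_FORM))
    _, url, _ = downgraded_to_get(SAMPLE_URL, SAMPLE_FORM)
    print("downgraded GET exposes:", fields_exposed_in_url(url, SAMPLE_FORM))
```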


















