wsrp-wsia message



Subject: Re: [wsrp-wsia] [change request #138] Transferring information to proxied resources


I think we can just extend this one, basically a new section between 10.3 
and 10.4 with forward references from sections 10.2.1.1.4 and 10.2.2.7. 
Something like "Using Resources".

Rich Thompson




Michael Freedman <Michael.Freedman@oracle.com>
02/12/2003 01:47 PM
 
        To:     wsrp-wsia@lists.oasis-open.org
        cc: 
        Subject:        Re: [wsrp-wsia] [change request #138] Transferring information to proxied resources


I had already assumed that cookies had to be provided according to 
cookie domain rules -- but yes, it's probably worth the clarification. 
Also just remembered that in addition to this information we probably 
need a way to transfer the rewrite templates to the resource as well so 
it can generate new links that are proxied.  Can you just make a note to 
extend this item or should I open a new one?
     -Mike-

Rich Thompson wrote:

>Document: Spec
>Section:  10.3.3
>Page/Line: New section
>Requested by: Mike Freedman
>Old text:
>New text: New section describing how userContext/Profile information is 
>passed to resources.
>
>Reasoning:  Specification doesn't define how a portlet can transfer 
>userContext/Profile information to proxied resources.  As I don't recall 
>ever discussing it I want to find out if it should be left as is -- i.e. 
>an exercise for the portlet developer or we should define special http 
>headers to carry this information.  The problem with the former [current 
>model] is that this information will commonly be carried all the way back 
>to the client and appear in plain text in the browser URL -- folks may 
>freak seeing their UserId or personal profile information in a browser 
>URL.  If we define specific headers to carry this we not only make it easy 
>for the portlet developer as they don't have to encode/decode URLs but 
>also achieve more safety as this information is only represented between 
>the consumer and the producer.  Note: if we go this latter route we will 
>probably want to add a boolean or two to the resourceURL consumer/producer 
>mechanism so they can control whether this information needs to be passed or 
>not [optimization].
>
>[RT] Good point on providing this type of guidance. There are significant 
>security and privacy issues in having this information appear either in 
>the URL or headers. Another alternative would be to suggest using an 
>indirection in the URL which allows the resource to locate the information 
>(likely an indication of the sessionID). This allows locating any 
>information the Portlet is willing to make available. Should we also 
>discuss whether cookies have to be connected back to the proxied resource 
>the same as to the Portlet?
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>
> 
>


