OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [wsrp] Re: Q about resource usage with http post



Hi Andre,

I think if the user-agent requests a POST and the POST for some reason
cannot be tunneled through a firewall, the operation should just fail (same
as it would without the presence of a consumer/portlet). I think it is an
error for the consumer to instead issue a GET request (which is what we see
when testing with WSRP4J).
There're also security issues: A user-agent's POST that is proxied as a GET
by a consumer may expose information that would have been visible
otherwise, especially when using SSL.

Also, personally, I would be surprised if there were potential firewall
issues specifically with POST requests for two reasons:
1. A POST is not inheritly different from a GET, both are a basically a
stream of bytes sent via HTTP. POSTs are encoded differently, but that is
it.
2. It would not make sense, IMHO, for a firewall to filter POSTs but not
GETs (assuming you have a layer 4 firewall that does protocol introspection
to begin with). Both can be used to transmit information through a firewall
in just the same way. A firewall may choose to block port 80 to all or some
some internal hosts, but that would involve both POSTs and GETs.

Thanks.

-- Lars



                                                                                                                                 
                      "Andre Kramer"                                                                                             
                      <andre.kramer@eu.        To:       "'Rich Thompson'" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org        
                      citrix.com>              cc:       (bcc: Lars Hofhansl/PeopleSoft)                                         
                                               Subject:  RE: [wsrp] Re: Q about resource usage with http post                    
                      09/24/2004 12:50                                                                                           
                      AM                                                                                                         
                                                                                                                                 
                                                                                                                                 





One reason that consumer proxying using the same HTTP verb is not mandated
is that some firewall policies may not allow egress of POSTs. Resource URLs
are just a best effort way to tunnel through (i.e. subvert)  firewalls and
we are looking to add a "getResource" operation for 2.0 so that all
consumer / producer traffic can be over SOAP and I had wondered about
whether input data is required for this use case.

Regards,
Andre


From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: 23 September 2004 20:20
To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] Re: Q about resource usage with http post


As I read your first paragraph, I also went to using the concept of
resources as the right way to accomplish what you need (i.e. the updated
fragment is a resource from the Consumer's point of view). Is there a
particular reason the information you want to transfer has to be via http
post rather than get? This sounds a lot like some of the things I did in a
previous research project, but we used http get for all the transfers.

Rich



                                                                          
 lars_hofhansl@peoplesoft.com                                             
                                                                          
                                                                          
 09/23/2004 02:35 PM                                                   To 
                                       wsrp@lists.oasis-open.org          
                                                                       cc 
                                                                          
                                                                  Subject 
                                       [wsrp] Re: Q about resource usage  
                                       with http post                     
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          
                                                                          





In our case we are implementing a mechanims for "selective page refresh"
using DHTML. I.e. we have to completely bypass the Portlet Interaction
model. There seems to be no specific provision for this in the WSRP Spec
(V1). For example performBlockingAction() either has to return the complete
markup or it has to be followed by getMarkup(), we can't just return some
change information and partially update a portlet. (I realize that when
multiple portlets are displayed by a Consumer and one of the portlets needs
to be re-rendered that the Consumer may re-render all portlet, which breaks
our selective refresh paradigm for that case.)

For these reasons we're trying to POST to resourceURL in order to handle
our data exchange, then update the representation using DHTML based on the
exchanged information without triggering any (Consumer visible) refreshes
in the Consumer.

Now, the V1 WSRP spec in 10.2.1.1.3.1 says that the cosumer is "encouraged
to use the same communication style (e.g. HTTP Get or POST)" that was used
by the user-agent. That does not seem to mandate that behavior and thus we
cannot assume that all Consumers will indeed behave that way.

Thanks.

-- Lars




Rich Thompson wrote:

I don't know of cases where people have used http post in this manner, but
the spec anticipates that such cases may exist and allows the markup to
specify use of post with the requirement that the Consumer then also use
post when passing the request on to the resource url. This keeps the
Consumer truly acting as a proxy for these resources.

Rich


ricky_frost@peoplesoft.com


09/21/2004 05:36 PM                                                    To
                                        wsrp@lists.oasis-open.org
                                                                       cc

                                                                  Subject
                                        [wsrp] Q about resource usage
                                        with http post
















Is HTTP post supported for resource operations according to the spec? My
reading of it points to an ambiguous statement to that effect on pg 62,
section 10.2.1.1.3.1

Thanks



To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php

.











To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php
.






[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]