Subject: RE: [wsrp] Re: Q about resource usage with http post
Hi Andre, I think if the user-agent requests a POST and the POST for some reason cannot be tunneled through a firewall, the operation should just fail (same as it would without the presence of a consumer/portlet). I think it is an error for the consumer to instead issue a GET request (which is what we see when testing with WSRP4J). There're also security issues: A user-agent's POST that is proxied as a GET by a consumer may expose information that would have been visible otherwise, especially when using SSL. Also, personally, I would be surprised if there were potential firewall issues specifically with POST requests for two reasons: 1. A POST is not inheritly different from a GET, both are a basically a stream of bytes sent via HTTP. POSTs are encoded differently, but that is it. 2. It would not make sense, IMHO, for a firewall to filter POSTs but not GETs (assuming you have a layer 4 firewall that does protocol introspection to begin with). Both can be used to transmit information through a firewall in just the same way. A firewall may choose to block port 80 to all or some some internal hosts, but that would involve both POSTs and GETs. Thanks. -- Lars "Andre Kramer" <andre.kramer@eu. To: "'Rich Thompson'" <email@example.com>, firstname.lastname@example.org citrix.com> cc: (bcc: Lars Hofhansl/PeopleSoft) Subject: RE: [wsrp] Re: Q about resource usage with http post 09/24/2004 12:50 AM One reason that consumer proxying using the same HTTP verb is not mandated is that some firewall policies may not allow egress of POSTs. Resource URLs are just a best effort way to tunnel through (i.e. subvert) firewalls and we are looking to add a "getResource" operation for 2.0 so that all consumer / producer traffic can be over SOAP and I had wondered about whether input data is required for this use case. Regards, Andre From: Rich Thompson [mailto:email@example.com] Sent: 23 September 2004 20:20 To: firstname.lastname@example.org Subject: Re: [wsrp] Re: Q about resource usage with http post As I read your first paragraph, I also went to using the concept of resources as the right way to accomplish what you need (i.e. the updated fragment is a resource from the Consumer's point of view). Is there a particular reason the information you want to transfer has to be via http post rather than get? This sounds a lot like some of the things I did in a previous research project, but we used http get for all the transfers. Rich email@example.com 09/23/2004 02:35 PM To firstname.lastname@example.org cc Subject [wsrp] Re: Q about resource usage with http post In our case we are implementing a mechanims for "selective page refresh" using DHTML. I.e. we have to completely bypass the Portlet Interaction model. There seems to be no specific provision for this in the WSRP Spec (V1). For example performBlockingAction() either has to return the complete markup or it has to be followed by getMarkup(), we can't just return some change information and partially update a portlet. (I realize that when multiple portlets are displayed by a Consumer and one of the portlets needs to be re-rendered that the Consumer may re-render all portlet, which breaks our selective refresh paradigm for that case.) For these reasons we're trying to POST to resourceURL in order to handle our data exchange, then update the representation using DHTML based on the exchanged information without triggering any (Consumer visible) refreshes in the Consumer. Now, the V1 WSRP spec in 10.2.1.1.3.1 says that the cosumer is "encouraged to use the same communication style (e.g. HTTP Get or POST)" that was used by the user-agent. That does not seem to mandate that behavior and thus we cannot assume that all Consumers will indeed behave that way. Thanks. -- Lars Rich Thompson wrote: I don't know of cases where people have used http post in this manner, but the spec anticipates that such cases may exist and allows the markup to specify use of post with the requirement that the Consumer then also use post when passing the request on to the resource url. This keeps the Consumer truly acting as a proxy for these resources. Rich email@example.com 09/21/2004 05:36 PM To firstname.lastname@example.org cc Subject [wsrp] Q about resource usage with http post Is HTTP post supported for resource operations according to the spec? My reading of it points to an ambiguous statement to that effect on pg 62, section 10.2.1.1.3.1 Thanks To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php .