OASIS Mailing List Archives

wsrp message

Subject: RE: [wsrp] Re: Q about resource usage with http post

Well, if it's a question of what we view as normal in firewall deployments (and my experience does not concur with your 2 below) then direct communication (or via http proxies) between the browser and the "producer" should be possible in most cases (and not require any http proxying by WSRP consumers). [Also, using URL re-writing or templates, it should be possible for a wsrp consumer to direct resource requests via another off-the-shelf http proxy.]

I would be interested in understanding why the performBlockingInteraction operation can not be used to "POST" data. We previously considered a form that explicitly relaxed the strict blocking semantics (called performInteraction) and, as I previously mentioned, are considering a "getPortletResource" operation to allow MIME content to be retrieved over SOAP.

These would allow all consumer to producer "gets" and "posts" interactions to be mediated by WSRP / SOAP but can they address your user agent requirements?


-----Original Message-----
From: lars_hofhansl@peoplesoft.com [mailto:lars_hofhansl@peoplesoft.com]
Sent: 24 September 2004 18:22
To: andre.kramer@eu.citrix.com
Cc: 'Rich Thompson'; wsrp@lists.oasis-open.org
Subject: RE: [wsrp] Re: Q about resource usage with http post

Hi Andre,

I think if the user-agent requests a POST and the POST for some reason
cannot be tunneled through a firewall, the operation should just fail (same
as it would without the presence of a consumer/portlet). I think it is an
error for the consumer to instead issue a GET request (which is what we see
when testing with WSRP4J).
There're also security issues: A user-agent's POST that is proxied as a GET
by a consumer may expose information that would have been visible
otherwise, especially when using SSL.

Also, personally, I would be surprised if there were potential firewall
issues specifically with POST requests for two reasons:
1. A POST is not inherently different from a GET, both are basically a
stream of bytes sent via HTTP. POSTs are encoded differently, but that is
2. It would not make sense, IMHO, for a firewall to filter POSTs but not
GETs (assuming you have a layer 4 firewall that does protocol introspection
to begin with). Both can be used to transmit information through a firewall
in just the same way. A firewall may choose to block port 80 to all or
some internal hosts, but that would involve both POSTs and GETs.


-- Lars


"Andre Kramer" <andre.kramer@eu.citrix.com>
09/24/2004 12:50
To: "'Rich Thompson'" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org
cc: (bcc: Lars Hofhansl/PeopleSoft)
Subject: RE: [wsrp] Re: Q about resource usage with http post

One reason that consumer proxying using the same HTTP verb is not mandated
is that some firewall policies may not allow egress of POSTs. Resource URLs
are just a best effort way to tunnel through (i.e. subvert) firewalls and
we are looking to add a "getResource" operation for 2.0 so that all
consumer / producer traffic can be over SOAP and I had wondered about
whether input data is required for this use case.


From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: 23 September 2004 20:20
To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] Re: Q about resource usage with http post

As I read your first paragraph, I also went to using the concept of
resources as the right way to accomplish what you need (i.e. the updated
fragment is a resource from the Consumer's point of view). Is there a
particular reason the information you want to transfer has to be via http
post rather than get? This sounds a lot like some of the things I did in a
previous research project, but we used http get for all the transfers.


09/23/2004 02:35 PM
Subject: [wsrp] Re: Q about resource usage with http post

In our case we are implementing a mechanism for "selective page refresh"
using DHTML. I.e. we have to completely bypass the Portlet Interaction
model. There seems to be no specific provision for this in the WSRP Spec
(V1). For example performBlockingAction() either has to return the complete
markup or it has to be followed by getMarkup(), we can't just return some
change information and partially update a portlet. (I realize that when
multiple portlets are displayed by a Consumer and one of the portlets needs
to be re-rendered that the Consumer may re-render all portlets, which breaks
our selective refresh paradigm for that case.)

For these reasons we're trying to POST to resourceURL in order to handle
our data exchange, then update the representation using DHTML based on the
exchanged information without triggering any (Consumer visible) refreshes
in the Consumer.

Now, the V1 WSRP spec in says that the consumer is "encouraged
to use the same communication style (e.g. HTTP Get or POST)" that was used
by the user-agent. That does not seem to mandate that behavior and thus we
cannot assume that all Consumers will indeed behave that way.


-- Lars

Rich Thompson wrote:

I don't know of cases where people have used http post in this manner, but
the spec anticipates that such cases may exist and allows the markup to
specify use of post with the requirement that the Consumer then also use
post when passing the request on to the resource url. This keeps the
Consumer truly acting as a proxy for these resources.



09/21/2004 05:36 PM
Subject: [wsrp] Q about resource usage with http post

Is HTTP post supported for resource operations according to the spec? My
reading of it points to an ambiguous statement to that effect on pg 62,
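
The concern raised in this thread about a consumer relaying a user-agent's POST as a GET, sketched as an added example (not part of the original messages, and not WSRP4J or spec code). The function names, the producer URL and the form fields are constructed for illustration; the code compares what reaches an access log's request line under each relay behaviour.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Hypothetical model of a consumer relaying a user-agent request to a
# producer's resource URL. All names and values below are constructed.

def relay_as_get(resource_url, form_fields):
    """Downgrading relay: the POST body is re-encoded into the query string."""
    parts = urlsplit(resource_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(form_fields.items())
    return {"method": "GET",
            "url": urlunsplit(parts._replace(query=urlencode(query))),
            "body": b""}

def relay_same_verb(method, resource_url, form_fields):
    """Verb-preserving relay: a POST stays a POST, otherwise the relay fails."""
    method = method.upper()
    if method not in ("GET", "POST"):
        raise ValueError("unsupported method: " + method)
    if method == "GET":
        if form_fields:
            raise ValueError("GET relay must not carry form data")
        return {"method": "GET", "url": resource_url, "body": b""}
    return {"method": "POST", "url": resource_url,
            "body": urlencode(form_fields).encode("ascii")}

def access_log_line(request):
    """Request line as an access log records it: method and target, no body."""
    target = urlsplit(request["url"])
    path = target.path + ("?" + target.query if target.query else "")
    return "%s %s HTTP/1.1" % (request["method"], path)

def leaked_fields(request, form_fields):
    """Names of submitted fields whose values appear in the logged request line."""
    logged = dict(parse_qsl(urlsplit(request["url"]).query))
    return sorted(k for k, v in form_fields.items() if logged.get(k) == v)

# Constructed sample input: a form posted to a producer resource URL.
RESOURCE_URL = "https://producer.example/portlet/refresh?fragment=orders"
FORM = {"account": "4471", "note": "refund pending"}

if __name__ == "__main__":
    for req in (relay_as_get(RESOURCE_URL, FORM),
                relay_same_verb("POST", RESOURCE_URL, FORM)):
        print(access_log_line(req), "| leaked:", leaked_fields(req, FORM))
```

With TLS the body and the URL are both encrypted on the wire, so the difference shows up at the endpoints: the request line is what access logs and intermediaries that terminate the connection record.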

