Re: [wsrp-comment] Security question/concern on resource URLs

[Rich Thompson <richt2@us.ibm.com>]

I don't think there is an issue with
resource URIs being REST based. There is an issue with the concepts of
a REST API to the resource as the Consumer is allowed to make choices regarding
how the URI is both rewritten (i.e. parameterization might not be available
in the browser) and even whether or not it is modifiable (e.g. a private
CRC scheme might be used to validate no one has 'tampered' with the URI).
We have begun discussions about a client-side library, but those were tabled
pending a larger community approach (announcement to be made separately).
This is a related issue we thought the TC should handle even if some other
group does the client-side library. Namely; how does the portlet indicate
this URI represents a REST API and therefore will be modified by client-side
code? 

Rich

From:	Nathan E Lipke <nlipke@bea.com>
To:	wsrp-comment@lists.oasis-open.org
Date:	10/22/2007 11:53 AM
Subject:	[wsrp-comment] Security question/concern on resource URLs

---

When using producer url rewriting (templates) and
using 1.0 style 
resource proxying, the producer fills in the resource template and 
replaces the {wsrp-url} with the absolute URL to the resource. This is
rendered and sent to the browser, creating a URL like 
http://consumer/resourceServlet?wsrp-url=http%3A%2F%2FresourceHost%2fresourcePath&wsrp-rewrite=true.

The problem is on the browser client-side scripting (or manual editing)
may be used to rewrite this URL to point to a different resource. Is 
there anyway to prevent this?

Presumably when using consumer rewriting the consumer MAY use an 
entirely different URL scheme which replaces the resource URL with an 
id. Also, the 2.0 resource operation may be used similarly, but managed
by the producer.

Any thoughts on this?

On the other hand, URL rewriting is commonly used for RIA application 
(e.g. REST urls). Is there anyway to support both?

Nate

Notice:  This email message, together with any attachments, may contain
information  of  BEA Systems,  Inc.,  its subsidiaries
 and  affiliated entities,  that may be confidential,  proprietary,
 copyrighted  and/or legally privileged, and is intended solely
for the use of the individual or entity named in this message. If you are
not the intended recipient, and have received this message in error, please
immediately return this by email and then delete it.

This publicly archived list offers a means to provide input to the
OASIS Web Services for Remote Portlets (WSRP) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: wsrp-comment-subscribe@lists.oasis-open.org
Unsubscribe: wsrp-comment-unsubscribe@lists.oasis-open.org
List help: wsrp-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/wsrp-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrp