OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wsrp-comment] Security question/concern on resource URLs

I don't think there is an issue with resource URIs being REST based. There is an issue with the concepts of a REST API to the resource as the Consumer is allowed to make choices regarding how the URI is both rewritten (i.e. parameterization might not be available in the browser) and even whether or not it is modifiable (e.g. a private CRC scheme might be used to validate no one has 'tampered' with the URI). We have begun discussions about a client-side library, but those were tabled pending a larger community approach (announcement to be made separately). This is a related issue we thought the TC should handle even if some other group does the client-side library. Namely; how does the portlet indicate this URI represents a REST API and therefore will be modified by client-side code?


From: Nathan E Lipke <nlipke@bea.com>
To: wsrp-comment@lists.oasis-open.org
Date: 10/22/2007 11:53 AM
Subject: [wsrp-comment] Security question/concern on resource URLs

When using producer url rewriting (templates) and using 1.0 style
resource proxying, the producer fills in the resource template and
replaces the {wsrp-url} with the absolute URL to the resource. This is
rendered and sent to the browser, creating a URL like

The problem is on the browser client-side scripting (or manual editing)
may be used to rewrite this URL to point to a different resource. Is
there anyway to prevent this?

Presumably when using consumer rewriting the consumer MAY use an
entirely different URL scheme which replaces the resource URL with an
id. Also, the 2.0 resource operation may be used similarly, but managed
by the producer.

Any thoughts on this?

On the other hand, URL rewriting is commonly used for RIA application
(e.g. REST urls). Is there anyway to support both?


Notice:  This email message, together with any attachments, may contain information  of  BEA Systems,  Inc.,  its subsidiaries  and  affiliated entities,  that may be confidential,  proprietary,  copyrighted  and/or legally privileged, and is intended solely for the use of the individual or entity named in this message. If you are not the intended recipient, and have received this message in error, please immediately return this by email and then delete it.

This publicly archived list offers a means to provide input to the
OASIS Web Services for Remote Portlets (WSRP) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: wsrp-comment-subscribe@lists.oasis-open.org
Unsubscribe: wsrp-comment-unsubscribe@lists.oasis-open.org
List help: wsrp-comment-help@lists.oasis-open.org
List archive:
Feedback License:
List Guidelines:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]