|They are vague on what the security reason is, colon : and asterisk * are both prohibited.|
I am going to gig into it more today as we need a fix for Kintera's community authority server.
The following is a description of the problem.
I normally wouldn't recommend accommodating Microsoft's broken code.
However I don't see a downside in relaxing the rule on URI construction and make it more in line with the normal append behavior.
There may be other platforms that would prefer the root and next element as parameters rather than the path for other reasons as well.
From an authority server point of view it needs to turn them into variables anyway unless its doing something very simplistic and handing back XRDs from static files.
Lacking any reason for the rule I don't see any reason not to relax it now, so that its the authority servers option on how it wants its URI constructed.
This post describes the IIS issue:
It is possible it is an asp.net issue rather than an IIS one. Not being a windows person at all I am starting from scratch sorting this out.
On 25-Feb-08, at 7:58 AM, Chasen, Les wrote:
Out of curiosity, does IIS specify the security reasons? If so what say thee. From: John Bradley [mailto:firstname.lastname@example.org]
Sent: Monday, February 25, 2008 10:33 AM
To: Markus Sabadello
Cc: XRI TC
Subject: Re: [xri] 9.1.10 Construction of the Next Authority URI
Yes you could make the change to accept the query as parameters rather than in the path, if you want. The purpose however is to allow authority servers on platforms that have a restriction on * in the path. The only required change to openXRI would be in the next authority URI construction. OpenXRI would append to the end of the URI rather than the end of the path. On 25-Feb-08, at 5:09 AM, Markus Sabadello wrote: No problem from an OpenXRI Server point of view.
The OpenXRI Server uses a thing called "URIMapper" to extract a request (a "root namespace" and a "query") from a URI.
Right now there's a "FolderURIMapper" which expects requests like this:
In this case the "root namespace" is @mycompany, and the query is *myname.
Then there's a "SingleNamespaceURIMapper" which expects requests like this:
In this case the "root namespace" is hard-coded in the configuration file (e.g. @mycompany), and the query is *myname.
So with the change there could also be a "QueryURIMapper" for requests like this:
Again, the "root namespace" would be @mycompany, and the query would be *myname.
I spent some time today looking at this issue. My recollection was that appending directly to the path was originally specified (in XRI resolution 1.0) because the XRI Resolution 1.0 editors conceptualized XRI resolution as a series of HTTP(S) URI substitutions – which it still is.
However I can't see any reason why the Next Authority String (section 9.1.10) can't just be appended to the fully constructed Next Authority Resolution Service Endpoint URI. That would increase the flexibility of XRI authorities to control their incoming resolution requests, and to use a query parameter if that makes life easier (as it sounds like it will with this IIS bug).
Gabe, can you see any reason not to do this? Les, Wil, Steve? Or anyone else?
We need to resolve this quickly as we need to put CD03 to a vote this week in order to make our planned May vote.
From: John Bradley [mailto:email@example.com]
Sent: Sunday, February 24, 2008 1:04 PM
To: XRI TC
Cc: Gabe Wachob; Drummond Reed
Subject: [xri] 9.1.10 Construction of the Next Authority URI
Steve and I have discovered an issue with using IIS as an XRI authority server.
It turns out that Microsoft will not let you have a * in the path for "security reasons".
There is a hotfix that disables URL validation, but is not recommended.
In our wisdom we thought that we could construct URI like:
to get around the problem.
This did not work because we are not following the normal append rules for URI construction.
The problem is of corse that in 9.1.10 we are specific about only appending to the path, so we get.
Drummond and I discussed this and decided that a change to line 1460 may be appropriate.
The final step is to append the Next Authority String to the path component of the Next Authority
The final step is to append the Next Authority String to the end of the Next Authority
This would allow authority servers to accept the next subsegment as a path or parameter as they like.
We believe that this is fully backwards compatible with the current authority servers.
I understand that the time to consider this is limited, and apologize for discovering this at the last minute.
I don't see a good reason for the spec to restrict people to only use the path.