[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wsrp] Re: Q about resource usage with http post
Agreed. It's SOAP vs REST, and for REST it definitely makes sense to filter on HTTP methods. This, however, provides even more reason for the Consumer to not change the method requested by the user-agent. In the short term, if the consumer would carry forward the same HTTP methods as requested by the user-agent, we can at least implement reliable proxied behavior for our Selective Page Refresh (as reminder, we use DHTML to update the page based on commands returned by the server, without refreshing the page). The new getResource proposal may simplify this, although there may be issue with requiring the user-agent to sign-up with a web-service; I have to study this a little more. In the long-term, however, using resources for this purpose is more a cludge than a solution. I would hope for better integration with dynamic clients (DTHML/Applets, etc). DHTML/Applets can not - in general - be rerendered by just caching and reapplying the markup, because of internal state kept at the client. Also, as long as we're talking about web-browsers, many of the consumers tasks could actually be carried out directly in the user-agent (such as content aggregation, state-management, and portlet communication). This could be integrated in a client side JavaScript API... I know some will *shudder* at the mentioning of the J-Word now. I come from a Java/C++ server side school aswell, but I have since learned to appreciate the value of JavaScript and offloading selected logic into the user-agent. -- Lars "Conroy, Scott" <Scott.Conroy@constel To: lars_hofhansl@peoplesoft.com, andre.kramer@eu.citrix.com lation.com> cc: "Rich Thompson" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org Subject: RE: [wsrp] Re: Q about resource usage with http post 11/05/2004 09:04 AM I tend to disagree about blocking/allowing Gets/Posts. Layer 4+ devices and web servers are more frequently blocking specific HTTP verbs. Designing apps in a way that all GETs are reads, all POSTS are updates, PUTS are inserts, and DELETES are deletes is becoming an architectural best practice (though it remains uncommon so far). I have a few apps that are designed in this way. I do agree with your point about erroring out rather than converting the verb. ~Scott -----Original Message----- From: lars_hofhansl@peoplesoft.com [mailto:lars_hofhansl@peoplesoft.com] Sent: Friday, September 24, 2004 1:22 PM To: andre.kramer@eu.citrix.com Cc: 'Rich Thompson'; wsrp@lists.oasis-open.org Subject: RE: [wsrp] Re: Q about resource usage with http post Hi Andre, I think if the user-agent requests a POST and the POST for some reason cannot be tunneled through a firewall, the operation should just fail (same as it would without the presence of a consumer/portlet). I think it is an error for the consumer to instead issue a GET request (which is what we see when testing with WSRP4J). There're also security issues: A user-agent's POST that is proxied as a GET by a consumer may expose information that would have been visible otherwise, especially when using SSL. Also, personally, I would be surprised if there were potential firewall issues specifically with POST requests for two reasons: 1. A POST is not inheritly different from a GET, both are a basically a stream of bytes sent via HTTP. POSTs are encoded differently, but that is it. 2. It would not make sense, IMHO, for a firewall to filter POSTs but not GETs (assuming you have a layer 4 firewall that does protocol introspection to begin with). Both can be used to transmit information through a firewall in just the same way. A firewall may choose to block port 80 to all or some some internal hosts, but that would involve both POSTs and GETs. Thanks. -- Lars "Andre Kramer" <andre.kramer@eu. To: "'Rich Thompson'" <richt2@us.ibm.com>, wsrp@lists.oasis-open.org citrix.com> cc: (bcc: Lars Hofhansl/PeopleSoft) Subject: RE: [wsrp] Re: Q about resource usage with http post 09/24/2004 12:50 AM One reason that consumer proxying using the same HTTP verb is not mandated is that some firewall policies may not allow egress of POSTs. Resource URLs are just a best effort way to tunnel through (i.e. subvert) firewalls and we are looking to add a "getResource" operation for 2.0 so that all consumer / producer traffic can be over SOAP and I had wondered about whether input data is required for this use case. Regards, Andre From: Rich Thompson [mailto:richt2@us.ibm.com] Sent: 23 September 2004 20:20 To: wsrp@lists.oasis-open.org Subject: Re: [wsrp] Re: Q about resource usage with http post As I read your first paragraph, I also went to using the concept of resources as the right way to accomplish what you need (i.e. the updated fragment is a resource from the Consumer's point of view). Is there a particular reason the information you want to transfer has to be via http post rather than get? This sounds a lot like some of the things I did in a previous research project, but we used http get for all the transfers. Rich lars_hofhansl@peoplesoft.com 09/23/2004 02:35 PM To wsrp@lists.oasis-open.org cc Subject [wsrp] Re: Q about resource usage with http post In our case we are implementing a mechanims for "selective page refresh" using DHTML. I.e. we have to completely bypass the Portlet Interaction model. There seems to be no specific provision for this in the WSRP Spec (V1). For example performBlockingAction() either has to return the complete markup or it has to be followed by getMarkup(), we can't just return some change information and partially update a portlet. (I realize that when multiple portlets are displayed by a Consumer and one of the portlets needs to be re-rendered that the Consumer may re-render all portlet, which breaks our selective refresh paradigm for that case.) For these reasons we're trying to POST to resourceURL in order to handle our data exchange, then update the representation using DHTML based on the exchanged information without triggering any (Consumer visible) refreshes in the Consumer. Now, the V1 WSRP spec in 10.2.1.1.3.1 says that the cosumer is "encouraged to use the same communication style (e.g. HTTP Get or POST)" that was used by the user-agent. That does not seem to mandate that behavior and thus we cannot assume that all Consumers will indeed behave that way. Thanks. -- Lars Rich Thompson wrote: I don't know of cases where people have used http post in this manner, but the spec anticipates that such cases may exist and allows the markup to specify use of post with the requirement that the Consumer then also use post when passing the request on to the resource url. This keeps the Consumer truly acting as a proxy for these resources. Rich ricky_frost@peoplesoft.com 09/21/2004 05:36 PM To wsrp@lists.oasis-open.org cc Subject [wsrp] Q about resource usage with http post Is HTTP post supported for resource operations according to the spec? My reading of it points to an ambiguous statement to that effect on pg 62, section 10.2.1.1.3.1 Thanks To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgrou p.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgrou p.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgrou p.php. >>> The information contained in this e-mail transmission is privileged and/or confidential intended solely for the exclusive use of the individual addressee. If you are not the intended addressee you are hereby notified that any retention, disclosure or other use is strictly prohibited. If you have received this notification in error, please immediately contact the sender and delete the material.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]