On Nov 10, 2008, at 11:07 PM, Robertson, Jeff wrote:
> It's occured to me that dealing with CSRF in JAX-RS (and elsewhere)
> would be simpler if we had a little bit more of that "hypermedia as
> the engine of application state".
>
> In HTML, some part of the framework or other infrastructure (such as
> a WAF) can insert a nonce into every form, transparently to the
> application code.
>
> <form action="foo" method="POST">
> <input type="text" name="bar">
> <input type="submit" >
> <!-- added by framework -->
> <input type="hidden" name="__nonce"
> value="jhgajhdgu2q324234ghjg22">
> </form>
>
> The developer of the "foo" resource doesn't have to think about it
> any more than he has to think about something like basic
> authentication.
>
> If our webservices used of form tags or the equivalent in order to
> give hints to the client about what actions are possible, then we
> can get this kind of protection for free.
>
> It's funny.. I've been a doubter about the idea that RESTful web
> services needed to be "constrained" to hypertext; obviously
> hypertext is good for the human web, but for the programmable web it
> seems kind of optional; something you'd use just to prevent Roy
> Fielding from scolding you on his blog. Now a concrete benefit has
> formed clearly in my mind. Wow.
>
:-)
I reckon that utilizing XHTML snippets for machine-based processing
(rather than browser-based processing) can make sense in conjunction
with micro-formats that sprinkle a bit of meta-data. XHTML already
contains a list-based structure which is IMHO a reasonable way to
represent a list of anything.
Now, if only HTML forms could support more than GET/POST and also
utilize URI templates so that the form can describe how to construct a
URI path in addition to query parameters. I am sure it would be easy
to hack together some ad-hoc support for this type of thing using a
Firefox extension.
Paul.
>
> From: Craig.McClanahan_at_Sun.COM [mailto:Craig.McClanahan_at_Sun.COM]
> Sent: Monday, November 10, 2008 4:48 PM
> To: users_at_jersey.dev.java.net
> Subject: Re: [Jersey] Web applications using XMLHttpRequest and JAX-
> RS REST/JSON Web Services
>
> Eduardo Pérez Ureta wrote:
>>
>> Like Josh:
>> http://joshdevins.blogspot.com/2008/10/jax-rs-woes-continue.html
>> I would like to send a text/plain response with a message when I
>> output a 401 Unauthorized response. Is there a way to do that with
>> JAX-RS ?
>>
> Set up your resource method to return Response, and then something
> like this should work:
>
> @GET
> @Path("{id}")
> public Response findCustomer(@PathParam("{id}") String id) {
> if (!userIsAuthorized(...)) {
> return Response.status(401).type("text/
> plain").entity("This is my error message").build();
> }
> Customer customer = ...
> return Response.ok(customer).build();
> }
>
>> Craig McClanahan wrote:
>>
>>> Are there particular aspects of CSRF that you are concerned about?
>>>
>> No, I just wanted to know if there is a defacto standard way to do
>> that using JAX-RS
>>
>>
> I don't know of anything that specifically relates to JAX-RS in this
> regard.
>
> Craig
>> Eduardo
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
>> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>>
>>
>