Posted to dev@sling.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2008/03/11 11:17:40 UTC

How about a Sling http proxy extension?

Hi,

I'm playing with some Ajax stuff using Sling, and hitting the
cross-domain limitations. Having an optional built-in HTTP proxy in
Sling would be useful.

I could create a servlet under extensions/http-proxy, that uses the
httpproxy selector, handling requests like:

  /foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42

by returning the content of
http://www.somewhere.com/somepath?someParam=42 as is.

WDYT?

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Mar 11, 2008 at 5:05 PM, Tobias Bocanegra
<to...@day.com> wrote:
> i have 2 questions/concerns:
>  1) why do you need cross domain scripting at all?

My use case is a simple one, getting a newsfeed to insert inside a
page served by Sling. An iframe doesn't work as I need to cleanly
handle the case where the feed is not available.

That could be solved in a different way (for example using a custom
servlet to retrieve that feed), but I thought an http proxy might be
of general use.

>  2) if you use the server as proxy you need to ensure that the server
>  'sees' the target. which might not be the case in most of the
>  companies.

Of course, but that depends on how you use Sling.

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Tobias Bocanegra <to...@day.com>.
i have 2 questions/concerns:
1) why do you need cross domain scripting at all?
2) if you use the server as proxy you need to ensure that the server
'sees' the target. which might not be the case in most of the
companies.

regards, toby

On 3/11/08, Bertrand Delacretaz <bd...@apache.org> wrote:
> On Tue, Mar 11, 2008 at 12:33 PM, Felix Meschberger <fm...@gmail.com> wrote:
>
> >  ...We will probably anyway have two classes of modules in Sling: Those with
> >  regular releases and those, which just sit here and may be used with
> >  occasional releases on demand....
>
>  Agreed, hence my intention to implement this under "extensions".
>
>  -Bertrand
>


-- 
-----------------------------------------< tobias.bocanegra@day.com >---
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
-----------------------------------------------< http://www.day.com >---

Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Mar 11, 2008 at 12:33 PM, Felix Meschberger <fm...@gmail.com> wrote:

>  ...We will probably anyway have two classes of modules in Sling: Those with
>  regular releases and those, which just sit here and may be used with
>  occasional releases on demand....

Agreed, hence my intention to implement this under "extensions".

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On Tuesday, 11.03.2008, 11:44 +0100, Bertrand Delacretaz wrote:
> On Tue, Mar 11, 2008 at 11:42 AM, Carsten Ziegeler <cz...@apache.org> wrote:
> 
> > ... I share the same concerns, in addition I think this is a more general
> >  feature which *might be* of interest for any web framework using ajax.
> >  Atm I think we should not deal with things like these unless we really
> >  need them :)...
> 
> I do need it, so I'll either do it outside of Sling, or contribute it
> here so that others can use it as well.

If it is done anyways, having it in Sling is ok.

We will probably anyway have two classes of modules in Sling: Those with
regular releases and those, which just sit here and may be used with
occasional releases on demand.

Regards
Felix


Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Mar 11, 2008 at 11:42 AM, Carsten Ziegeler <cz...@apache.org> wrote:

> ... I share the same concerns, in addition I think this is a more general
>  feature which *might be* of interest for any web framework using ajax.
>  Atm I think we should not deal with things like these unless we really
>  need them :)...

I do need it, so I'll either do it outside of Sling, or contribute it
here so that others can use it as well.

So you're right, let's see if others would like to have that in Sling.

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Carsten Ziegeler <cz...@apache.org>.
Felix Meschberger wrote:
> Hi,
> 
> On Tuesday, 11.03.2008, 11:17 +0100, Bertrand Delacretaz wrote:
>> Hi,
>>
>> I'm playing with some Ajax stuff using Sling, and hitting the
>> cross-domain limitations. Having an optional built-in HTTP proxy in
>> Sling would be useful.
>>
>> I could create a servlet under extensions/http-proxy, that uses the
>> httpproxy selector, handling requests like:
>>
>>   /foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42
>>
>> by returning the content of
>> http://www.somewhere.com/somepath?someParam=42 as is.
>>
>> WDYT?
> 
> While technically certainly interesting it poses a series of problems:
> 
>   * The request originates from the Sling server appearing as the client
>     to the server to which the request is proxied. Hence the client may
>     effectively hide behind Sling
> 
>   * Sling may therefore be used for attacks where the root of the attack
>     is hidden
> 
>   * We shift the cross-domain limitation from the client to the server
>     and burden the server with protection against dangers.
> 
> So I have some concerns about this feature.
> 
I share the same concerns, in addition I think this is a more general
feature which *might be* of interest for any web framework using ajax.
Atm I think we should not deal with things like these unless we really
need them :)

Carsten

-- 
Carsten Ziegeler
cziegeler@apache.org

Re: How about a Sling http proxy extension?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On Tuesday, 11.03.2008, 11:43 +0100, Bertrand Delacretaz wrote:
> On Tue, Mar 11, 2008 at 11:34 AM, Felix Meschberger <fm...@gmail.com> wrote:
> 
> >  ... * Sling may therefore be used for attacks where the root of the attack
> >     is hidden
> >
> >   * We shift the cross-domain limitation from the client to the server
> >     and burden the server with protection against dangers....
> 
> Agreed - we could use a configurable list of URL prefixes (like
> www.somewhere.com/somepath) to which proxy requests are allowed, and
> set a very restrictive default value that would only allow our tests
> and demos to run.

Hmm, such a configuration could be an option. Limiting the default is
certainly a very good thing. Though having default configuration for
tests and demos is problematic IMHO...


> 
> And maybe add a header to the proxied requests that shows that Sling
> was involved in it.

I would certainly opt for such a thing - Many proxies use the
X-Forwarded-For and Via headers for this information. I suggest that
besides of course forwarding all request headers, these two headers
should be added.

> 
> I think the problem is no different than people using mod_proxy to do
> that, our responsibility is IMHO limited to make people aware of the
> issues, which could be done in the description of the above "proxy
> requests patterns" configuration property.

Agreed - and we also have to describe this for administrators to limit
the functionality or to "switch it off" altogether.

Regards
Felix


Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Mar 11, 2008 at 11:34 AM, Felix Meschberger <fm...@gmail.com> wrote:

>  ... * Sling may therefore be used for attacks where the root of the attack
>     is hidden
>
>   * We shift the cross-domain limitation from the client to the server
>     and burden the server with protection against dangers....

Agreed - we could use a configurable list of URL prefixes (like
www.somewhere.com/somepath) to which proxy requests are allowed, and
set a very restrictive default value that would only allow our tests
and demos to run.

And maybe add a header to the proxied requests that shows that Sling
was involved in it.

I think the problem is no different than people using mod_proxy to do
that, our responsibility is IMHO limited to make people aware of the
issues, which could be done in the description of the above "proxy
requests patterns" configuration property.

-Bertrand
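Putting the thread's two mitigations together, as an added example that is not part of this thread or of Sling's code: the configurable allowlist of URL prefixes Bertrand proposes above, and the X-Forwarded-For and Via headers Felix suggests earlier in the thread, applied to the `/host/path?query` suffix format from the original proposal. It is written in Python rather than as a Sling servlet so the checks can be read and run on their own; the allowlist entries, the Via token `sling-httpproxy`, the client address and every function name are constructed for the example and not taken from Sling. It goes slightly beyond the thread by matching prefixes on path-segment boundaries and rejecting unnormalized paths, without which a prefix such as `www.somewhere.com/somepath` would also admit `somepathevil` or a `..` segment.

```python
"""Allowlist and tracing-header logic for a Sling-style HTTP proxy servlet.

Added example; the names and values below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed allowlist in the "host/pathprefix" form the thread proposes.
# A real configuration would default to an empty list: the proxy denies
# everything until an administrator adds entries.
ALLOWED_PREFIXES = (
    "www.somewhere.com/somepath",
    "feeds.example.org/rss",
)

# Headers not copied to the upstream request: hop-by-hop headers, plus
# credentials that belong to the Sling session rather than to the target.
DROP_HEADERS = frozenset({
    "host", "connection", "keep-alive", "proxy-authorization", "te",
    "trailer", "transfer-encoding", "upgrade", "cookie", "authorization",
})

# A plain DNS name: no userinfo, no port, no empty or dash-edged labels.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                     r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")


class ProxyRefused(Exception):
    """Raised when a proxy request is malformed or not in the allowlist."""


def parse_suffix(suffix):
    """Split a suffix like '/www.somewhere.com/somepath?someParam=42' into
    (host, path, query); refuse anything but a plain host and a normalized path."""
    if not suffix.startswith("/"):
        raise ProxyRefused("suffix must start with '/'")
    path_part, _, query = suffix[1:].partition("?")
    host, _, rest = path_part.partition("/")
    if not HOST_RE.fullmatch(host):
        raise ProxyRefused("target host is not a plain DNS name: %r" % host)
    path = "/" + rest
    # Dot segments (raw or percent-encoded) and empty inner segments would let
    # the upstream server's own path normalization escape the allowed prefix.
    decoded = [unquote(s) for s in path.split("/")[1:]]
    if any(s in (".", "..") for s in decoded) or "" in decoded[:-1]:
        raise ProxyRefused("path is not normalized: %r" % path)
    return host.lower(), path, query


def is_allowed(host, path, allowed):
    """True if host equals an entry's host and path is the entry's path or lies
    below it on a segment boundary ('/somepath' does not admit '/somepathevil')."""
    for entry in allowed:
        a_host, _, a_rest = entry.partition("/")
        a_path = "/" + a_rest
        if host != a_host.lower():
            continue
        if path == a_path or path.startswith(a_path.rstrip("/") + "/"):
            return True
    return False


def outgoing_headers(request_headers, client_ip, via_token="1.1 sling-httpproxy"):
    """Copy forwardable request headers, then append the client to X-Forwarded-For
    and this hop to Via, preserving any chain recorded by earlier proxies."""
    headers = {}
    for name, value in request_headers.items():
        if name.lower() in DROP_HEADERS:
            continue
        canonical = "-".join(p.capitalize() for p in name.split("-"))
        headers[canonical] = value
    xff = headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = "%s, %s" % (xff, client_ip) if xff else client_ip
    via = headers.get("Via")
    headers["Via"] = "%s, %s" % (via, via_token) if via else via_token
    return headers


def plan_proxy_request(suffix, request_headers, client_ip, allowed=()):
    """Return (target_url, headers) for the upstream request or raise ProxyRefused.
    With the default empty allowlist every request is refused: the proxy is
    effectively switched off until configured."""
    host, path, query = parse_suffix(suffix)
    if not is_allowed(host, path, allowed):
        raise ProxyRefused("target %s%s is not in the proxy allowlist" % (host, path))
    url = "http://%s%s" % (host, path) + ("?%s" % query if query else "")
    headers = outgoing_headers(request_headers, client_ip)
    headers["Host"] = host
    return url, headers


def would_proxy(suffix, allowed=ALLOWED_PREFIXES):
    """Convenience check used for testing: does the allowlist admit this suffix?"""
    try:
        plan_proxy_request(suffix, {}, "192.0.2.10", allowed)
        return True
    except ProxyRefused:
        return False


if __name__ == "__main__":
    # Constructed request: the example suffix from the original proposal.
    print(plan_proxy_request("/www.somewhere.com/somepath?someParam=42",
                             {"Accept": "application/rss+xml"},
                             "192.0.2.10", ALLOWED_PREFIXES))
    for s in ("/www.somewhere.com/somepathevil", "/www.somewhere.com/somepath/../admin"):
        print(s, "allowed" if would_proxy(s) else "refused")
```

One deliberate difference from the thread: the example does not forward every request header. `Host` must be rewritten to the target, and `Cookie` or `Authorization` values presented to Sling would otherwise be replayed to every allowlisted site, so they are dropped along with the hop-by-hop headers.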

Re: How about a Sling http proxy extension?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On Tuesday, 11.03.2008, 11:17 +0100, Bertrand Delacretaz wrote:
> Hi,
> 
> I'm playing with some Ajax stuff using Sling, and hitting the
> cross-domain limitations. Having an optional built-in HTTP proxy in
> Sling would be useful.
> 
> I could create a servlet under extensions/http-proxy, that uses the
> httpproxy selector, handling requests like:
> 
>   /foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42
> 
> by returning the content of
> http://www.somewhere.com/somepath?someParam=42 as is.
> 
> WDYT?

While technically certainly interesting it poses a series of problems:

  * The request originates from the Sling server appearing as the client
    to the server to which the request is proxied. Hence the client may
    effectively hide behind Sling

  * Sling may therefore be used for attacks where the root of the attack
    is hidden

  * We shift the cross-domain limitation from the client to the server
    and burden the server with protection against dangers.

So I have some concerns about this feature.

Just my €0.02

Regards
Felix


Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Mar 13, 2008 at 12:57 PM, Lars Trieloff <la...@trieloff.net> wrote:

> ... http://svn.apache.org/repos/asf/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java ....

Ok thanks, I'll have a look if we get to implement this.

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Lars Trieloff <la...@trieloff.net>.
Hi Bertrand,

http://svn.apache.org/repos/asf/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/ProxyServlet.java

should be the best starting point. Shindig provides a full
implementation of OpenSocial, so this servlet is embedded into the
rest of Shindig.

Lars

On 12.03.2008, at 14:28, Bertrand Delacretaz wrote:

> On Wed, Mar 12, 2008 at 2:14 PM, Lars Trieloff <la...@trieloff.net> wrote:
>
>> ... can't we just re-use the effort made by the Shindig project, which
>> implements such a proxy for OpenSocial support?...
>
> Maybe, do you have a link to that code?
>
> Note that a basic http proxy is simple to implement with HttpClient,
> but why not reuse external code if it's good.
>
> Also, my suggestion doesn't seem to be met with much enthusiasm, so I
> might not do it at this time ;-)
>
> -Bertrand

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: How about a Sling http proxy extension?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Mar 12, 2008 at 2:14 PM, Lars Trieloff <la...@trieloff.net> wrote:

> ... can't we just re-use the effort made by the Shindig project, which
>  implements such a proxy for OpenSocial support?...

Maybe, do you have a link to that code?

Note that a basic http proxy is simple to implement with HttpClient,
but why not reuse external code if it's good.

Also, my suggestion doesn't seem to be met with much enthusiasm, so I
might not do it at this time ;-)

-Bertrand

Re: How about a Sling http proxy extension?

Posted by Lars Trieloff <la...@trieloff.net>.
Hi Bertrand,

can't we just re-use the effort made by the Shindig project, which
implements such a proxy for OpenSocial support?

regards,

Lars

On 11.03.2008, at 11:17, Bertrand Delacretaz wrote:

> Hi,
>
> I'm playing with some Ajax stuff using Sling, and hitting the
> cross-domain limitations. Having an optional built-in HTTP proxy in
> Sling would be useful.
>
> I could create a servlet under extensions/http-proxy, that uses the
> httpproxy selector, handling requests like:
>
>  /foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42
>
> by returning the content of
> http://www.somewhere.com/somepath?someParam=42 as is.
>
> WDYT?
>
> -Bertrand

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars