You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@chemistry.apache.org by Florent Guillaume <fg...@nuxeo.com> on 2010/11/22 19:41:41 UTC
Re: AD2 and checkout
It wouldn't really work but it's not working today anyway, we return
an error when external content is passed in an entry. That would
change to silently ignoring it for a checkout.
In the case of AD2 it's the AD2 client that's lazy and just reuses the
full Atom entry it retrieved with a GET to then do the checkout.
Consider this a workaround for broken clients, that does not penalize
non-broken ones :)
Florent
On Mon, Nov 22, 2010 at 4:35 PM, Florian Müller
<fl...@alfresco.com> wrote:
> If we remove the exception, a document would be created without content.
> Wouldn't that be confusing? It wouldn't really "work".
>
> - Florian
>
> On 22/11/2010 15:32, Florent Guillaume wrote:
>>
>> I understand the security implications in implementing this and I
>> agree it shouldn't be done at least by default.
>> My question was more along the lines of: is it ok if I remove the
>> thrown exception so that OpenCMIS-based servers can work with AD2?
>>
>> Florent
>>
>>
>> On Mon, Nov 22, 2010 at 3:44 PM, Florian Müller
>> <fl...@alfresco.com> wrote:
>>>
>>> Hi Florent,
>>>
>>> I intentionally didn't implement that features because there are too many
>>> difficult questions.
>>> What basically happens here is that the CMIS repository connects to a
>>> HTTP server to get the content.
>>>
>>> - In many enterprise environments that's not possible because of
>>> firewalls. The server can't talk to an arbitrary host for security reasons.
>>>
>>> - If the content is hosted on a client machine, it is even more unlikely
>>> since desktop firewalls will prevent that.
>>>
>>> - Should the CMIS repository forward the given credentials to the HTTP
>>> server? Hell, no, that would be a security hole. But, yes, it has to
>>> authenticate in order to get access to the content...
>>>
>>> - If we forward the credentials, we really, really should use HTTPS. Do
>>> we accept self-signed certificates? Probably not. Does the HTTP server
>>> running on a users laptop has a real certificate installed? Probably not.
>>>
>>> - What if the credentials for the CMIS repository and the HTTP server are
>>> different? A very likely scenario...
>>>
>>> - What if the credentials are not user/password based and we can't
>>> forward them because we don't know them?
>>>
>>>
>>> I don't know how to provide a generic external content implementation,
>>> but I'm open for ideas...
>>>
>>>
>>> - Florian
>>>
>>>
>>> On 22/11/2010 10:44, Florent Guillaume wrote:
>>>>
>>>> Hi,
>>>>
>>>> Adobe Drive 2 does the following when you request a checkout:
>>>>
>>>> POST /.../repo/checkedout
>>>> Content-Type: application/atom+xml;type=entry
>>>>
>>>> <atom:entry xmlns:atom="http://www.w3.org/2005/Atom">
>>>> ...
>>>> <atom:content
>>>>
>>>> src="http://localhost.../.../repo/content?id=5f8a7a2e-6175-4111-84a3-f70e2d83702e"
>>>> type="image/jpeg" />
>>>> <cmisra:object
>>>> xmlns:cmisra="http://docs.oasis-open.org/ns/cmis/restatom/200908/">
>>>> ...
>>>> </cmisra:object>
>>>> ...
>>>> </atom:entry>
>>>>
>>>> In particular it provides a content src (the one from the entry
>>>> itself), which OpenCMIS doesn't like:
>>>> HTTP/1.1 405 Method Not Allowed
>>>>
>>>> This is due to code in AtomEntryParser.parseAtomContent:
>>>> } else if (ATTR_SRC.equals(attrName.getLocalPart())) {
>>>> throw new CmisNotSupportedException("External content
>>>> not supported!");
>>>> }
>>>>
>>>> I'm not sure this is the right thing to do here, can we just ignore
>>>> this external content?
>>>>
>>>> Florent
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
--
Florent Guillaume, Director of R&D, Nuxeo
Open Source, Java EE based, Enterprise Content Management (ECM)
http://www.nuxeo.com http://www.nuxeo.org +33 1 40 33 79 87