You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Srinath Perera (JIRA)" <ji...@apache.org> on 2010/12/21 17:07:02 UTC

[jira] Resolved: (AXIS2-1376) Use of ReplyTo in session mechanism considered harmful

     [ https://issues.apache.org/jira/browse/AXIS2-1376?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Srinath Perera resolved AXIS2-1376.
-----------------------------------

    Resolution: Won't Fix

I agree with David, "That said, I'm not sure that inventing something totally separate from WS-Addressing is necessary or particularly useful."

There has been no interest on this for a long time. If this is needed, please discuss this in axis-dev and bring it back. 

> Use of ReplyTo in session mechanism considered harmful
> ------------------------------------------------------
>
>                 Key: AXIS2-1376
>                 URL: https://issues.apache.org/jira/browse/AXIS2-1376
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.1
>            Reporter: Glen Daniels
>            Assignee: Glen Daniels
>            Priority: Critical
>
> The Axis2 session mechanism currently works by sending back a <wsa:ReplyTo> header on the RESPONSE of a request/response exchange.  The EPR inside contains a reference parameter which is the session ID (really the service group ID).  Two problems with this, both regarding interoperability and cleanliness:
> 1) We're sending the anonymous URI as the address in the EPR - this could be very confusing to others, since it usually means the backchannel (i.e. the HTTP response for req/resp) and in this case we intend it to mean "the same address you used to get to me last time".
> 2) We shouldn't be using <ReplyTo> for this purpose.  In order for this to work, the client receiving the EPR in the response needs to understand what it means and what to do with it (store the RefP "cookie" and send it back next time).  ReplyTo has a clear semantic in getting responses to work in the context of req/resp, but it's meaning when received ON a response is not specified anywhere.  As such this is a custom usage which will not interoperate with anyone else unless they choose to do the same semantic.  That being the case, I would much rather have a custom <NewEPR> or <RedirectTo> header which we can define clear and crisp semantics for, instead of overloading an existing one in new ways.
> My proposal is to introduce <NewEPR> or <RedirectTo>, use that instead for sending session cookies, and to use a real URI instead of anonymous.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org