It wouldn't really work but it's not working today anyway, we return an error when external content is passed in an entry. That would change to silently ignoring it for a checkout.
In the case of AD2 it's the AD2 client that's lazy and just reuses the full Atom entry it retrieved with a GET to then do the checkout. Consider this a workaround for broken clients, that does not penalize non-broken ones :) Florent On Mon, Nov 22, 2010 at 4:35 PM, Florian Müller <[email protected]> wrote: > If we remove the exception, a document would be created without content. > Wouldn't that be confusing? It wouldn't really "work". > > - Florian > > On 22/11/2010 15:32, Florent Guillaume wrote: >> >> I understand the security implications in implementing this and I >> agree it shouldn't be done at least by default. >> My question was more along the lines of: is it ok if I remove the >> thrown exception so that OpenCMIS-based servers can work with AD2? >> >> Florent >> >> >> On Mon, Nov 22, 2010 at 3:44 PM, Florian Müller >> <[email protected]> wrote: >>> >>> Hi Florent, >>> >>> I intentionally didn't implement that features because there are too many >>> difficult questions. >>> What basically happens here is that the CMIS repository connects to a >>> HTTP server to get the content. >>> >>> - In many enterprise environments that's not possible because of >>> firewalls. The server can't talk to an arbitrary host for security reasons. >>> >>> - If the content is hosted on a client machine, it is even more unlikely >>> since desktop firewalls will prevent that. >>> >>> - Should the CMIS repository forward the given credentials to the HTTP >>> server? Hell, no, that would be a security hole. But, yes, it has to >>> authenticate in order to get access to the content... >>> >>> - If we forward the credentials, we really, really should use HTTPS. Do >>> we accept self-signed certificates? Probably not. Does the HTTP server >>> running on a users laptop has a real certificate installed? Probably not. >>> >>> - What if the credentials for the CMIS repository and the HTTP server are >>> different? A very likely scenario... >>> >>> - What if the credentials are not user/password based and we can't >>> forward them because we don't know them? >>> >>> >>> I don't know how to provide a generic external content implementation, >>> but I'm open for ideas... >>> >>> >>> - Florian >>> >>> >>> On 22/11/2010 10:44, Florent Guillaume wrote: >>>> >>>> Hi, >>>> >>>> Adobe Drive 2 does the following when you request a checkout: >>>> >>>> POST /.../repo/checkedout >>>> Content-Type: application/atom+xml;type=entry >>>> >>>> <atom:entry xmlns:atom="http://www.w3.org/2005/Atom";> >>>> ... >>>> <atom:content >>>> >>>> src="http://localhost.../.../repo/content?id=5f8a7a2e-6175-4111-84a3-f70e2d83702e"; >>>> type="image/jpeg" /> >>>> <cmisra:object >>>> xmlns:cmisra="http://docs.oasis-open.org/ns/cmis/restatom/200908/";> >>>> ... >>>> </cmisra:object> >>>> ... >>>> </atom:entry> >>>> >>>> In particular it provides a content src (the one from the entry >>>> itself), which OpenCMIS doesn't like: >>>> HTTP/1.1 405 Method Not Allowed >>>> >>>> This is due to code in AtomEntryParser.parseAtomContent: >>>> } else if (ATTR_SRC.equals(attrName.getLocalPart())) { >>>> throw new CmisNotSupportedException("External content >>>> not supported!"); >>>> } >>>> >>>> I'm not sure this is the right thing to do here, can we just ignore >>>> this external content? >>>> >>>> Florent >>>> >>>> >>>> >>> >>> >> >> >> > > -- Florent Guillaume, Director of R&D, Nuxeo Open Source, Java EE based, Enterprise Content Management (ECM) http://www.nuxeo.com http://www.nuxeo.org +33 1 40 33 79 87
