Hi Kevin,
 
In my mind, the "confidential" property shouldn't determine the connector
used. This is the role of the Request#getProtocol() method. We might
eventually want to check (and log a warning if necessary) that, if the user
sets the "confidential" property manually, it is consistent with the
protocol eventually used to send the request.
 
Also, in the com.noelios.restlet.component.ComponentClientDispatcher class,
there is this related block of code:
@Override
protected void doHandle(Request request, Response response) {
    super.doHandle(request, response);
    final Protocol protocol = request.getProtocol();

    if (protocol.equals(Protocol.RIAP)) {
        // Consider that the request is confidential
        request.setConfidential(true);

    ...

We could generalize this logic by adding a "confidential" property on the
Protocol class itself and then do this:
 
    super.doHandle(request, response);
    final Protocol protocol = request.getProtocol();
    request.setConfidential(protocol.isConfidential());

    if (protocol.equals(Protocol.RIAP)) {

    ...

That would make sure that the requests going through a secure client
connector (RIAP, HTTPS, SMTPS, etc.) get properly marked as confidential. We
might even want to move the "confidential" property from Request to the
parent Message class because if the request is secure, then the response
will be as well.
 
Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com
 


  _____  

From: Kevin Conaway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2008 23:16
To: [email protected]
Subject: Re: Protocol should determine "confidentiality" of Request


In Restlet-619, I added SSL support to the StreamClientHelper.  The
StreamClientHelper now looks at request.isConfidential() before deciding to
use a plain Socket or an SSL Socket.


On Tue, Oct 21, 2008 at 9:10 AM, Rob Heittman <[EMAIL PROTECTED]>
wrote:


Not disagreeing -- makes sense -- but just curious, how/when do you use this
on the Client side?  The Server side sets this if the request has come in
via https: or riap:, and that's where I usually need to interrogate it. 

On Tue, Oct 21, 2008 at 8:56 AM, Kevin Conaway <[EMAIL PROTECTED]>
wrote:


When making a Client call, I think it would be helpful to set the
"confidential" attribute on the Request for the user based on the Protocol.
I.e., if I'm using the HTTPS protocol, I shouldn't have to remember to set
the confidential attribute to true on every Request.  I'm not sure where the
best place to make that decision is, though.

Is there a situation where you would be using HTTPS or a similar secure
protocol but the Request would not be confidential?

Thanks,

Kevin
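
The behaviour discussed in this thread, as an added example that is not code from Restlet or from any of the participants: the protocol decides confidentiality, a manually set flag that contradicts it is logged and overridden, and the socket choice follows the resolved value. The Protocol enum, the Request class, resolveConfidential and chooseSocket are simplified, hypothetical stand-ins, and overriding (rather than rejecting) an inconsistent flag is an assumption.

```java
import java.util.logging.Logger;

// Added illustration with simplified stand-in types; these are not the Restlet classes.
public class ConfidentialityDemo {
    static final Logger LOG = Logger.getLogger("ConfidentialityDemo");

    // Hypothetical Protocol carrying the proposed "confidential" property.
    enum Protocol {
        HTTP(false), HTTPS(true), SMTP(false), SMTPS(true), RIAP(true);
        private final boolean confidential;
        Protocol(boolean confidential) { this.confidential = confidential; }
        boolean isConfidential() { return confidential; }
    }

    // Hypothetical Request; the flag is nullable so a manual setting can be detected.
    static class Request {
        final Protocol protocol;
        Boolean confidential; // null = the caller never set it
        Request(Protocol protocol) { this.protocol = protocol; }
    }

    // Dispatcher step: the protocol is authoritative. A manual value that
    // contradicts it is logged and then overridden (assumed policy).
    static boolean resolveConfidential(Request request) {
        boolean fromProtocol = request.protocol.isConfidential();
        if (request.confidential != null && request.confidential != fromProtocol) {
            LOG.warning("confidential=" + request.confidential + " contradicts "
                    + request.protocol + "; using " + fromProtocol);
        }
        request.confidential = fromProtocol;
        return fromProtocol;
    }

    // Connector step: the socket type follows the resolved value, so an HTTPS
    // request with a forgotten or wrong flag never goes out on a plain socket.
    static String chooseSocket(Request request) {
        return resolveConfidential(request) ? "SSLSocket" : "Socket";
    }

    public static void main(String[] args) {
        Request forgotten = new Request(Protocol.HTTPS); // flag never set
        Request wrong = new Request(Protocol.HTTPS);
        wrong.confidential = false;                       // manual, inconsistent
        Request plain = new Request(Protocol.HTTP);
        plain.confidential = true;                        // claims more than HTTP gives
        for (Request r : new Request[] { forgotten, wrong, plain }) {
            System.out.println(r.protocol + " -> " + chooseSocket(r));
        }
    }
}
```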



