Comments on The Wisdom of Ganesh: Advice To Organisations Embarking On SOA Today

Comment by Sameer Nambiar (https://www.blogger.com/profile/14720828773139520112), 2009-12-11:

Ganesh,

Your blogs make for very interesting reading.

I have a question relating to REST, maybe out of context but will post it here for starters.

Using REST from a SOFEA style (GWT) application would definitely require the correct use of the GET verb. In order to 'secure' an application from XSS/XSRF style attacks, the general recommendation seems to be to use a token (cookie-like) as part of every request.

While using GET, we are going to have to attach the token on the URL itself. The path that an http request takes may be over layers of proxy servers, where in all probability the request urls will be logged and hence expose the token. Using HTTPS as the transport possibly prevents interception in between, but still leaves the token exposed at browser/web server ends.

I was wondering what your thoughts might be on this. One can't do true REST without GET, which inherently seems unsecurable via the token-approach. Is there an alternative?

regards,
-Sameer