SLING-53

Add request filter for method overwrite

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Engine
    • Labels: None

      Description

      To allow for method overwrite I suggest adding a request processing Filter along the lines of the Abdera MethodOverrideFilter [1] as stipulated by Roy in [2].

      [1] http://svn.apache.org/viewvc/incubator/abdera/java/trunk/server/src/main/java/org/apache/abdera/protocol/server/servlet/MethodOverrideFilter.java?view=markup&pathrev=510085
      [2] http://www.mail-archive.com/sling-dev@incubator.apache.org/msg00355.html

        Activity

        Felix Meschberger added a comment -

        Descheduling from the initial release. We keep this issue around and will implement it as the need arises.

        Felix Meschberger added a comment -

        > ... X-HTTP-Method-Override ...

        Absolutely. In fact the Abdera filter also lists a X-Method-Override header. So I think, we should go with the Abdera filter (to be friendly we might ask Abdera for permission to copy).

        And I would also keep the filters separate as Lars already proposed: One filter for Method Overwriting limited to POST requests and one filter for header injection, probably unlimited.

        Lars Trieloff added a comment -

        Just a quick note: Google uses a X-HTTP-Method-Override header to specify the method. We should use the same one.

        Roy T. Fielding added a comment -

        This needs to be very well documented. Some companies will consider it to be a security hole and will need a way to turn it off (globally).

        It also must be limited to POST requests. In other words, nobody can tunnel a state-changing operation through GET.

        Bertrand Delacretaz added a comment -

        With ujax: I meant only the type of pattern for special parameters, I agree that this has nothing to do with µjax in particular.

        +1 to accepting the mindquarry filters as a donation, the easiest way might be for someone who has the rights on that to upload it here.

        Lars Trieloff added a comment -

        Mindquarry could donate the implementation of this particular filter, if there is interest. It has been in use for some months now and is quite solid code.

        http://www.mindquarry.org/repos/mindquarry-collaboration-server/trunk/mindquarry-webapp/mindquarry-webapp-servlet/src/main/java/com/mindquarry/webapp/servlet/HttpHeaderSpoofingFilter.java
        http://www.mindquarry.org/repos/mindquarry-collaboration-server/trunk/mindquarry-webapp/mindquarry-webapp-servlet/src/main/java/com/mindquarry/webapp/servlet/HttpHeaderSpoofingRequestWrapper.java

        we would change copyright and license accordingly.

        Felix Meschberger added a comment -

        > Note that we're already using ujax: as a prefix for request parameters interpreted by µjax, the pattern for the first filter should be similar.

        I think, it is better to keep this detached from the ujax use case, as this problem is not restricted to ujax but to other applications using forms and intending to use other methods. Therefore, I like the idea of Lars [1] more: This can even be generalized to "generate" any header for http-(.*)-header parameters.

        [1] http://www.mail-archive.com/sling-dev@incubator.apache.org/msg01413.html

        Bertrand Delacretaz added a comment -

        On sling-dev, Lars suggests using two filters:

        First ServletFilter changes Request-Parameters with a certain naming pattern into request headers. This overcomes the disability of web browsers to set headers programmatically.

        Second ServletFilter uses a header like X-HTTP-Method to override the HTTP method.

        Note that we're already using ujax: as a prefix for request parameters interpreted by µjax, the pattern for the first filter should be similar.

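        As an added example, not code from Sling, Abdera or Mindquarry, the second of the two filters proposed above (header to method override), written to satisfy the constraints from Roy T. Fielding's comment: the override is honoured only on POST requests, so a GET can never be turned into a state-changing operation, and the whole filter can be switched off globally. The `enabled` init parameter, the allow-list of target methods, and the class and field names are assumptions chosen for illustration; the two header names are the ones named in this issue.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Honours X-HTTP-Method-Override (and the older X-Method-Override) only on
 * POST requests, and can be switched off globally through the "enabled"
 * init parameter. Illustrative example, not Sling's or Abdera's code.
 */
public class MethodOverrideFilter implements Filter {

    /** Header names mentioned in the discussion; the first one present wins. */
    private static final String[] OVERRIDE_HEADERS = {
        "X-HTTP-Method-Override", "X-Method-Override"
    };

    /** Methods a POST may be rewritten to (assumed policy, not taken from the issue). */
    private static final Set<String> ALLOWED_TARGETS =
        new HashSet<>(Arrays.asList("PUT", "DELETE", "PATCH"));

    private boolean enabled;

    @Override
    public void init(FilterConfig config) {
        // Global kill switch, read from the filter's init-param "enabled" (assumed name).
        // Defaults to disabled so a deployment has to opt in explicitly.
        enabled = "true".equalsIgnoreCase(config.getInitParameter("enabled"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (enabled && req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            String target = resolveOverride(httpReq);
            if (target != null) {
                // Everything downstream sees the overridden method.
                req = new OverriddenMethodRequest(httpReq, target);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the method the request should be treated as, or null when no
     * acceptable override applies. Only POST is eligible: a GET carrying the
     * header is passed through untouched.
     */
    static String resolveOverride(HttpServletRequest req) {
        if (!"POST".equals(req.getMethod())) {
            return null;
        }
        for (String name : OVERRIDE_HEADERS) {
            String value = req.getHeader(name);
            if (value != null) {
                String method = value.trim().toUpperCase(Locale.ROOT);
                // Unknown or unexpected targets are ignored rather than applied.
                return ALLOWED_TARGETS.contains(method) ? method : null;
            }
        }
        return null;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /** Request wrapper that reports the overridden method to the servlet. */
    private static final class OverriddenMethodRequest extends HttpServletRequestWrapper {
        private final String method;

        OverriddenMethodRequest(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }

        @Override
        public String getMethod() {
            return method;
        }
    }
}
```

        The filter is registered in web.xml like any other servlet Filter, with `enabled` set to `true` only where the deployment wants the feature; leaving the parameter out keeps it off. The first filter from Lars's proposal (request parameters copied into headers) would sit in front of this one in the chain, and the POST check here applies to its output as well, so a parameter-supplied override is subject to the same restriction.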

          People

          • Assignee: Unassigned
          • Reporter: Felix Meschberger
          • Votes: 2
          • Watchers: 1