
We are creating a web project with RESTful + OAuth.

It looks good: the client sends a token for each request in the Authorization header. But for some requests we can't add a header, for example when we print an image or a document, because we use window.open, where only GET params are at our disposal.

Right now I see one way: for those requests, add the token to the URL as a GET param (?token=xxxxxxx) and hide the URL bar in the child browser window.

But I think it's not a good way. Maybe somebody has another idea or practical experience of implementing it.

St_5

1 Answer


Putting the token in the URL is not a good way, as it will be public on the network and anyone sniffing your network will get the token. I think you have to make a reverse proxy on your server to get the file you want, after checking a session attribute to be sure you are authorized for that.

Bassem Reda Zohdy
  • Yes, I agree with you, but we don't use sessions for RESTful. – St_5 Jan 16 '14 at 13:18
  • Or do you propose sending a request to the server with the token in the header, responding with some other temporary token, and then getting the file with it (the temp token)? – St_5 Jan 16 '14 at 13:20
  • The session part is for the reverse proxy only, not for RESTful, as the reverse proxy may have no OAuth filters, so it's easy to access with window.open. – Bassem Reda Zohdy Jan 16 '14 at 13:23
  • Also, I prefer to use an Ajax solution instead of window.open and use a dialog; then you can control the headers in your request. – Bassem Reda Zohdy Jan 16 '14 at 13:25
  • Yeah, I like using only Ajax requests too. But I create only the server part. Maybe you can tell me whether it's possible to get file content and throw it into the browser for download or print (browser print page) with the help of Ajax. (Because my front-end developer says it's not possible, but I'm not sure that he has done good research.) – St_5 Jan 16 '14 at 14:10
  • Ajax cannot download files due to security constraints, but you can generate an HTML page to print it. Also consider using a reverse proxy to a servlet or page responsible only for downloading files, and sync it with the main session of the user, or use a short-time generated token. – Bassem Reda Zohdy Jan 17 '14 at 11:24