login button

Calling a written web service in mashup server externally

Submitted by AjayKamath on June 11, 2008 - 05:44. Forums :

I am Ajay. I am working on WSO2 Mash up server.

I have a doubt...Please reply

I have written a web service say XmlMerge which takes 2 input xml files say a.xml and b.xml and merges it into one output xml document (output.xml).

Code:-

this.serviceName = "XmlMerge";

this.documentation = "TODO: Add service level documentation here" ; toString.documentation = "TODO: Add operation level documentation here" ; toString.inputTypes = { /* TODO: Add input types of this operation */ }; toString.outputType = "String"; /* TODO: Add output type here */ function toString()

{

var aFile = new File("A.xml");

var a = new XML(aFile.readAll());

var bFile = new File("B.xml");

var b = new XML(bFile.readAll());

var z=b.author.firstname + " " + b.author.lastname;

a.insertChildAfter(a.author.firstname, b.author.firstname);

a.insertChildAfter(a.author.lastname, b.author.lastname);

a.insertChildAfter(a.title, b.title);

a.insertChildAfter(a.content, b.content);

var cFile=new File("output1.xml");

cFile.write(a);

return(a);

}

 

Query:-

Is it possible to call this service "XmlMerge" from an external html file which has no link with MashUp server?

Please reply

Bookmark/Search this post with:
  • Delicious
  • Digg
  • Reddit
  • Newsvine
  • Facebook
  • Google
  • Yahoo
  • Technorati
‹ Startup Failure on Vista localhost vs mooshup.com ›

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

XSS Restrictions

Submitted by Jonathan Marsh on June 12, 2008 - 03:01.

 

Calling a web service from an html page can be difficult as it often runs up against cross-site-scripting security restrictions in the browser.  So if I have a web page from http://ajay.com and am trying to call http://mooshup.com (or even https://ajay.com) using the mashup stub and WSRequest.js, the browser is often going to deny access.  Both IE and Firefox have ways to avoid this error, but only in specific circumstances, and with browser configuration or some other complex bit of work.

There are a number of solutions, the simplest being:

  1. call the web service on the server side, using web services capabilities in asp, jsp, php, perl, or whatever your server side language is.  This could be as easy as an include directive pointing to an HTTP binding for the service.  This way the browser isn't talking to the service at all, and can't complain about its domain.
  2. use a simple proxy on the ajay.com service which redirects certain urls to http://mooshup.com.  The browser then talks to a single domain.

I've been looking at script injection as a way to work around this, and hope to have some samples or features in the not-too-distant future.

»

XSS Restrictions

Submitted by tolga84k on June 16, 2008 - 23:44.

Hi Jonathan

What're the "specific circumstances" and "other complex bit of work", you mentioned above ? It would be great if you share it with us.

Thanx

»

XSS workarounds

Submitted by Jonathan Marsh on June 19, 2008 - 13:09.

The one's I'm aware of (but haven't played with all) include:

  1. IE doesn't enforce restrictions from file:// urls, so if you open a page locally, it should work fine.  This includes from within Vista Sidebar gadgets.
  2. IE can be configured to allow some traffic through from "trusted domains" which can be configured within the browser's internet options dialog.
  3. Firefox apparently will accept some requests from domains if those scripts are signed in a special way.  Not sure what the details are.
  4. Frameworks like Google Gadgets support a way to do cross-domain GET requests through a proxy.  The nightly build uses this when the stub is called from a Google Gadget (but you can't do POSTs and you have to use the asynchronous flavor).

You'll be pleased to know I'm developing a workaround that will be in the upcoming release (or at least can be added onto the upcoming release.)  It tunnels the Web Service requests through URL parameters in dynamically generated scripts.  Since it's possible to work around the cross-domain restrictions in this way, it makes me wonder why the restrictions are still in place...

»

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.