Can anyone provide a clear explanation of when to use nullChannel() vs. when to use get() when configuring a SI Flow with the DSL ?
The nullChannel() is a shortcut of the .channel(“nullChannel”).get(). But it still has that logical purpose to give a clue for target developer that this is the end of the flow and we can’t continue processing after nullChannel since this channel cannot be subscribed for consuming messages sent to it.
If your confuse is why would one specify a nullChannel if there probably would be enough just have that get(), then the answer is: it is possible and a valid use-case when you rely on the replyChannel header to produce the result from your endpoint. But if you fully want to void that result, the nullChannel must be configured explicitly.
Related
So we were starting a new project from scratch and one of the developers suggested why have any GET API requests as POST API's are better in every which way. (At least when using a mobile client)
On further looking into this it does seem POST can do everything GET can do and it can do it better -
slightly more secure as parameters are not in URL
larger limit than GET request
So is there even a single reason to have a GET API ? (This will only be used from a mobile client so browser specific cacheing doesn't affect us)
Is there ever a need to have GET request API as POST is better in every way?
In general, yes. In your specific circumstances -- maybe no.
GET and POST are method tokens.
The request method token is the primary source of request semantics
They are a form of meta data included in the http request so that general purpose components can be aware of the request semantics and contribute constructively.
POST is, in a sense, the wildcard method - it can mean anything. But one of the consequences of this is - because the method has unconstrained semantics, general purpose components can't do anything useful other than pass the request along.
GET, however, has safe semantics (which includes idempotent semantics). Because the request is idempotent, general purpose components know that they can resend a GET request when the server returns no response (ie messages being lost on unreliable transport); general purpose components can know that representations of the resource can be pre-fetched, reducing perceived latency.
You dismissed caching as a concern earlier, but you may want to rethink that - the cache constraint is an important element that helped the web take over the world.
Reducing everything to POST reduces HTTP from an application for transferring documents over a network to dumb transport.
Using HTTP for transport isn't necessarily wrong: Simple Object Access Protocol (SOAP) works that way, as does gRPC. You still get authorization, and conditional requests; features of HTTP that you might otherwise need to roll your own.
You aren't doing REST at that point, but that's OK; not everybody has to.
That doesn’t mean that I think everyone should design their own systems according to the REST architectural style. REST is intended for long-lived network-based applications that span multiple organizations. If you don’t see a need for the constraints, then don’t use them. (Fielding, 2008)
I want to introduce effective logging with in my Spring Integration implementation. I already have global wire-tap which logs the payload and headers. However we have lots service activators which has lots of business logic. I want to log important information like user id, request id in every log. We are using SLF4J. The spring integration flow has number of thread pool executors which are managed by Spring integration.
Should I go for AOP where before every method call, I retrieve the userid and request id from message headers and set it in SLF4J MDC? and then clear it once the method execution is over. It would have clearing logic in finally block. Is this a right approach or this would create performance bottle neck? Not sure why this has not been discussed much as in multithreaded SI flow, it would become very difficult to debug logs without user information.
If there is a better approach, please suggest.
See the SecurityContextPropagationChannelInterceptor introduced in 4.2.
Notice that it is a subclass of ThreadStatePropagationChannelInterceptor.
You could use a similar technique to propagate/clean up the MDC when a message is passed off to another thread. It would be less overhead than doing it on every call made by that thread.
Notice how the information to be propagated is wrapped in a lightweight message wrapper, along with the message. You could also store the information in message headers.
If you come up with a generic implementation, consider contributing it to the framework.
I was going thru RFC 4474 and noticed that it has some trouble in dealing with authentication in REGISTER and CANCEL message.
Has anyone went thru RFC 4474 and noticed why REGISTER and CANCEL message cannot be authenticated by the method suggested by RFC 4474?
RFC 4474 says, pp. 16.
Note, in the table above, that this mechanism does not protect the
CANCEL method. The CANCEL method cannot be challenged, because it is
hop-by-hop, and accordingly authentication service behavior for CANCEL
would be significantly limited. Note as well that the REGISTER method
uses Contact header fields in very unusual ways that complicate its
applicability to this mechanism, and the use of Identity with REGISTER
is consequently a subject for future study, although it is left as
optional here for forward-compatibility reasons. The Identity and
Identity-Info header MUST NOT appear in CANCEL.
CANCEL message unauthenticated can only be a threat for a certain duration after the REGISTER message has been sent and before ACK arrives. So it might be less of a threat.
but REGISTER message unauthenticated can cause potential problem, as RFC states that REGISTER uses contact headers in unusual ways, as far as i know, it just has the FROM and TO headers same. But why is this causing problem in implementing this technique to it?
Any help would be appreciated.
You are not reading the RFC correctly. There's no message called REQUEST. I am guessing that you are referring to the INVITE transaction. To make a long answer short, the CANCEL is more or less a copy of the INVITE transaction it is cancelling. When doing MD5 challenge/response authentication we use two different transactions, and thus if we authenticated the CANCEL it would no longer be a copy of the INVITE because you had another CSEQ.
I recommend you read through the basics in RFC 3261 to understand more of this.
/O
I have a SOA which makes heavy use of nonces (i.e, one-time one-use security tokens).
My app takes a nonce from a client, verifies it, then sends a new nonce back to said client as part of every reply. Also included in each reply are the results of business logic operations that executed right after the nonce was authenticated.
The nonce verification and generation are operationally coupled with the business logic, since both occur in response to every client request. However I don't want the two to be coupled in code. What's the right way to partition them in accordance with SOA principles? Is it too much to break the security and business logic into two separate services, with one calling the other as part of each reply to each client request?
Yes it makes sense to separate them. But I don't think they should have awareness of each other at all (Call each other directly).
I'll dive into a specific example and technology of how something similar is implemented.
In the web frame work Struts2 all incoming requests pass through a stack of operations(called interceptors) before arriving at a user defined object (called an action). The action then will access the business tier.
When submitting a web form there is the issue of double submission. So one way to protect against this is with a token that is sent along with the form submission. So we need to create a unique token place it as a hidden field, and then when we receive the request only process it if the token is good. This prevent users from doing something like accidentally buying something more than once.
In Struts2 there is a special server side token tag which creates the hidden field for us. So there is something that needs to be done for each form. The token interceptor if active will enforce that this value always exists and is good when receiving the form and will redirect responses that do not somewhere else.
The idea of implementing a nonces interceptor/filter that checks that the incoming nonce value is good and for responses adds the correct nonces value to the response should be completely independent of the business logic.
The example here is with html forms but adding an interceptor(or whatever you call "that which handles cross cutting concerns at the request/response level" for your appropriate technology) which adds such a value to json or xml messages should be pretty easy and likely produce the most elegant result.
The following is a link to struts2 interceptor reference (it might clarify the idea better):
http://struts.apache.org/2.2.1.1/docs/interceptors.html
The following two links are both interceptors which manage tokens:
http://struts.apache.org/2.2.1.1/docs/token-interceptor.html
http://struts.apache.org/2.2.1.1/docs/token-session-interceptor.html
I expect only the first few paragraphs of each link will be useful but something like it for your technology should be nice.
I think what you outlined above would be in keeping with SOA principles. You're keeping two distinct sets of operations separated - once service has the business logic, the other has the security logic.
This would be especially true if you have (or the potential of having) other services that would rely on nonces.
I have been doing a bit of research on this and think it's possible, but just wanted some confirmation from those in the know :-)
My requirement is to change the XML string in a SIP message body which is coming from a PBX server (closed source) and going to a particular type of handset. Problem is that the handset doesn't like the format of the XML, so I need to change it between the PBX and the phone.
I started out looking at changing things at the network layer, but quickly came to the conclusion that this would be extremely difficult (and my C/C++ is not that up to date), so I then turned my attention to SIP proxies, of which there are several really good open source ones.
But, before I head down this track, which may benefit others if possible, I wanted to ask, is this type of SIP message body manipulation even possible?
Thanks in advance for any responses :-)
From a standards perspective, proxies are allowed to modify the messages they pass between user agents.
What you will need to do next, is find one that is programmable and allows you to modify the messages in a way that you see fit.
One option is a Back-to-Back User Agent, or B2BUA. The PBX calls your B2BUA which alters the message body appropriately before calling your handset (and in the reverse direction, of course).
(This might not be so trivial if you're using S/MIME to encrypt message bodies!)