http://issues.apache.org/bugzilla/show_bug.cgi?id=34391

------- Additional Comments From [EMAIL PROTECTED] 2005-04-20 09:17 -------

Roland,

Thx for the illustration - perhaps I should provide a little bit more background on the PayPal IPN:

IMHO, this is a quite nice protocol to easily have a web-application learn whether a payment has been successfully executed at a third-party payment provider such as PayPal.

There are two threads of activity, one user-based, one among servers:

I) user-based
-------------
1) browsing user on a web-app decides to pay
2) web-app redirects (with some unique parameters) user to PayPal where s/he pays
3) PayPal returns the browsing user to the web-app (possibly without losing the pre-existing jsession)

II) among servers
-----------------
4) in the course of 2), PayPal validates the payment; if they deem the payment as valid, they perform an HTTP POST to the web-app to a URL as specified as parameter by the web-app in 2) (no clue whether they use http-client for this or not - I hope they do) to notify about the successful payment
5) Since everybody could try to fake that post, the web-app has to take the notification information it receives and post its content back to a PayPal standard URL and will receive a VERIFIED or not in response from PayPal.

Under the assumption that DNS/IP routing coming from my web-app to PayPal is not subverted, this ensures that it's really PayPal who issues the verdict. Almost - PayPal apparently doesn't bother with confidentiality and integrity in this case by default.

So, this sample shows how to add confidentiality and some degree of authentication of PayPal's verdict-responder (not talking about (OCSP-)revocation, ...) without creating side-effects regarding the trust-store JVM-wide on the side of my web-app. And here, far from "foreign browsers", HttpClient appears to me the most elegant way to do it.

So, the example is only useful if it can do both, i.e. taking in the notification from PayPal as a "server" and re-posting it back to PayPal as a "client" - the focus of the provided example is obviously on the latter.

Hope this helps
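
Step 5 of the comment above, as an added example (not part of the original comment and not the HttpClient project's code): the JDK's java.net.http.HttpClient stands in for Commons HttpClient, with a dedicated trust store so the JVM-wide one is untouched. The class name, the PKCS12 trust-store file and the caller-supplied verification URL are assumptions; cmd=_notify-validate is the prefix PayPal documents for IPN validation.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Re-posts a received IPN body to the provider over TLS and checks the verdict (hypothetical class). */
public final class IpnVerifier {
    private final HttpClient client;
    private final URI verifyUri; // assumption: the provider's HTTPS validation URL, supplied by the caller

    public IpnVerifier(Path trustStore, char[] password, URI verifyUri) throws Exception {
        if (!"https".equalsIgnoreCase(verifyUri.getScheme()))
            throw new IllegalArgumentException("verification URL must be https");
        // Load a dedicated trust store; the JVM-wide default (cacerts) is neither read nor modified.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // The SSLContext is scoped to this client only; hostname verification stays on by default.
        this.client = HttpClient.newBuilder().sslContext(ctx)
                .connectTimeout(Duration.ofSeconds(10)).build();
        this.verifyUri = verifyUri;
    }

    /** @param rawBody the notification body exactly as received in step 4, not re-encoded */
    public boolean isVerified(String rawBody) throws Exception {
        // Echo the original fields back unchanged, prefixed with the validation command.
        HttpRequest req = HttpRequest.newBuilder(verifyUri)
                .timeout(Duration.ofSeconds(30))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("cmd=_notify-validate&" + rawBody))
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        // Fail closed: anything other than HTTP 200 with the literal verdict counts as unverified.
        return resp.statusCode() == 200 && "VERIFIED".equals(resp.body().trim());
    }
}
```

The servlet that receives the notification in step 4 would pass the raw request body to isVerified() and act on the payment only when it returns true.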
