[OTDev] encoding accept header MIME types in URI

Christoph Helma helma at in-silico.ch
Fri Jan 14 11:00:36 CET 2011


> Actually, it's not that bad from a security point of view, because the REST
> framework will handle the extensions itself and adding an extension is
> merely a configuration issue.
> 
> But you are at the mercy of the framework, and here I understand these
> differ. The Ruby framework as explained in Christoph's email works via URI
> rewriting, while Restlet works via "tunneling", i.e. rerouting the request
> to the proper code, rather than rewriting the URI.  Thus in Restlet we end
> in the proper code to handle the request, but with the original URI. And if
> we want to check if the URI is authorized by the OpenSSO server, we have to
> do the extension removing ourselves :(
> 

Please don't get me wrong: I see the extension variant purely as a
convenience method for GET requests of text-oriented clients and HTML
links (there is no point in using them in POST requests). If it is too
hard to implement them in a safe way in one of the frameworks I would
rather use a more inconvenient method than to risk that extensions end
up as resource URIs (or to spend too much effort to make it work).

Maybe we can work for some time with the current implementations and
choose another solution if we run into trouble.

Best regards,
Christoph
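
Added example, not part of the original message and not code from either framework: a sketch of the extension stripping discussed in this thread, so that an authorization check sees the resource URI rather than the tunneled one. The helper name `canonical_resource`, the extension map and the example.org URIs are assumptions made for illustration.

```ruby
require 'uri'

# Assumed extension-to-MIME map (constructed for this example; the thread
# does not list the extensions the services accept).
EXTENSION_TYPES = {
  'rdf'  => 'application/rdf+xml',
  'html' => 'text/html',
  'csv'  => 'text/csv'
}.freeze

# Hypothetical helper: split a request URI into the canonical resource URI
# (the one an access policy would be registered under) and the media type
# requested via the extension. Only GET requests are treated as tunneled,
# and only an allowlisted extension on the last path segment is stripped;
# anything else is returned unchanged with a nil media type.
def canonical_resource(method, uri_string)
  return [uri_string, nil] unless method.to_s.upcase == 'GET'

  uri = URI.parse(uri_string)
  head, sep, last = uri.path.rpartition('/')
  base, dot, ext = last.rpartition('.')
  mime = EXTENSION_TYPES[ext.downcase]
  # No dot, empty base ("/.rdf") or unknown extension: leave the URI alone,
  # so "/model/1.5" is not mistaken for resource "/model/1".
  return [uri_string, nil] if dot.empty? || base.empty? || mime.nil?

  uri.path = head + sep + base   # query string, if any, is preserved
  [uri.to_s, mime]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  [
    ['GET',  'http://example.org/dataset/1.rdf'],
    ['GET',  'http://example.org/dataset/1.csv?max=10'],
    ['GET',  'http://example.org/model/1.5'],
    ['POST', 'http://example.org/dataset/1.rdf']
  ].each do |method, uri|
    resource, mime = canonical_resource(method, uri)
    puts "#{method} #{uri} -> authorize #{resource} (#{mime || 'Accept header'})"
  end
end
```

The URI returned first is the one to hand to the authorization check; the second value replaces the Accept header only when it is not nil.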


