[OTDev] A&A: precautions against pre-registering resources
Andreas Maunz andreas at maunz.de
Mon Jun 28 13:28:22 CEST 2010

Dear all,

I propose to make the A&A policy webservice more secure by checking availability of resource URIs at policy upload time. This is to tackle the issue of "pre-registration", i.e., to stop an attacker from registering arbitrary "promising" resource URIs (not under his control), by enforcing that every URI in a policy is actually reachable. Being "reachable" means that the webservice at the corresponding URI reacts by returning an arbitrary return code other than "404 (not found)".

If nothing speaks against that I will add the functionality within the next few days. Please tell me if you hold a different view on the issue.

Best regards
Andreas
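
The reachability rule proposed in the message above, sketched as an added example; it is not part of the original post and not the A&A service's own code. The function names, the use of HEAD requests, the timeout and the restriction to http/https URIs are assumptions made for illustration.

```python
import http.client
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def probe_status(uri, timeout=5.0):
    """Return the HTTP status the service at `uri` answers with, or None if it does not answer."""
    try:
        # Assumption: only http/https URIs are probed; file:, ftp: etc. are never fetched.
        if urlsplit(uri).scheme not in ("http", "https"):
            return None
        request = urllib.request.Request(uri, method="HEAD")  # assumption: HEAD is enough
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401, 403, 500 ... are still an answer from the service
    except (urllib.error.URLError, http.client.HTTPException, OSError, ValueError):
        return None  # DNS failure, refused connection, timeout, malformed URI


def find_unreachable_uris(uris, probe=probe_status):
    """Map each policy URI that fails the rule to the reason; an empty dict means accept."""
    rejected = {}
    for uri in uris:
        status = probe(uri)
        if status is None:
            rejected[uri] = "no response"
        elif status == 404:
            rejected[uri] = "404 (not found)"
    return rejected


if __name__ == "__main__":
    # Constructed sample: statuses a probe might see for the URIs of one uploaded policy.
    constructed = {
        "http://services.example/model/1": 200,
        "http://services.example/dataset/7": 401,      # protected, but it exists
        "http://services.example/model/promising": 404,
        "http://unregistered.example/task/1": None,    # nothing answers
    }
    for uri, reason in find_unreachable_uris(constructed, probe=constructed.get).items():
        print("reject policy:", uri, "->", reason)
```

A resource that answers 401 or 403 passes the check, so URIs already protected by a policy can still be named in a new upload.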