[OTDev] A&A: precautions against pre-registering resources
Nina Jeliazkova nina at acad.bg
Mon Jun 28 21:08:19 CEST 2010
Hi Andreas,

Unless we invent a specific query parameter/media type for the "reachability test", this could be quite inefficient. For example, if one happens to try to GET /dataset/{id} for a large dataset and ignore the results, this will be a waste of resources (server, network and perhaps the client's).

Regards,
Nina

chung wrote:
> Hi Andreas,
> Is it possible to allow just web services to create policies prior to the resource's actual creation? [I mean using some token of theirs identifying them as web services and not using other users' tokens]
> If one attempts a DoS attack you can just disable the attacker's account, or if one creates policies at an unexpectedly high frequency you can block the account for some time. It would be more convenient if we removed such a restriction.
>
> Note: This is not an objection, it would just be easier for me to go without this restriction.
>
> Best regards,
> Pantelis
>
> On Mon, 2010-06-28 at 13:28 +0200, Andreas Maunz wrote:
>> Dear all,
>>
>> I propose to make the A&A policy webservice more secure by checking availability of resource URIs at policy upload time.
>> This is to tackle the issue of "pre-registration", i.e., to stop an attacker from registering arbitrary "promising" resource URIs (not under his control), by enforcing that every URI in a policy is actually reachable.
>> Being "reachable" means that the webservice at the corresponding URI reacts by returning an arbitrary return code other than "404 (not found)".
>> If nothing speaks against that I will add the functionality within the next few days. Please tell me if you hold a different view on the issue.
>>
>> Best regards
>> Andreas
>> _______________________________________________
>> Development mailing list
>> Development at opentox.org
>> http://www.opentox.org/mailman/listinfo/development
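The reachability check discussed in this thread, as an added example that is not OpenTox project code and not any participant's implementation. It follows Andreas's definition (any HTTP response other than 404 counts as reachable) and addresses Nina's efficiency objection by probing with HEAD instead of GET, so a large dataset is not transferred just to learn that it exists. Three points are assumptions of this example rather than anything stated on the page: a connection failure or timeout (no status code at all) is treated as unreachable; only http/https URIs are probed; and the policy service only probes hosts on a caller-supplied allowlist, because the uploader controls the URI the service would otherwise fetch. The host names, paths and status codes in the sample data are constructed, and the fake probe stands in for the network so the block runs offline. Pantelis's per-account rate limiting is not shown.

```python
"""Added example (not OpenTox project code): reachability check for the
resource URIs named in an A&A policy, run at policy upload time.

Assumptions (also stated in the lead-in): the policy's URIs are available
as a list of strings; the probe uses HTTP HEAD rather than GET; a missing
HTTP response counts as unreachable; service hosts are restricted to an
allowlist supplied by the caller. Hosts and paths below are hypothetical.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def http_probe(uri, timeout=5.0):
    """Return the HTTP status for a HEAD request to `uri`, or None when no
    HTTP response was obtained (DNS failure, refused connection, timeout).
    HEAD asks only for the headers, so the resource body is not downloaded."""
    request = urllib.request.Request(uri, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry a status code; that is the signal.
        return err.code
    except (urllib.error.URLError, OSError, ValueError):
        return None


def classify_uri(uri, probe, allowed_hosts):
    """Classify one policy URI. Returns one of:
    'ok'               - an HTTP response other than 404 was received
    'not-found'        - the service answered 404, the resource does not exist
    'unreachable'      - no HTTP response at all (assumption: treated as a failure)
    'bad-scheme'       - not an http(s) URI, never probed
    'host-not-allowed' - host outside the allowlist, never probed
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "bad-scheme"
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return "host-not-allowed"
    status = probe(uri)
    if status is None:
        return "unreachable"
    if status == 404:
        return "not-found"
    return "ok"


def validate_policy_uris(uris, probe=http_probe, allowed_hosts=frozenset()):
    """Return (accepted, rejected): `rejected` maps each offending URI to its
    classification, and the policy is accepted only if every URI is 'ok'."""
    rejected = {}
    for uri in uris:
        verdict = classify_uri(uri, probe, allowed_hosts)
        if verdict != "ok":
            rejected[uri] = verdict
    return (not rejected, rejected)


# Constructed sample data standing in for the network (hypothetical hosts).
SAMPLE_HOSTS = frozenset({"services.example.org"})
SAMPLE_RESPONSES = {
    "http://services.example.org/dataset/12": 200,
    "http://services.example.org/model/7": 401,      # protected, but it exists
    "http://services.example.org/dataset/9999": 404, # never created
    "http://services.example.org/compound/1": None,  # no HTTP response at all
}


def sample_probe(uri):
    """Offline replacement for http_probe, driven by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(uri, None)


def sample_run():
    """Validate a constructed policy that mixes good and bad URIs."""
    uris = list(SAMPLE_RESPONSES) + [
        "http://elsewhere.example.net/dataset/1",  # not a known service host
        "ftp://services.example.org/dataset/1",    # wrong scheme
    ]
    return validate_policy_uris(uris, probe=sample_probe, allowed_hosts=SAMPLE_HOSTS)


if __name__ == "__main__":
    accepted, rejected = sample_run()
    print("accepted" if accepted else "rejected", rejected)
```

Against a live service the default `http_probe` is used instead of `sample_probe`; the 401 case matters in practice, since a protected resource answers with a status code other than 404 and therefore counts as existing without the policy service needing any credentials for it.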