[OTDev] A&A: precautions against pre-registering resources

Nina Jeliazkova nina at acad.bg
Mon Jun 28 21:08:19 CEST 2010


Hi Andreas,

Unless we invent a specific query parameter/media type for the
"reachability test", this could be quite inefficient. For example, if
one happens to try to GET /dataset/{id} for a large dataset and
ignore the results, this will be a waste of resources (server, network
and perhaps the client's).

Regards,
Nina

chung wrote:
> Hi Andreas,
> Is it possible to allow just web services to create policies prior to
> the resource's actual creation? [I mean using some token of theirs
> identifying them as web services and not using other users' tokens]
> If one attempts a DoS attack you can just disable the attacker's account,
> or if one creates policies at an unexpectedly high frequency you can
> block the account for some time. It would be more convenient if we
> removed such a restriction.
>
> Note: This is not an objection, it would be just easier to me to go
> without this restriction.
>
> Best regards,
> Pantelis
>
>
> On Mon, 2010-06-28 at 13:28 +0200, Andreas Maunz wrote:
>
>   
>> Dear all,
>>
>> I propose to make the A&A policy webservice more secure by checking 
>> availability of resource URIs at policy upload time.
>> This is to tackle the issue of "pre-registration", i.e., to stop an 
>> attacker from registering arbitrary "promising" resource URIs (not under 
>> his control), by enforcing that every URI in a policy is actually reachable.
>> Being "reachable" means that the webservice at the corresponding URI 
>> reacts by returning an arbitrary return code other than "404 (not found)".
>> If nothing speaks against that I will add the functionality within the 
>> next few days. Please tell me, if you hold a different view on the issue.
>>
>> Best regards
>> Andreas
>> _______________________________________________
>> Development mailing list
>> Development at opentox.org
>> http://www.opentox.org/mailman/listinfo/development
>>
>>     
>
>
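The reachability check proposed in this thread, written out as an added example (this is not OpenTox project code and not the implementation Andreas announced). It applies the rule from the proposal, any status other than 404 counts as reachable, and addresses Nina's efficiency concern by sending HEAD instead of GET, so the body of a large dataset is never transferred. The allowed-host set, the local fake service, its routes and the 1 MiB dataset body are constructed for the example; `is_reachable`, `check_policy` and `demo` are names chosen here.

```python
"""Reachability test for resource URIs in an A&A policy (added example).

Rule under test: a URI is "reachable" if the service answers with any
status other than 404. HEAD is used instead of GET so that a large
/dataset/{id} is never transferred. Hosts, routes and sizes below are
constructed for the example; no real OpenTox service is contacted.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: the A&A service only vouches for URIs on known service hosts.
# This also keeps the checker from being used to probe arbitrary hosts.
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}
TIMEOUT_SECONDS = 5.0


def is_reachable(uri, allowed_hosts=ALLOWED_HOSTS, timeout=TIMEOUT_SECONDS):
    """Return True if `uri` answers HEAD with any status other than 404."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in allowed_hosts:
        return False  # refused without making a network request
    request = urllib.request.Request(uri, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status != 404
    except urllib.error.HTTPError as err:
        # 401/403 from a protected resource, or 405 from a service that
        # rejects HEAD, still prove the resource exists under the rule.
        return err.code != 404
    except (urllib.error.URLError, OSError):
        return False  # DNS failure, refused connection, timeout


def check_policy(uris):
    """Return the URIs that would cause the policy upload to be rejected."""
    return [uri for uri in uris if not is_reachable(uri)]


class _FakeService(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a dataset/model service."""
    ROUTES = {"/dataset/1": 200, "/model/7": 403}  # everything else: 404
    body_bytes_served = 0

    def _respond(self, send_body):
        status = self.ROUTES.get(self.path, 404)
        body = b"x" * (1 << 20) if status == 200 else b"no"  # 1 MiB "dataset"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)
            _FakeService.body_bytes_served += len(body)

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)

    def log_message(self, *args):
        pass


def demo():
    """Run the check against the fake service; returns what was decided."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeService)
    base = "http://127.0.0.1:%d" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        candidates = {
            "existing dataset": base + "/dataset/1",
            "protected model": base + "/model/7",
            "missing dataset": base + "/dataset/999",
            "foreign host": "http://other.example.org/dataset/1",
        }
        reachable = {label: is_reachable(uri) for label, uri in candidates.items()}
        rejected = check_policy(list(candidates.values()))
        return {
            "reachable": reachable,
            "rejected_count": len(rejected),
            "body_bytes_served": _FakeService.body_bytes_served,
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the protected model (403) passes, which matters because resources guarded by the A&A service will refuse an unauthenticated probe and must not be treated as missing; and the fake service serves zero body bytes, since only HEAD requests are made. The check only establishes that something answers at the URI, not that the uploader controls it, so it narrows pre-registration to URIs that already exist rather than proving ownership.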