[openroad-developer] New OpenROAD HTTP Gatekeeper

Durwin Wright Durwin.Wright at ingres.com
Mon May 5 09:26:20 PDT 2008


DCOM has the same problem.  If everyone feels comfortable with this fact
and considering that we have just open sourced the 4GL (so everyone will
know every possible SCP that can be called in CORE.PLB) then it is okay
with me.

 

BTW, one possible thing that could be done with a gatekeeper is to
implement the collection of performance statistics (Call4GL, Initiates,
etc) at the SCP level since the Gatekeeper has the ability to peek
inside the HTTP Serial Message.

 

Durwin Wright | Sr. Architect | Durwin.Wright at ingres.com
<mailto:Durwin.Wright at ingres.com>  | Ingres | 500 Arguello Street |
Suite 200 | Redwood City | CA | 94063 | USA
<http://maps.google.com/maps?q=500+arguello+street,+94063&ll=37.487297,-
122.233200&spn=0.004602,0.012771&t=k&hl=en>   +1 650-587-5523 | fax: +1
650-587-5550 

________________________________

From: Bodo Bergmann 
Sent: Monday, May 05, 2008 9:21 AM
To: Durwin Wright
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

 

You mean, as it is included in the permitted application, any of its 4GL
procedures can be called.

 

But don't we have the same problem when using DCOM?

Remember - most security attacks are coming from the inside anyway.

 

________________________________

From: Durwin Wright 
Sent: Monday, May 05, 2008 6:15 PM
To: Bodo Bergmann
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau; Durwin Wright
Subject: RE: New OpenROAD HTTP Gatekeeper

You can call anything in CORE.PLB.

 


________________________________

From: Bodo Bergmann 
Sent: Monday, May 05, 2008 8:54 AM
To: Durwin Wright; 'openroad-developer at lists.ingres.com'
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

 

Durwin,

 

if the access is limited to one distinct application (AkaName), i.e.
using the OpenROAD_ServerApp parameter in the web.xml,
then there shouldn't be a way to call SCPs defined in other images.

Or am I missing something here?

 

What do you mean by "Could the new Gatekeeper be written as a pure
Java Servlet with no references to any pre-compiled java classes?"

 

It has to use the "com.ca.openroad.SerialRemoteServer" class (provided
in the openroad.jar archive).

 

A servlet in Tomcat is a combination of web.xml file and one or more
class files - that's what I provided.

The goal is also to not even require a Java SDK on the machine - a JRE
should be enough to run Tomcat,
so even an "autocompile" feature for *.java sources would not help.

 

Bodo.

 

________________________________

From: Durwin Wright 
Sent: Monday, May 05, 2008 5:09 PM
To: openroad-developer at lists.ingres.com
Cc: Joseph C. Kronk; Roger L. Whitcomb; Bodo Bergmann; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

The Serial Remote Server (SRS or Gatekeeper) has several purposes:

 

* HTTP Access to the COM Remote Server class
* Authentication of requestor
* Authorization of access to SCPs

 

The latter is the main reason why this is called the Gatekeeper.  There
is nothing that will prevent an OpenROAD Client application from
invoking any SCP that is defined in CORE.PLB.  The idea of the SRS was
to only allow the screening of SCPs invoked by OpenROAD Clients.  The
reason why this was deemed important was that it was envisioned that
this would provide Internet Access to the OpenROAD Server.  If there
were not limits on which SCP could be accessed then the OpenROAD Server
could be exposed to a DNOS attack.

 

I really would like to see the SRS be replaced.  I understand that
another goal is to provide an out-of-the-box solution that does not
require any compiling of Java code.  

 

Could the new Gatekeeper be written as a pure Java Servlet with no
references to any pre-compiled java classes?

 


________________________________

 
