[openroad-developer] New OpenROAD HTTP Gatekeeper

Durwin Wright Durwin.Wright at ingres.com
Tue May 6 07:20:31 PDT 2008 

Great Bodo,

 

The possibility of collecting statistics by SCP is an idea that I
mentioned to Kim last year.  Sandy has been experimenting with
generating these statistics using a WebSPO prototype.  The idea is that
it is very cheap to collect these stats since the Gatekeeper has to peek
inside the message anyway.

 

I did not expect that you would implement this in your gatekeeper.  I
will take a look in detail at you changes.  I would proceed with an
integration plan.  I will need to make the changes to incorporate this
into the build process.  This can be done after you have gotten approval
and submitted your changes.  

 

I will need to make similar types of changes to the .NET Gatekeeper.  My
hope is to implement Basic Authentication and Windows Integrated
Authentication in the ASP.NET version.  Does Tomcat support Windows
Integrated Authentication?

 

Durwin Wright | Sr. Architect | Durwin.Wright at ingres.com
<mailto:Durwin.Wright at ingres.com>  | Ingres | 500 Arguello Street |
Suite 200 | Redwood City | CA | 94063 | USA
<http://maps.google.com/maps?q=500+arguello+street,+94063&ll=37.487297,-
122.233200&spn=0.004602,0.012771&t=k&hl=en>   +1 650-587-5523 | fax: +1
650-587-5550 

________________________________

From: Bodo Bergmann 
Sent: Tuesday, May 06, 2008 6:18 AM
To: Durwin Wright
Cc: 'openroad-developer at lists.ingres.com'
Subject: RE: New OpenROAD HTTP Gatekeeper

 

With respect to the security concerns you mentioned I extended the
source (attached)

by re-introducing the "permittedSCPs" parameter (init-param) in web.xml
(as in SRS.java), which is now optional.

If not set or if it has the value * , then calls to all SCPs are
permitted,

otherwise only calls to the SCPs listed in its param-value.

 

For performance statistics: Yes, you could do this in the Gatekeeper -
absolutely right.

I just didn't implement them, as they would only be collected for HTTP
access, not for DCOM access

and the Tomcat admin interface already gives some statistics on the
calls to the servlet (though they are not broken down on individual
calls).

There is definitly much more possible, but I just wanted to keep it
simple and didn't want to create a feature-bloated monster :)

 

Bodo.

 

________________________________

From: Durwin Wright 
Sent: Monday, May 05, 2008 6:26 PM
To: openroad-developer at lists.ingres.com
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau; Durwin Wright;
Bodo Bergmann
Subject: New OpenROAD HTTP Gatekeeper

DCOM has the same problem.  If everyone feels comfortable with this fact
and considering that we have just open source the 4GL (so everyone will
know every possible SCP that can be called in CORE.PLB) then it is okay
with me.

 

BTW, one possible thing that could be done with a gatekeeper is to
implement the collection of performance statistics (Call4GL, Initiates,
etc) at the SCP level since the Gatekeeper has the ability to peek
inside the HTTP Serial Message.

 

Durwin Wright | Sr. Architect | Durwin.Wright at ingres.com
<mailto:Durwin.Wright at ingres.com>  | Ingres | 500 Arguello Street |
Suite 200 | Redwood City | CA | 94063 | USA
<http://maps.google.com/maps?q=500+arguello+street,+94063&ll=37.487297,-
122.233200&spn=0.004602,0.012771&t=k&hl=en>   +1 650-587-5523 | fax: +1
650-587-5550 

________________________________

From: Bodo Bergmann 
Sent: Monday, May 05, 2008 9:21 AM
To: Durwin Wright
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

 

You mean, as it is included in the permitted application, any of its 4GL
procedures can be called.

 

But don't we have the same problem when using DCOM?

Remember - most security attacks are coming from the inside anyway.

 

________________________________

From: Durwin Wright 
Sent: Monday, May 05, 2008 6:15 PM
To: Bodo Bergmann
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau; Durwin Wright
Subject: RE: New OpenROAD HTTP Gatekeeper

You can call anything in CORE.PLB.

 

Durwin Wright | Sr. Architect | Durwin.Wright at ingres.com
<mailto:Durwin.Wright at ingres.com>  | Ingres | 500 Arguello Street |
Suite 200 | Redwood City | CA | 94063 | USA
<http://maps.google.com/maps?q=500+arguello+street,+94063&ll=37.487297,-
122.233200&spn=0.004602,0.012771&t=k&hl=en>   +1 650-587-5523 | fax: +1
650-587-5550 

________________________________

From: Bodo Bergmann 
Sent: Monday, May 05, 2008 8:54 AM
To: Durwin Wright; 'openroad-developer at lists.ingres.com'
Cc: Joseph C. Kronk; Roger L. Whitcomb; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

 

Durwin,

 

if the access is limited to one distinct appllication (AkaName), i.e.
using the OpenROAD_ServerApp parameter in the web.xml,

then there shouldn't be a way to call SCPs defined in other images.

Or do I miss something here ?

 

What do you mean with "Could the new Gatekeeper be written as a pure
Java Servlet with no references to any pre-compiled java classes?"

 

It has to use the "com.ca.openroad.SerialRemoteServer" class (provided
in the openroad.jar archive).

 

A servlet in Tomcat is a combination of web.xml file and one or more
class files - that's what I provided.

The goal is also to not even require a Java SDK on the machine - a JRE
should be enough to run Tomcat,

so even an "autocompile" feature for *.java sources would not help.

 

Bodo.

 

________________________________

From: Durwin Wright 
Sent: Monday, May 05, 2008 5:09 PM
To: openroad-developer at lists.ingres.com
Cc: Joseph C. Kronk; Roger L. Whitcomb; Bodo Bergmann; David Tondreau
Subject: RE: New OpenROAD HTTP Gatekeeper

The Serial Remote Server (SRS or Gatekeeper) has several purposes:

 

*         HTTP Access to the COM Remote Server class

*         Authentication of requestor 

*         Authorization of access to SCPs

 

The latter is the main reason why this is called the Gatekeeper.  There
is nothing that will prevent an OpenROAD Client application from
invoking any SCP that is defined in CORE.PLB.  The idea of the SRS was
to only allow the screening of SCPs invoked by OpenROAD Clients.  The
reason why this was deemed important was that it was envisioned that
this would provide Internet Access to the OpenROAD Server.  If there
were not limits on which SCP could be access then the OpenROAD Server
could be exposed to a DNOS attack.

 

I really would like to see the SRS be replaced.  I understand that
another goal is to provide an out-of-the-box solution that does not
require any compiling of Java code.  

 

Could the new Gatekeeper be written as a pure Java Servlet with no
references to any pre-compiled java classes?

 

Durwin Wright | Sr. Architect | Durwin.Wright at ingres.com
<mailto:Durwin.Wright at ingres.com>  | Ingres | 500 Arguello Street |
Suite 200 | Redwood City | CA | 94063 | USA
<http://maps.google.com/maps?q=500+arguello+street,+94063&ll=37.487297,-
122.233200&spn=0.004602,0.012771&t=k&hl=en>   +1 650-587-5523 | fax: +1
650-587-5550 

________________________________

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ingres.com/pipermail/openroad-developer/attachments/20080506/22bb2128/attachment-0001.html

More information about the openroad-developer mailing list