[Building Sakai] EntityBroker IP Filtering
Noah Botimer
botimer at umich.edu
Tue Aug 4 12:54:19 PDT 2009
I have to say that I would pursue a key/shared secret model and some
config/persistence other than a property. This is the kind of thing
that is nice to be able to change without redeployment or restarts.
You might still use IP filtering if your admins are worried about
network layer stuff but I personally like cryptographic models. OAuth
has emerged as a pretty elegant, understood approach, and the two-legged
model deals with administrative approval between services
(rather than the three-legged variety that prompts users).
It probably doesn't fit your timeline, but I would be interested in
thinking about a bit of infrastructure at the EB level for OAuth
support. There are places where more granular options would be really
helpful.
Thanks,
-Noah
On Aug 4, 2009, at 2:24 PM, Holladay, Bryan Andrew wrote:
> Ok... Thanks a lot Aaron!
>
>
> On 8/4/09 2:19 PM, "Aaron Zeckoski" <aaronz at vt.edu> wrote:
>
> Seems reasonable enough to me though I am not really sure how
> trustworthy that information is (I assume it is safe but I am not
> sure). I guess if you assume you can trust the incoming data then it
> should be ok.
>
> Some of the more security minded admin folks might have suggestions
> re: securing server to server communications. You could always lock
> down a chunk of the URL space if you have apache or a load balancer in
> front of the system. You can be sure that every URL coming in will be
> something with a prefix like /direct/yourthing...... so you could set
> up a rule maybe.
>
> -AZ
>
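As an added illustration of the two-legged OAuth model Noah proposes (this is example code written for this page, not code from the thread, from Sakai or from EntityBroker), the following Python shows both sides of the exchange: the calling service signs a request to a hypothetical `/direct/...` URL with its consumer key and secret using HMAC-SHA1 as laid out in RFC 5849 (signature base string, percent-encoding, parameter normalization), and the receiving side verifies the signature with a constant-time comparison, rejects stale timestamps and replayed nonces, and looks consumer secrets up in a plain dict that can be edited at runtime, which is the "change without redeployment or restarts" property Noah asks for. The host `sakai.example.edu`, the consumer key `svc` and the secret are made up for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _pct(s: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything except A-Z a-z 0-9 - . _ ~
    return quote(s, safe="-._~")


def _base_string_uri(url: str) -> str:
    # Section 3.4.1.2: lowercase scheme/host, drop default port, query and fragment.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def _normalized_params(url: str, oauth_params: dict, body_params: dict) -> str:
    # Section 3.4.1.3: query + form body + oauth_* params (minus oauth_signature),
    # each name/value percent-encoded, sorted by name then value, joined with & and =.
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_params.items())
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict, body_params: dict) -> str:
    # Section 3.4.1.1: METHOD & pct(base URI) & pct(normalized params)
    return "&".join([method.upper(), _pct(_base_string_uri(url)),
                     _pct(_normalized_params(url, oauth_params, body_params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: key is pct(consumer secret) & pct(token secret); two-legged has no token.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, body_params=None, timestamp=None, nonce=None):
    """Client side: build the oauth_* parameters (sent in the Authorization header) for one request."""
    body_params = body_params or {}
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params, body_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    return oauth_params


class TwoLeggedVerifier:
    """Server side. consumer_secrets is a live dict: add, rotate or revoke keys without a restart."""

    def __init__(self, consumer_secrets: dict, clock_skew: int = 300):
        self.consumer_secrets = consumer_secrets
        self.clock_skew = clock_skew
        self.seen_nonces = set()  # (consumer_key, timestamp, nonce) tuples inside the skew window

    def verify(self, method, url, oauth_params, body_params=None, now=None):
        body_params = body_params or {}
        now = now if now is not None else int(time.time())
        secret = self.consumer_secrets.get(oauth_params.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer key"
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(oauth_params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.clock_skew:
            return False, "timestamp outside window"
        # Forget nonces that can no longer pass the timestamp check, then reject replays.
        self.seen_nonces = {n for n in self.seen_nonces if n[1] >= now - self.clock_skew}
        nonce_key = (oauth_params["oauth_consumer_key"], ts, oauth_params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body_params), secret)
        presented = oauth_params.get("oauth_signature", "")
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad signature"
        self.seen_nonces.add(nonce_key)
        return True, "ok"


if __name__ == "__main__":
    url = "https://sakai.example.edu/direct/myentity/1.json?b=2&a=1"
    verifier = TwoLeggedVerifier({"svc": "s3cret"})
    params = sign_request("POST", url, "svc", "s3cret", {"c": "x y"})
    print(verifier.verify("POST", url, params, {"c": "x y"}))
    print(verifier.verify("POST", url, params, {"c": "x y"}))  # same nonce again: replay
```

The secret lookup is the only place this touches storage, so swapping the dict for a table or a Sakai property read through a cache is a local change; the nonce set is per process, so behind a load balancer the replay check would need shared storage to be meaningful across nodes. IP filtering at the Apache or load-balancer layer, as Aaron suggests, composes with this rather than replacing it: the network rule limits who can reach `/direct/`, the signature says which service actually sent the request and that the parameters were not altered in transit.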