[Building Sakai] Entitybroker batch servlet disabled by default

Matthew Jones matthew at longsight.com
Tue Mar 19 06:15:11 PDT 2013


Even though /batch was useful, we didn't see anyone fixing it, so the quick
fix was to disable it. These tools should probably take care of their own
batch processing. (Having a special method to accept an XML POST or
something of all the items you want to restore/delete)

Doing batch on a POST/PUT/DELETE is easy like this. [1] Doing it on a GET
is a little harder because of the URL limit. Most discussions about this
(on the linked URL) suggest that you have your REST implemented to accept
a special action as a POST then poll the endpoint and wait for the results
as a GET if you're going to get a lot of results or it will take a while.

PUT /api/flies {id_0, name_0, genome_0}, {id_1, name_1, genome_1}, …}
RESPONSE {requestId}

GET /api/batchRequest/requestId
RESPONSE {status}, i.e. IN_PROGRESS, COMPLETE, FAILED, etc.

GET /api/batchReport/requestId
RESPONSE {report}

In either case, we don't have a central batch or background processing
service set up like this either, so currently this would need to be
implemented on a tool-by-tool basis.

[1] http://third-bit.com/blog/archives/1746.html



On Tue, Mar 19, 2013 at 4:13 AM, Daniel Merino <daniel.merino at unavarra.es> wrote:

> Hi everybody.
>
> We have noticed that Clog tool makes use of batch direct servlet to
> restore deleted posts in recycle bin, so having
> entitybroker.batch.enable=false by default in sakai.properties gives an
> error when restoring.
>
> This property was set to false by default in 2.9 (
> https://jira.sakaiproject.org/browse/SAK-22619 ), where a potential
> security hole is mentioned as reason to disable it, but no more info is
> given.
>
> Turning this property true in sakai.properties solves the issue, but I'm
> worried by this security hole.
>
> Should we disable this property and request Clog to work around it? Or
> should we do something else to make it secure?
>
> Thanks in advance.
> Best regards.
> --
> Daniel Merino Echeverría
> daniel.merino at unavarra.es
> Gestor de teleformación - Centro Superior de Innovación Educativa.
> Tfno: 948-168489 - Universidad Pública de Navarra.
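
The submit / poll / report exchange sketched in the message above, as an added example that is not code from the thread or from Sakai: a framework-neutral, in-memory model of a tool-owned batch endpoint. The class name, the can_modify and action callbacks, the MAX_ITEMS cap, and marking a batch FAILED when any item is denied are all assumptions made for illustration.

```python
import secrets

MAX_ITEMS = 100  # assumed cap: bounds the work a single request can trigger

class BatchService:
    def __init__(self, can_modify, action):
        self.can_modify = can_modify  # hypothetical per-item permission check
        self.action = action          # hypothetical per-item operation (e.g. restore)
        self.jobs = {}

    def submit(self, user, item_ids):
        """PUT with the item list -> {requestId}"""
        if not item_ids or len(item_ids) > MAX_ITEMS:
            raise ValueError("batch must contain 1..%d items" % MAX_ITEMS)
        request_id = secrets.token_urlsafe(16)  # random, not a guessable counter
        self.jobs[request_id] = {"owner": user, "items": list(item_ids),
                                 "status": "IN_PROGRESS", "report": None}
        return request_id

    def run_pending(self):
        """Stand-in for the background worker that drains queued batches."""
        for job in self.jobs.values():
            if job["status"] != "IN_PROGRESS":
                continue
            report = {}
            for item in job["items"]:
                # Authorize each item as the submitting user, not as the service.
                if self.can_modify(job["owner"], item):
                    self.action(item)
                    report[item] = "OK"
                else:
                    report[item] = "DENIED"
            job["report"] = report
            job["status"] = "COMPLETE" if all(r == "OK" for r in report.values()) else "FAILED"

    def _job_for(self, user, request_id):
        job = self.jobs.get(request_id)
        # Same error for unknown ids and other users' ids.
        if job is None or job["owner"] != user:
            raise KeyError("no such batch request")
        return job

    def status(self, user, request_id):
        """GET /api/batchRequest/requestId -> {status}"""
        return self._job_for(user, request_id)["status"]

    def report(self, user, request_id):
        """GET /api/batchReport/requestId -> {report}"""
        return self._job_for(user, request_id)["report"]
```

Each item is checked against the submitting user's permissions, and status and report lookups are bound to the user who submitted the batch.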