[geeklog-devel] Webservices: Logins and speedlimit
tony at tonybibbs.com
Wed Jan 2 13:29:27 EST 2008
Did you already add a security group for Atompub? My assumption is that the Web Service implementation isn't meant for non-admins. If that is right the admins will need the admin privilege they need (link, story, etc) and be given explicit privilege to use the Atom client. I like this because a) nobody can really use the Atompub without explicit approval which, to me, seems acceptable and b) if you have this privilege you can have a separate speed limit.
----- Original Message ----
From: Dirk Haun <dirk at haun-online.de>
To: geeklog-devel <geeklog-devel at lists.geeklog.net>
Sent: Wednesday, January 2, 2008 11:22:27 AM
Subject: [geeklog-devel] Webservices: Logins and speedlimit
I'm struggling a bit with the logins and the speedlimit for the
webservices here. Let me explain ...
Every Atompub client that I've seen so far tries to do things first
without logging in. So even when you give them the proper login
credentials - they don't use them until the server says "Authentication
I'm not sure where this behavior is coming from (I don't see it in the
RFC), but I guess if they're all doing it, we will have to live with
So an Atompub client does a request for, say, all the stories on the
site. Let's assume I'm a (Story) Admin, using an Atompub client. I want
to be able to see stories that haven't been published yet (aka drafts)
or those that are only visible to certain users. But since the client
will do the request without logging in first, it will only get a list
the public stories.
That's not what I want and so I think we should simply require a login
for any action via the webservices / Atompub.
So far, so good. Now, of course, the client will send every request
twice: Request list of stories, "Authentication required", send request
again with login credentials. And of course those will both count
against the login speedlimit. And the next request (whatever that may
- let's say to change the story) will do the same thing and again count
A human may already run into the speedlimit easily, but automated
clients (like appfs or the APE) will certainly run into it. So it looks
like our standard approach for speedlimits doesn't work here.
I've come up with the following, somewhat inelegant (IMHO), solution:
- An Atompub request without any login credentials will count as one
failed login attempt.
- An Atompub request with the wrong login credentials will count as
two(!) failed login attempts.
- If the login succeeds and we have only one failed attempt on record,
the speedlimit is reset.
This was done because:
- Resetting the speedlimit after every successful login could be used
for dictionary attacks (try one, login to reset, try another, ...).
- Some Atompub clients (e.g. the APE), when used without any login
credentials, will try over and over and over again. So those need to
into the speedlimit eventually.
I don't like it too much, but it works. Anyone have a better idea?
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
More information about the geeklog-devel