incubator-jena-dev mailing list archives

From "Andy Seaborne (Commented) (JIRA)" <>
Subject [jira] [Commented] (JENA-218) Fuseki should allow timeouts to be specified on a per-request basis
Date Fri, 09 Mar 2012 10:52:58 GMT


Andy Seaborne commented on JENA-218:

This would be great.  

I'd like to see at least the ?timeout= form for pragmatic reasons. This makes it similar to other
systems.  It's much easier to set in the client where access to setting the HTTP headers can
be tricky (e.g. when using a library for HTTP calls, not going raw to or Apache httpClient).
When writing a call, whether scripting or Java, it's easier to do everything in the query
string but a semi-standard is also 

Having header and query parameter is possible - it's not either/or.

The DoS issue is a serious one, I think.  From just looking at usage (e.g. DBPedia), people
override the timeout as the first "solution" to a query timing out when the query is just
inherently expensive and missing the timeout by a long way.  As public-facing data
serving is one use for Fuseki, armour-plating the timeout mechanism is required.

A complicated scheme is to have a second timeout associated with the dataset that is the maximum
allowable setting.  If absent, any normal timeout set should be the maximum allowed.  Setting
the max setting very high (or, better, a special value) would be the same as letting the client
take full control.  Absence, or setting it the same as the normal timeout, is, in effect, no override,
as you can only set it shorter, but a special value for "not allowed" would make for a better
error message like "You can't do that".

> Fuseki should allow timeouts to be specified on a per-request basis
> -------------------------------------------------------------------
>                 Key: JENA-218
>                 URL:
>             Project: Apache Jena
>          Issue Type: Improvement
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Alexander Dutton
>              Labels: needsdocumentation, timeout
> A query endpoint might want to have different timeouts depending on whether queries are
> from untrusted or trusted users, or maintenance processes. The timeout could be passed with
> an X- header, a Timeout header as per,
> or a query parameter, respecting the system default if none is provided. The query parameter
> might be less favourable as it'd be harder to filter out for Fuseki instances behind Apache.
> There is a risk that changing the behaviour to allow timeouts to be overridden will lead
> to DoSs of query endpoints open to the world to some extent. This can be mitigated by defaulting
> to disallowing timeout overrides.
> I'm happy to put a patch together and document it at
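
The maximum-timeout scheme from the comment above, sketched as an added example; it is not code from this message, the issue, or Fuseki. Assumptions: values are in milliseconds, the names `effective_timeout`, `UNLIMITED` and `NOT_ALLOWED` are hypothetical, an over-limit request is clamped rather than rejected, and when both a header and a query parameter are sent the smaller value wins.

```python
# Added example: names, units (milliseconds) and sentinels are assumptions,
# not Fuseki configuration or API.
UNLIMITED = "unlimited"      # special value: client has full control
NOT_ALLOWED = "not-allowed"  # special value: overrides are refused outright


class TimeoutOverrideError(Exception):
    """Raised when a request's timeout value must be refused."""


def parse_timeout(raw):
    """Parse a client-supplied value strictly: ASCII digits only, > 0."""
    text = raw.strip()
    # Reject signs, decimals, non-ASCII digits and absurdly long numbers.
    if not (text.isascii() and text.isdigit()) or len(text) > 9:
        raise TimeoutOverrideError(f"invalid timeout value: {raw!r}")
    value = int(text)
    if value == 0:
        raise TimeoutOverrideError("timeout must be greater than zero")
    return value


def effective_timeout(default_ms, max_ms=None, query_param=None, header=None):
    """Return the timeout (ms) to enforce for one request.

    default_ms  -- the dataset's normal timeout
    max_ms      -- dataset maximum: None (absent), an int, UNLIMITED or NOT_ALLOWED
    query_param -- raw ?timeout= value, or None if not sent
    header      -- raw timeout header value, or None if not sent
    """
    supplied = [v for v in (query_param, header) if v is not None]
    if not supplied:
        return default_ms  # nothing requested: respect the system default
    if max_ms == NOT_ALLOWED:
        # Explicit refusal gives a clearer error than a silent clamp.
        raise TimeoutOverrideError("timeout override is not allowed on this dataset")
    # Assumption: when both forms are sent, the stricter (smaller) one wins.
    requested = min(parse_timeout(v) for v in supplied)
    if max_ms == UNLIMITED:
        return requested
    # Absent maximum: the normal timeout is the cap, so clients can only shorten.
    cap = default_ms if max_ms is None else max_ms
    # Assumption: an over-limit request is clamped rather than rejected.
    return min(requested, cap)
```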
