Return-Path: <oak-issues-return-53555-archive-asf-public=cust-asf.ponee.io@jackrabbit.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id AA8FF2004F5
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Fri,  1 Sep 2017 13:23:10 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id A913016B20B; Fri,  1 Sep 2017 11:23:10 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id EF44516B208
	for <archive-asf-public@cust-asf.ponee.io>; Fri,  1 Sep 2017 13:23:09 +0200 (CEST)
Received: (qmail 83364 invoked by uid 500); 1 Sep 2017 11:23:08 -0000
Mailing-List: contact oak-issues-help@jackrabbit.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:oak-issues-help@jackrabbit.apache.org>
List-Unsubscribe: <mailto:oak-issues-unsubscribe@jackrabbit.apache.org>
List-Post: <mailto:oak-issues@jackrabbit.apache.org>
List-Id: <oak-issues.jackrabbit.apache.org>
Reply-To: oak-dev@jackrabbit.apache.org
Delivered-To: mailing list oak-issues@jackrabbit.apache.org
Received: (qmail 83353 invoked by uid 99); 1 Sep 2017 11:23:08 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Sep 2017 11:23:08 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 6AD06C1F5B
	for <oak-issues@jackrabbit.apache.org>; Fri,  1 Sep 2017 11:23:08 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id SNmeDLZLy5dq for <oak-issues@jackrabbit.apache.org>;
	Fri,  1 Sep 2017 11:23:07 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id A7C6861126
	for <oak-issues@jackrabbit.apache.org>; Fri,  1 Sep 2017 11:23:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 0F559E0D57
	for <oak-issues@jackrabbit.apache.org>; Fri,  1 Sep 2017 11:23:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 5414224158
	for <oak-issues@jackrabbit.apache.org>; Fri,  1 Sep 2017 11:23:00 +0000 (UTC)
Date: Fri, 1 Sep 2017 11:23:00 +0000 (UTC)
From: "Ian Boston (JIRA)" <jira@apache.org>
To: oak-issues@jackrabbit.apache.org
Message-ID: <JIRA.13096993.1503486423000.7826.1504264980342@Atlassian.JIRA>
In-Reply-To: <JIRA.13096993.1503486423000@Atlassian.JIRA>
References: <JIRA.13096993.1503486423000@Atlassian.JIRA> <JIRA.13096993.1503486423623@jira-lw-us.apache.org>
Subject: [jira] [Commented] (OAK-6575) Provide a secure external URL to a
 DataStore binary.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Fri, 01 Sep 2017 11:23:10 -0000


    [ https://issues.apache.org/jira/browse/OAK-6575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16150373#comment-16150373 ] 

Ian Boston commented on OAK-6575:
---------------------------------

In which case, is the patch ok for inclusion ?
Should I do a pull request ?

> Provide a secure external URL to a DataStore binary.
> ----------------------------------------------------
>
>                 Key: OAK-6575
>                 URL: https://issues.apache.org/jira/browse/OAK-6575
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: blob, core, jcr
>            Reporter: Ian Boston
>             Fix For: 1.8
>
>
> Where the DataStore is a DataStore that may be accessed over an independent API it would be advantageous for Oak to provide a secure URL to allow direct, read only access to the current immutable instance of that binary.  The term "secure" needs to be defined, but typically it would a URL that is valid for a appropriately short length of time to ensure that the risk of the URL being used by a user that it was not intended for, is minimised. It should also ensure that anyone in possession of the URL could not use the information in the url to create a valid URL or a valid URL to a different binary.
> One example of such a URL might be a AWS Signed URL as used by AWS CloudFront to access private content. The signed url being signed by a private key known only to the Oak instance and the the CloudFront or S3 instance. The signed url having a significantly low ttl so that a redirect by the same client would work.  
> Oak should only emit these URLs to sessions that could otherwise read the binary directly from Oak, and Oak should be in complete control of the nature of the url and the security mechanisms applied to the URL.
> The viability of the approach has been investigated showing that given a JCR Binary it is possible to get the Oak Blob Content Identifier using ValueImpl.getBlob((Value)jcrBinary).getContentIentifier() and form there, knowing the way in which the DataStore implementation transforms that into a pointer into the datastore implementation form a URL to be made secure.
> To achieve the above, internal implementation details specific to the Oak DataStore implementation are required, hence this request to implement as a part of Oak rather than to reverse engineer in some external project.
> Since API changes are often significant using the Sling AdapaterFactory approach would allow a ServletFilter to selectively use the URL in a redirect, avoiding any new API methods to existing Oak APIs. A new interface might be required, in the example below that interface is SignedBinaryURL.
> {code}
> public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
>         if ( servletRequest instanceof SlingHttpServletRequest  && servletResponse instanceof SlingHttpServletResponse) {
>             if ("GET".equals(((SlingHttpServletRequest) servletRequest).getMethod())){
>                 Resource resource = ((SlingHttpServletRequest) servletRequest).getResource();
>                 SignedBinaryURL url = resource.adaptTo(SignedBinaryURL.class);
>                 if (url != null) {
>                     ((SlingHttpServletResponse) servletResponse).sendRedirect(url.getURL());
>                     return;
>                 }
>             }
>         }
>         filterChain.doFilter(servletRequest, servletResponse);
>     }
> {code}
> If the AdapterFactory to go from Binary to SingedBinaryURL is not present then url will always be null, and no-op. If it is present, and Oak decides no URL is appropriate, then no-op.
> Only if the Oak DS implementation being used supports the external URL and Oak decides it is appropriate, will a url be available and a redirect performed.
> I have used AWS S3 URLs as an example, however the approach should be applicable (and pluggable) to most REST based APIs to private binary content.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)