- Issue created by @fishfree
- Status changed to Postponed: needs info
2 months ago 6:52am 10 September 2024 - 🇷🇴Romania claudiu.cristea Arad 🇷🇴
I don't think I get your concern. Could you please add more context and describe a scenario in which the insecurity might be revealed?
- 🇨🇳China fishfree
@claudiu Thank you! Because there is no authentication mechanism in the rdf_sync configuration form. rdf_sync needs to write to Virtuoso, so if I run Virtuoso on 0.0.0.0, then other users can also write to Virtuoso without additional protection.
- Status changed to Active
2 months ago 7:05am 12 September 2024 - 🇷🇴Romania claudiu.cristea Arad 🇷🇴
The configuration defaults to the /sparql endpoint, which normally is only protected by the network (e.g., allows access only from the webserver). Some servers also allow exposing this publicly in read-only mode.
Indeed, we should implement authentication for endpoints such as /sparql-auth or others. But I have no idea how generic this is to backends other than Virtuoso.
For now it's an open discussion.
-
claudiu.cristea →
committed 68db65f0 on 1.x
Issue #3472936: Implement endpoint authentication
- 🇷🇴Romania claudiu.cristea Arad 🇷🇴
This change only opens the door to implementing Virtuoso authentication (Digest, OAuth, etc.). It also introduces the concept of connectors as plugins. That means we can add more connectors (as new plugins) in the future (Fuseki, etc.). Or any 3rd-party Drupal module can add its own connector plugins.
For authentication on Virtuoso there should be a new ticket, but I don't see when I'll have time to work on that. Having this MR merged opens the door for the community to implement it.
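The exposure discussed in this thread (Virtuoso listening on 0.0.0.0 while /sparql relies on the network alone for protection) can be checked from the server's own configuration. The following is an added example, not code from the issue or from the rdf_sync module; it assumes the `ServerPort` key in the `[HTTPServer]` and `[Parameters]` sections of `virtuoso.ini` takes either a bare port (all interfaces) or `address:port`, and the sample files are constructed.

```python
import configparser

# Constructed virtuoso.ini fragments for illustration (not from the issue).
SAMPLE_EXPOSED = """
[Parameters]
ServerPort = 1111
[HTTPServer]
ServerPort = 8890
"""
SAMPLE_LOCAL = """
[Parameters]
ServerPort = 127.0.0.1:1111
[HTTPServer]
ServerPort = 127.0.0.1:8890
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"", "0.0.0.0", "::"}  # assumption: a bare port binds every interface


def classify_bind(value):
    """Split a ServerPort value into (scope, host, port)."""
    host, _, port = value.strip().rpartition(":")
    host = host.strip("[]")  # tolerate a bracketed IPv6 literal
    if host in WILDCARD:
        scope = "all-interfaces"
    elif host in LOOPBACK:
        scope = "loopback"
    else:
        scope = "specific-address"
    return scope, host, port


def audit(ini_text):
    """Return (section, scope, port) for each listener found in the ini text."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep the key casing used in virtuoso.ini
    parser.read_string(ini_text)
    findings = []
    # HTTPServer serves /sparql; Parameters is the SQL listener.
    for section in ("HTTPServer", "Parameters"):
        if parser.has_option(section, "ServerPort"):
            scope, _, port = classify_bind(parser.get(section, "ServerPort"))
            findings.append((section, scope, port))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL)):
        for section, scope, port in audit(text):
            print(f"{name}: [{section}] port {port} -> {scope}")
```

A listener reported as `all-interfaces` needs a firewall rule or reverse proxy restricting it to the webserver until endpoint authentication is available.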