Access4Learning / sif3-framework-dotnet

SIF 3.0 Developer Framework for .NET
Apache License 2.0

SIF Functional Services Security - if one consumer gets hold of the job ID of another it can use that without any issues #24

Open kunalyadavdfe opened 7 years ago

kunalyadavdfe commented 7 years ago

"Security": SIF Functional Services Security - if one consumer gets hold of the job ID of another it can use that without any issues. Currently there is no link between the Environment registered to a consumer and the jobs created by a consumer. Potentially, if the job ID is known, then any consumer can use that job ID irrespective of whether they created the job in the first place or not.

iantasker commented 7 years ago

@kunalyadavdfe Currently Job ID is locked to an Application Key. Another consumer would need to know both the Job ID and the associated Application Key.

If you want to increase the lock between Consumer and a Job, the Job Provider can be extended to use a concatenation of SolutionId, ApplicationKey, Instance and UserId (if present) and the reference key.

This concatenation has been addressed in SIF Infrastructure Specification 3.2.1 with the inclusion of fingerprint.
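A sketch of the job-to-consumer binding discussed in this thread, added here as an illustration and not code from the sif3-framework-dotnet project. `JobOwnerRegistry`, `OwnerKey`, `Register` and `IsOwner` are hypothetical names, and the identity fields are assumed to come from the caller's authenticated environment on the provider side, never from values the caller supplies with the job request.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not a framework class): records who created each job.
public sealed class JobOwnerRegistry
{
    private readonly ConcurrentDictionary<Guid, string> owners =
        new ConcurrentDictionary<Guid, string>();

    // Hash of the length-prefixed identity fields. The length prefixes stop
    // ("ab", "c") and ("a", "bc") from concatenating to the same owner key.
    public static string OwnerKey(string solutionId, string applicationKey,
                                  string instance, string userId)
    {
        var sb = new StringBuilder();
        foreach (var part in new[] { solutionId, applicationKey, instance, userId })
        {
            var value = part ?? string.Empty;   // UserId may be absent
            sb.Append(value.Length).Append(':').Append(value).Append('|');
        }
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())));
    }

    // Called once when the provider creates a job. TryAdd refuses to
    // overwrite, so a later caller cannot re-register an existing job ID.
    public bool Register(Guid jobId, string ownerKey) => owners.TryAdd(jobId, ownerKey);

    // Called before every read, update or delete of a job.
    public bool IsOwner(Guid jobId, string callerKey) =>
        owners.TryGetValue(jobId, out var stored) &&
        string.Equals(stored, callerKey, StringComparison.Ordinal);
}

public static class Demo
{
    public static void Main()
    {
        var registry = new JobOwnerRegistry();
        var jobId = Guid.NewGuid();
        // Constructed sample identities for two different consumers.
        var creator = JobOwnerRegistry.OwnerKey("test", "AppKeyA", "1", "alice");
        var other = JobOwnerRegistry.OwnerKey("test", "AppKeyB", "1", null);

        registry.Register(jobId, creator);
        Console.WriteLine(registry.IsOwner(jobId, creator)); // the job's creator
        Console.WriteLine(registry.IsOwner(jobId, other));   // a consumer that only knows the job ID
    }
}
```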