Closed trurlurl closed 6 months ago
trurlurl
commented
1 year ago @sgrossberndt Could you please help with identifying what conventions the two groups violate?
Run ./docs/validate-schema-conventions.sh Validating OJP Schema conventions ... Skipping... OJP.xsd Checking... OJP_Requests.xsd [ERROR] Group could not be resolved: AlertSettingsGroup [ERROR] Group could not be resolved: TripMonitoringResponseGroup
ue71603
commented
1 year ago Cool... I will work on it on Friday...
ue71603
commented
1 year ago Malte: OK as it is done in TRIAS.
ue71603
commented
1 year ago Malte, Stefan and Norman will say how the pub/sub should work (from security).
Stefan: What does Dirk think?
Dirk: Making subscription for others (DoS attacks) might be a problem. Fixing was hard. Data broker. Discussion in SIRI necessary. Pub/Sub.
Norman: We should only do payload, if possible in OJP.
Claus: MQTT is better organised.
Dirk: Topic based architecture will be described. I tried to create rules there a based topic architecture.
Norman: How does this address the security concern? The only solution is on the transport protocol, not hear.
Claus: We stick within the SIRI with request/response. Outside pub/sub outside.
ue71603
commented
1 year ago @herlitze @skinkie @normanoffel @sgrossberndt
Possible security improvement:
The problem arises from the fact that
`
` are not controlled. So it is either a completly trusted environment between the subscriber and the server or DelegatorAddress and DelegatorRef are to compared to saved values from the authentication method (probably in an API manager or proxy). This could be done by using the id from The authentication in DelegatorRef and looking up the DelegatorAddress. Or in the API manager DelegatorAddress and DelegatorRef are supressed and replaced by the values stored there.
Also important might be RequestorRef (is mandatory). This also could be filled in by the API manager (or proxy).
Do you agree that we add something to that effect to the specification (or even the XSD).
ue71603
commented
1 year ago Malte: Werner: The TripResult only says only hey you need to send a TripInfoRequest. Matthias: We could already provide an AlternativeTrip. Malte: The intention was about triggering TripInfoRequest. TRIAS might be flawed there.
TripMonitoring: Trip is broken -> TripInformationRequests -> Think about what one gets. -> TransferLeg needs to be recalculated with TripRequest (with I am not this Vehicle and want to continue to the end)
sgrossberndt
commented
6 months ago Closing this pull request as I am going to delete the changes_for_v1.1 branch. The branch trip_monitoring should be rebased on develop and have a new pull request.
sgrossberndt
commented
6 months ago Deleted branch trip_monitoring in favor of https://github.com/VDVde/OJP/tree/feature/trip-monitoring which was rebased on develop.
PR for issue #305. First draft, to be discussed and adapted.
We need to write in the documentation, that it only works for interacting between trusting systems as denial of service attacks are possible.