kmohr-soprasteria
commented
5 months ago Please refer to https://github.com/openBackhaul/ApplicationPattern/issues/941:
- ResponseReceiverPaths must not be protected by an OperationKey, they shall not contain any security statement.
- Existing specifications that have not yet been fully implemented must be corrected accordingly as part of a BugFix release.
For services like /v1/switch-redundant-transmitter-pair-off, /v1/reactivate-transmitters-of-link, /v1/provide-transmitter-status-of-parallel-links we have a callback "Response". In this callback, we send respective response to the "requestor-receive-operation" mentioned in request-body.
As per understanding, the requesting application (data of which is given in request body of the service) may be any application ( same AIPS or any external application). And we need not create any entry in load-file like http-client or operation-client for the request and we will store them in temporary RAM ((Kindly let me know if my understanding is not correct at this point)).
As per above understanding, if the request received is from a different application, we would not know the security key of the requestor-receive-operation and this might lead to unauthorized error response.
Proposal: Security could be removed for the receiving operations. For example: in AIPS :: /v1/receive-power-saving-activation-status, /v1/receive-power-saving-deactivation-status and /v1/receive-transmitter-status-of-parallel-links. Also corresponding receiving services in external applications could be avoided with security key.
Proposal because of the following constraint:
Kindly let me know your views and correct me if I am wrong.