Protostub Loader - Githubissues

reTHINK-project / specs

You'll find here the full detailed specification of reTHINK Framework

Apache License 2.0

3 stars 3 forks source link

Protostub Loader #20

Open pchainho opened 7 years ago

pchainho commented 7 years ago

As discussed last week in Lisbon, there is the need to develop a component to support the usage of protofly mechanisms outside the Hyperty Runtime, for example:

at Message Node, to support dynamic selection and instantiation of protostubs between different MNs. enabling NNI but still without having to standardise NNI protocols
at Global Discovery, to interact with Domain Registry without having to standardise the Domain Registry interface
in general it enables any system that is not an Hyperty Runtime ( including non-Javascript components eg Java services) to interact with reTHINK framework.

sdruesedow commented 7 years ago

As also mentioned in this issue I got doubts about this component. It allows anybody to load stubs from any domain and to send any kind of message to the MN without any authorization. I'm not a security expert, but this sounds "risky" to me.

pchainho commented 7 years ago

As commented on Slack, any App using the protostub loader, including the discovery service, should be able to add the required tokens to a message body and the MN Policy Engine should be able to block messages without valid token.

I would propose that the MN + Policy Engine uses the same Access Control solution as the one discussed here. The main difference is that the token being used would be associated to the discovery service and not to the hyperty runtime.

sdruesedow commented 7 years ago

Could someone provide an example of a token (or for the process to obtain such a token) as well as a corresponding policy for the MN?