You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-dev@jackrabbit.apache.org by Matt Ryan <ma...@apache.org> on 2022/02/25 23:56:52 UTC
Allowing client-specified download URI TTLs (OAK-9710)
Hi,
I'd like to consider OAK-9710 and discuss whether this is a change we feel
we can accept. The concept is to allow a client to specify their own TTL
for a direct download URI, so long as that value is not greater than the
configured default value.
When direct download capability was originally added, I know we had this
discussion and at that time we decided not to add it. I believe at the
time we weren't sure if there was a use case, and the concern was that
allowing a client to specify the value could create a security concern.
I believe that restricting the custom value to be not greater than the
configured default is acceptable to address the security concern. I'm
still working on a use case and will add it to OAK-9710.
Let's please have discussion on the ticket to see if this is something we
feel we can accept.
-MR