Posted to oak-dev@jackrabbit.apache.org by Matt Ryan <ma...@apache.org> on 2022/02/25 23:56:52 UTC

Allowing client-specified download URI TTLs (OAK-9710)

Hi,

I'd like to consider OAK-9710 and discuss whether this is a change we feel
we can accept.  The concept is to allow a client to specify their own TTL
for a direct download URI, so long as that value is not greater than the
configured default value.

When direct download capability was originally added, I know we had this
discussion and at that time we decided not to add it.  I believe at the
time we weren't sure if there was a use case, and the concern was that
allowing a client to specify the value could create a security concern.

I believe that restricting the custom value to be not greater than the
configured default is acceptable to address the security concern.  I'm
still working on a use case and will add it to OAK-9710.

Let's please have discussion on the ticket to see if this is something we
feel we can accept.


-MR