Posted to dev@jena.apache.org by "Andy Seaborne (Commented) (JIRA)" <ji...@apache.org> on 2012/03/09 11:52:58 UTC

[jira] [Commented] (JENA-218) Fuseki should allow timeouts to be specified on a per-request basis

    [ https://issues.apache.org/jira/browse/JENA-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13226000#comment-13226000 ] 

Andy Seaborne commented on JENA-218:
------------------------------------

This would be great.  

I'd like to see at least the ?timeout= form for pragmatic reasons. This makes it similar to other systems.  It's much easier to set in the client where access to setting the HTTP headers can be tricky (e.g. when using a library for HTTP calls, not going raw to java.net or Apache HttpClient).  When writing a call, whether scripting or Java, it's easier to do everything in the query string but a semi-standard is also 

Having header and query parameter is possible - it's not either/or.

The DoS issue is a serious one, I think.  From just looking at usage (e.g. DBPedia), people override the timeout as the first "solution" to a query timing out when the query is just inherently expensive and missing the timeout by a long way.  As public-facing data serving is one use for Fuseki, armour-plating the timeout mechanism is required.

A complicated scheme is to have a second timeout associated with the dataset that is the maximum allowable setting.  If absent, any normal timeout set should be the maximum allowed.  Setting the max setting very high (or, better, a special value) would be the same as letting the client take full control.  Absence, or setting it the same as the normal timeout, is, in effect, no override as you can only set it shorter, but a special value for "not allowed" would make for a better error message like "You can't do that".
                
> Fuseki should allow timeouts to be specified on a per-request basis
> -------------------------------------------------------------------
>
>                 Key: JENA-218
>                 URL: https://issues.apache.org/jira/browse/JENA-218
>             Project: Apache Jena
>          Issue Type: Improvement
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Alexander Dutton
>              Labels: needsdocumentation, timeout
>
> A query endpoint might want to have different timeouts depending on whether queries are from untrusted or trusted users, or maintenance processes. The timeout could be passed with an X- header, a Timeout header as per http://tools.ietf.org/html/draft-loreto-http-timeout-00, or a query parameter, respecting the system default if none is provided. The query parameter might be less favourable as it'd be harder to filter out for Fuseki instances behind Apache.
> There is a risk that changing the behaviour to allow timeouts to be overridden will lead to DoSs of query endpoints open to the world to some extent. This can be mitigated by defaulting to disallowing timeout overrides.
> I'm happy to put a patch together and document it at http://incubator.apache.org/jena/documentation/serving_data/.

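The maximum-timeout scheme from the comment above, sketched in Java as an added example; it is not code from the thread or from Fuseki. The class and method names, the millisecond unit, the two special values and the choice to clamp an over-long request rather than reject it are all assumptions.

```java
import java.util.OptionalLong;

// Added illustration: all names are hypothetical, not Fuseki's API.
public class TimeoutPolicy {
    // Special ceiling: client overrides are refused with a clear error.
    public static final long NOT_ALLOWED = -1;
    // Special ceiling: the client has full control.
    public static final long UNLIMITED = Long.MAX_VALUE;

    private final long normalMs; // the dataset's normal timeout
    private final long maxMs;    // the dataset's ceiling for overrides

    public TimeoutPolicy(long normalMs, OptionalLong maxMs) {
        this.normalMs = normalMs;
        // No ceiling configured: the normal timeout is the ceiling,
        // so a client can only ask for something shorter.
        this.maxMs = maxMs.orElse(normalMs);
    }

    // requested: raw ?timeout= or header value, null if none was sent.
    public long effectiveMs(String requested) {
        if (requested == null || requested.isEmpty())
            return normalMs;
        if (maxMs == NOT_ALLOWED)
            throw new IllegalArgumentException(
                "Timeout override is not allowed on this dataset");
        long ms;
        try {
            ms = Long.parseLong(requested.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Bad timeout: " + requested);
        }
        if (ms <= 0)
            throw new IllegalArgumentException("Bad timeout: " + requested);
        // Assumption: an over-long request is clamped, not rejected.
        return Math.min(ms, maxMs);
    }

    public static void main(String[] args) {
        // Constructed sample settings and requests.
        TimeoutPolicy open = new TimeoutPolicy(10_000, OptionalLong.empty());
        TimeoutPolicy trusted = new TimeoutPolicy(10_000, OptionalLong.of(60_000));
        TimeoutPolicy full = new TimeoutPolicy(10_000, OptionalLong.of(UNLIMITED));
        for (String req : new String[] { null, "2000", "600000" })
            System.out.println(req + " -> " + open.effectiveMs(req) + " / "
                + trusted.effectiveMs(req) + " / " + full.effectiveMs(req));
    }
}
```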