Hi All,

Currently we are working on writing a mobile application store for the IoT server. For that, we have decided to save the images and binary files related to applications in the file system (this decision was taken considering the file size). The file location will be derived from a configuration. While implementing this, we have come up with the following suggestions for saving files, as per the meeting we had internally.

*Option 1*

For each application we will have a folder named with the generated ID for the application from the database. Each folder will hold all the relevant artifacts such as the icon, screenshots and binary files. In this case, there were 2 suggestions:

1. For each app, the icon and screenshots will be saved with the same name. Ex - for icons the image file name will be 'icon', and likewise for the others as well. So in this case, we do not need to save image names in the database.
2. Need to dynamically generate some random names.

If we consider the first approach, if we use the same name for all the applications, there is a possible chance that an attacker may get all the image files if the name is known to them. AFAIU this can happen even if we do not use the 1st approach and use the second approach, in which we use random names, as this can happen only if the root path for saving the artifacts is compromised, and even without the name an attacker can do a "listFiles" request and get all the data.

*Option 2*

For binary files and image files we will have separate locations, and the respective files will be saved in these locations separately by generating a unique name. This may be helpful if we can cache the images and improve the performance, but this may not be possible in real production scenarios depending on the size of the images.

What would be the most preferable option? Comments and suggestions in this regard are highly appreciated.

Thanks.

Regards,
Megala

--
Megala Uthayakumar
Software Engineer
Mobile : 0779967122
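An added example, not part of the original message and not WSO2 code: a sketch of Option 1 with fixed artifact names, written in Java because the message refers to a "listFiles" request. It assumes a numeric application ID and uses hypothetical names (`AppArtifactStore`, the artifact names); read access is limited by owner-only permissions on each application folder rather than by hard-to-guess file names.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class AppArtifactStore {
    // Fixed names (assumed set): no per-file name has to be kept in the database.
    private static final Set<String> ARTIFACTS = Set.of("icon", "screenshot-1", "binary");
    private final Path root;

    public AppArtifactStore(Path configuredRoot) throws IOException {
        Files.createDirectories(configuredRoot);
        this.root = configuredRoot.toRealPath(); // canonical form of the configured location
    }

    // Maps (appId, artifact) to <root>/<appId>/<artifact>. Only a numeric ID and an
    // allow-listed name reach the file system, so a caller cannot name another path.
    public Path resolve(long appId, String artifact) {
        if (appId <= 0 || !ARTIFACTS.contains(artifact)) {
            throw new IllegalArgumentException("unknown application id or artifact name");
        }
        return root.resolve(Long.toString(appId)).resolve(artifact);
    }

    public Path save(long appId, String artifact, byte[] content) throws IOException {
        Path target = resolve(appId, artifact);
        Files.createDirectories(target.getParent());
        restrict(target.getParent(), "rwx------"); // only the server account can list the folder
        Files.write(target, content);
        restrict(target, "rw-------");
        return target;
    }

    // Applies owner-only permissions where the file system supports POSIX attributes.
    private static void restrict(Path p, String perms) throws IOException {
        if (Files.getFileStore(p).supportsFileAttributeView("posix")) {
            Files.setPosixFilePermissions(p, PosixFilePermissions.fromString(perms));
        }
    }

    public static void main(String[] args) throws IOException {
        Path sampleRoot = Files.createTempDirectory("appstore-artifacts"); // constructed sample root
        AppArtifactStore store = new AppArtifactStore(sampleRoot);
        System.out.println("saved: " + store.save(42L, "icon", new byte[] {1, 2, 3}));
        try {
            store.resolve(42L, "../43/icon"); // not an allow-listed name
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```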
