[ 
https://issues.apache.org/jira/browse/JENA-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13226000#comment-13226000
 ] 

Andy Seaborne commented on JENA-218:
------------------------------------

This would be great.  

I'd like to see at least ?timeout= form for pragmatic reasons. This makes it 
similar to other systems.  It's much easier to set in the client where access 
to setting the HTTP headers can be tricky (e.g. when using a library for HTTP 
calls, not going raw to java.net or Apache HttpClient).  When writing a call, 
whether scripting or Java, it's easier to do everything in the query string but 
a semi-standard is also 

Having header and query parameter is possible - it's not either/or.

The DoS issue is a serious one, I think.  From just looking at usage (e.g. 
DBpedia), people override the timeout as the first "solution" to a query timing 
out when the query is just inherently expensive and missing the timeout by a 
long way.  As public-facing data serving is one use for Fuseki, 
armour-plating the timeout mechanism is required.

A complicated scheme is to have a second timeout associated with the dataset 
that is the maximum allowable setting.  If absent, any normal timeout set 
should be the maximum allowed.  Setting the max setting very high (or, better, 
a special value) would be the same as letting the client take full control.  
Absence, or setting the same as the normal timeout, is, in effect, no override 
as you can only set it shorter, but a special value for "not allowed" would make 
for a better error message like "You can't do that".
                
> Fuseki should allow timeouts to be specified on a per-request basis
> -------------------------------------------------------------------
>
>                 Key: JENA-218
>                 URL: https://issues.apache.org/jira/browse/JENA-218
>             Project: Apache Jena
>          Issue Type: Improvement
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Alexander Dutton
>              Labels: needsdocumentation, timeout
>
> A query endpoint might want to have different timeouts depending on whether 
> queries are from untrusted or trusted users, or maintenance processes. The 
> timeout could be passed with an X- header, a Timeout header as per 
> http://tools.ietf.org/html/draft-loreto-http-timeout-00, or a query 
> parameter, respecting the system default if none is provided. The query 
> parameter might be less favourable as it'd be harder to filter out for Fuseki 
> instances behind Apache.
> There is a risk that changing the behaviour to allow timeouts to be 
> overridden will lead to DoSs of query endpoints open to the world to some 
> extent. This can be mitigated by defaulting to disallowing timeout overrides.
> I'm happy to put a patch together and document it at 
> http://incubator.apache.org/jena/documentation/serving_data/.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
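
The two-limit scheme from the comment above, as an added sketch that is not part of the original message and not Fuseki code. The class name, the two special values, the millisecond unit and the choice to clamp silently rather than reject are all assumptions made for illustration.

```java
import java.util.OptionalLong;

/** Hypothetical sketch: resolve a client-requested timeout against a dataset's limits. */
public final class TimeoutPolicy {
    // Assumed special values for the dataset's maximum-timeout setting.
    public static final long CLIENT_CONTROLS = -1; // client may ask for any timeout
    public static final long OVERRIDE_DENIED = 0;  // every override attempt is refused

    private final long normalMs;      // the dataset's normal timeout
    private final OptionalLong maxMs; // the dataset's maximum; empty means not configured

    public TimeoutPolicy(long normalMs, OptionalLong maxMs) {
        if (normalMs <= 0) throw new IllegalArgumentException("normal timeout must be positive");
        this.normalMs = normalMs;
        this.maxMs = maxMs;
    }

    /** @param requested raw ?timeout= value (milliseconds assumed), or null if not sent */
    public long effectiveTimeoutMs(String requested) {
        if (requested == null || requested.isBlank()) return normalMs; // no override asked for
        long ceiling = maxMs.orElse(normalMs); // absent maximum: the normal timeout is the cap
        if (ceiling == OVERRIDE_DENIED)        // distinct case so the client gets a clear error
            throw new IllegalArgumentException("Timeout override is not allowed on this dataset");
        long asked;
        try {
            asked = Long.parseLong(requested.trim());
        } catch (NumberFormatException e) {    // also covers digits that overflow a long
            throw new IllegalArgumentException("Timeout must be a whole number of milliseconds");
        }
        if (asked <= 0) throw new IllegalArgumentException("Timeout must be positive");
        if (ceiling == CLIENT_CONTROLS) return asked; // operator has opted in to full control
        return Math.min(asked, ceiling);       // a client can shorten but never exceed the cap
    }

    public static void main(String[] args) {
        TimeoutPolicy noMax = new TimeoutPolicy(30_000, OptionalLong.empty());
        TimeoutPolicy capped = new TimeoutPolicy(30_000, OptionalLong.of(120_000));
        System.out.println(noMax.effectiveTimeoutMs("600000"));  // asks for more, no maximum set
        System.out.println(noMax.effectiveTimeoutMs("5000"));    // asks for less than normal
        System.out.println(capped.effectiveTimeoutMs("600000")); // asks for more than the maximum
        System.out.println(capped.effectiveTimeoutMs(null));     // no ?timeout= supplied
    }
}
```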

        
