...

Administrators are advised to grant access to the services with great care. The services are designed to be comprehensive, secure, general-purpose interfaces that expose (almost) all midPoint functionality. However, the implementation has not yet reached that goal, and parts of the services will be developed further in the future. The current purpose of the midPoint remote services is to give access to a few trusted applications that implement the safeguards the midPoint services do not yet provide themselves. The services are not meant to be used by end users directly.

There are many ways in which use of the midPoint services can impact the availability of midPoint functions and create a Denial of Service (DoS) situation. A client of the services may send messages that are too long, flood midPoint servers with many messages and deplete network resources, craft messages that overload the server hosting the midPoint application, or use similar mechanisms. It is therefore recommended to restrict access to the midPoint services at the network level and make them available only to trusted entities.
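One way to apply this recommendation at the edge, as an added example that is not part of the midPoint project or this page: an nginx reverse proxy in front of midPoint that keeps the GUI reachable but admits the remote service paths only from trusted hosts, caps request size against oversized messages and rate-limits the service paths against floods. The backend address, hostname, certificate paths, trusted addresses and the service URL prefixes (/midpoint/ws/ and /midpoint/rest/) are assumptions; check the service URLs of your midPoint version.

```nginx
# Added example, not midPoint project configuration. Assumes midPoint listens on
# http://127.0.0.1:8080 and that this file is included in the nginx http context
# (limit_req_zone must be declared there, outside any server block).
limit_req_zone $binary_remote_addr zone=mp_services:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name idm.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/idm.crt;   # assumed certificate paths
    ssl_certificate_key /etc/nginx/tls/idm.key;

    # Weak setting: a single catch-all location forwards every midPoint URL,
    # remote services included, to anyone who can reach this host.
    # location /midpoint/ { proxy_pass http://127.0.0.1:8080; }

    # Hardened: the service endpoints (assumed prefixes) are reachable only from
    # trusted integration hosts. Regex locations win over the plain prefix
    # location below, so these rules apply before the catch-all.
    location ~ ^/midpoint/(ws|rest)/ {
        allow 10.0.5.20;          # assumed address of a trusted integration server
        allow 10.0.5.0/24;        # assumed integration network
        deny  all;                # everyone else receives 403 before reaching midPoint

        client_max_body_size 2m;                       # reject oversized messages at the proxy
        limit_req zone=mp_services burst=20 nodelay;   # throttle message floods per client
        proxy_read_timeout 60s;                        # do not hold slow requests open forever

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else (the administration GUI) stays available to end users.
    location /midpoint/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check the rule, request a service URL from a host outside the allowed ranges (for example with curl) and confirm the proxy answers 403 and nothing for that request appears in the midPoint access log; the same request from a trusted address should reach midPoint and be answered by it. The proxy rules complement, rather than replace, a host or network firewall that blocks direct access to the midPoint port from anywhere but the proxy.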

Platform and Dependencies

MidPoint is an application running on an existing computing platform, with the operating system and the Java platform as its two major components. There are also engines embedded in midPoint, most notably the Tomcat web server and the Groovy, JavaScript and Python interpreters. Although we try to make sure that midPoint interacts with the platform and its dependencies securely, it is recommended to follow the usual practice of hardening the host system on which midPoint runs, limiting the exposure of midPoint network services, and applying similar measures to limit the exposure of the midPoint instance. We also try to make the scripting interpreters safe. However, scripting languages create a very complex environment and, as with most software packages, some scripting operations may be vulnerable to some forms of attack. It is therefore recommended to follow the security advisories of the scripting platform you use to create midPoint customizations (e.g. Groovy) and to adapt your code to avoid vulnerabilities inherent in that platform.

Experimental Features

We recommend not using experimental features in security-sensitive deployments. Experimental features have been subjected to only a very limited amount of testing, including security testing. Their functionality may also change at any time in quite unexpected ways, documentation is limited, and so on. Therefore either test the experimental functionality thoroughly yourself or do not use it at all.

...