Login in front of the TaskManager not needed?


#1

Hey guys,

I am just wondering if the TaskManager has or should have a login configured in front of it. What is your opinion? Should we configure this to restrict the access to it? What do you think?

Best,

Peter


#2

Hey peter,

we recommend restricting the access to the TaskManager. The first reason is that an unauthorized user could cancel the Jobs in the GUI. The second reason is that the API allows for adding new Jobs and could enable an attacker to start a denial of service attack against your TaskManager system, because it would only work on jobs created by the attacker and not jobs issued by Goobi.

Best,

Oliver


#3

Thanks Oliver. However I still have one more question:
Our TaskManager is running inside of our university VPN. So it is not accessible for the public. Should we add a restriction anyway? What is your experience with that?


#4

Hi Peter,

I would still recommend to restrict the access to the TaskManager, as users inside the network could cancel and add jobs. Of course this then depends on who has access to the VPN.


#5

ok, good point. Thanks for this comment. I will now restrict the access as soon as possible. :slight_smile: