Comments on: SLGA: Capabilities explained (technical)

By: The Thieves Motherload - Page 42 - SLUniverse Forums

The Thieves Motherload - Page 42 - SLUniverse Forums — Fri, 30 Oct 2009 17:57:34 +0000

[...] to the "Approach" subsection) Maxping - Inside the Opensim Asset Server SL specific: mrtopf.de � Blog Archive � SLGA: Capabilities explained (technical) Image Pipeline - Second Life Wiki Here’s an example of the flowchart of the image pipeline… [...]

By: Christian Scholz

Christian Scholz — Sun, 29 Mar 2009 20:07:11 +0000

Right, the asset server does not do a check anymore.. This is intentional by Linden Lab AFAIK because they want to leave this whole security thing to one central component.
The point here is though that the asset server is inside an internal network and cannot be reached except via this capability proxy. So as long as you cannot access the internal network you should be safe. The UUID btw is just assigned randomly and remembered inside a database in the proxy and expiring after some time. Guessing it should be quite hard.

And yes, it’s an additional request to the service to first get the UUID-mapped URL. You can retrieve multiple capabilities at once though.

And I must say that I am also not a big fan of this. I personally would still check the request on each sub-service and having some sort of header based auth would also be easier to implement with most web frameworks. There are also mechanisms like OAuth now which are already used by many parties, have library implementations and a growing community. They might not be perfect for that job yet but changes can always be made by participating in these communities.

Your suggestion might actually work as long as you only request one capability. But then again, why not simply put the seed cap into a header field and use this as a session and you might still be able to implement this capability mechanism internally.

But we have to see what actually will come out of the MMOX discussion at the IETF as also Linden Lab employees are looking more at OAuth these days. A final result will take some time though.

By: Ben Turas

Ben Turas — Thu, 19 Mar 2009 14:34:40 +0000

Thinking some more about this capabilities architecture, getting a proxy once and use it many times is risky. The asset server doesn’t validate the request anymore. So the moment someone manages to break the algorithm of going from a UUID to the URL for the asset server, anything can be asked for. This means that only stuff that is free to use for everyone can be acquired with this “get once use many” proxy.

All other stuff needs to be done by first going to the caps server to get a proxy and then fire the request to the second server. The first call checks access and more, the second call delivers the data.

Why not have the caps server forward the request to the asset server and returns the answer in one turn around ! This will save one network request and have the same result.

greetings, Ben

By: RANT: Sharks in the water. - Page 7 - SLUniverse Forums

RANT: Sharks in the water. - Page 7 - SLUniverse Forums — Fri, 18 Jul 2008 05:53:03 +0000

[...] have no DRM. And surprise, neither do scripts. again, capabilities for people who missed it. SLGA: Capabilities explained (technical) — mrtopf.de [...]

By: RANT: Sharks in the water. - Page 6 - SLUniverse Forums

RANT: Sharks in the water. - Page 6 - SLUniverse Forums — Thu, 17 Jul 2008 17:33:53 +0000

[...] by capabilities, and I don’t see why not. anyway, here is the explanation of capabilities for SL SLGA: Capabilities explained (technical) — mrtopf.de __________________ "To begin with," said the Cat, "a dog’s not mad. You grant [...]

By: Setting up a framework for a Python implementation of the Open Grid Protocol (technical) — mrtopf.de

Sat, 17 May 2008 22:44:06 +0000

[...] I tried to get the capsserver from Linden Lab to run which is included in mulib (more about Capabilities here). [...]

By: Open grids and distributed asset systems « justincc’s opensim blog

Open grids and distributed asset systems « justincc’s opensim blog — Thu, 24 Apr 2008 21:06:59 +0000

[...] to the region). However, with the new CAPS method of retrieving inventory (see here for an explanation of CAPS), it might be possible to provide a capability which routes inventory requests directly to a grid [...]

By: UgoTrade » Blog Archive » Open Source Virtual Worlds Pushing the Envelope

Wed, 26 Mar 2008 04:22:28 +0000

[...] “Capabilities” server is designed to take in the Linden Lab vision of an open grid read Christian Scholz’s (Tao Takashi’s blog). I will write more in another post as I have already heard a variety of opinions on the [...]

By: SLGA: Linden Lab releases Capabilities Server as Open Source (technical) — mrtopf.de

Wed, 19 Mar 2008 13:54:38 +0000

[...] The capabilities server is one of the core modules needed for the Second Life Grid to run and will play a big part in the interconnectivity protocol which the AWG is working on. If you want to know more about Capabilities please have a look at my summary. [...]

By: Morgaine Dinova

Morgaine Dinova — Sat, 15 Mar 2008 09:15:11 +0000

This is an excellent article, Tao, very “tutorial”.

In AWG we learned about caps by gradual osmosis and so the understanding gradually seeped in, but for newcomers to our sessions the concept might appear quite obscure. I think this tutorial will help remedy that.

Well done.