XDataServer JWT.ExpectedIssuers with blank line blocks XData server access

Hello,

While I was securing an XData server with Sphinx authentication using the XDataServerJWT.ExpectedIssuers list, I noticed that when you empty this list but forget a blank line, the server becomes unreachable. The blank line in the list is interpreted as a server (which doesn't exist), and access is therefore denied.

Kind regards,

Hi Ghazali,

Then you should remove the blank line.

Hi Wagner,

That's what I did. The idea was to point it out, so that someone else wouldn't waste too much time looking for such an error as I did.

Thank you,

I understand.
But this is a very sensitive configuration; it concerns security. For example, if a user does this from code:

ExpectedIssuers.Add('');

I personally think the validation should fail. So I think even though it might be hard to find, the empty string was included by you. So I prefer that the server rejects any request due to a misconfiguration, rather than making it less strict and accepting such a misconfiguration just for the sake of being more "friendly" to the developer. Again, just in this specific case, because it involves server security.

Hi Wagner,

You are absolutely right. Security is very important.
Thank you for these explanations and for keeping security first.

Kind regards,

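A startup check for the situation discussed in this thread, as an added example that is not part of the original posts and is not XData's own code: it keeps the fail-closed behaviour but reports the blank entry when the application starts, instead of leaving it to be found through rejected requests. `RequireNoBlankIssuers` and `EIssuerConfig` are hypothetical names, and the example assumes the issuer list can be passed as a `TStrings`; here a local `TStringList` stands in for it.

```delphi
program CheckExpectedIssuers;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.Classes;

type
  EIssuerConfig = class(Exception);

// Hypothetical startup guard: raises on the first blank entry so the
// misconfiguration is reported at startup, with its line position.
procedure RequireNoBlankIssuers(Issuers: TStrings);
var
  I: Integer;
begin
  for I := 0 to Issuers.Count - 1 do
    if Trim(Issuers[I]) = '' then
      raise EIssuerConfig.CreateFmt(
        'ExpectedIssuers line %d is blank. Delete the line or enter an issuer.',
        [I + 1]);
end;

var
  Issuers: TStringList;
begin
  Issuers := TStringList.Create;
  try
    // Constructed sample: the list was "emptied" but one line break remains,
    // which yields a single empty entry, the same as ExpectedIssuers.Add('').
    Issuers.Text := sLineBreak;
    try
      RequireNoBlankIssuers(Issuers);
    except
      on E: EIssuerConfig do
        Writeln('Startup aborted: ', E.Message);
    end;

    // Constructed sample: a truly empty list passes the guard.
    Issuers.Clear;
    RequireNoBlankIssuers(Issuers);
    Writeln('Issuer list OK, entries: ', Issuers.Count);
  finally
    Issuers.Free;
  end;
end.
```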