You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cocoon.apache.org by 32...@gmail.com on 2006/07/19 17:40:20 UTC

Restrict access to parts of sitemap

Hi,

right now, I am creating a Lucene index with this entry in my sitemap:

<map:match pattern="buildIndex">
        <map:generate src="http://localhost:8080//index.xml"/>
       <map:transform type="index"/>
       <map:serialize type="xml"/>
 </map:match>

<map:match pattern="index.xml">
              <map:generate type="file"
src="documents/xml/search_index.xml"/>
              <map:transform type="sql">
                  <map:parameter name="use-connection" value="mysql-pool"/>
             </map:transform>
             <map:transform src="documents/stylesheets/index.xsl"/>
             <map:serialize type="xml"/>
 </map:match>

which means every (outside) user could be able to start the index when
calling buildIndex. I would like to avoid that. Question is: how?
Internal pipeline would help for index.xml, but for buildIndex?

Thanks for your answers
Marco

Re: Restrict access to parts of sitemap

Posted by 32...@gmail.com.

Hello,
thanks to both of you for the answers. Will look into it tomorrow; now it's
time for my beauty sleep. ;)
Marco


2006/7/20, Andrew Stevens <at...@hotmail.com>:
>
> >From: "Bertrand Delacretaz" <bd...@apache.org>
> >Date: Thu, 20 Jul 2006 10:13:06 +0200
> >
> >On 7/19/06, 321los@gmail.com <32...@gmail.com> wrote:
> >
> >>...<map:match pattern="buildIndex">
> >>         <map:generate src="http://localhost:8080//index.xml
> >>"/>...
> >
> >
> >>...which means every (outside) user could be able to start the index
> when
> >>calling buildIndex. I would like to avoid that. Question is: how? ..
> >
> >The clean and safest way is to use Cocoon's authentication framework
> >to require authentication before accessing buildindex.
> >
> >But you could also:
> >
> >a) check the client's IP address and allow only requests from
> >localhost to buildindex (if you're using a reverse proxy in front of
> >Cocoon you'll get this via the X-Forwarded-For header, which you can
> >check with a WildcardHeaderMatcher, but see
> >
> http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat
> )
> >
> >b) use security by obscurity and use a hard go guess URL instead of
> >buildindex. It's not really safe but the risks are not very high
> >either if it's just for index creation
> >
> >-Bertrand
>
> Another possibility - you could always use the J2EE container-provided
> security and add a security-constraint to your web.xml for
> <url-pattern>/buildindex</url-pattern>.  That might be simpler than
> learning
> the authentication framework or acegi if don't need to authenticate users
> in
> the rest of your site.
>
>
> Andrew.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
> For additional commands, e-mail: users-help@cocoon.apache.org
>
>

Re: Restrict access to parts of sitemap

Posted by Andrew Stevens <at...@hotmail.com>.

>From: Thomas Soddemann <so...@rzg.mpg.de>
>Date: Thu, 20 Jul 2006 13:57:42 -0600
>
>Andrew Stevens wrote:
>>
>>Another possibility - you could always use the J2EE container-provided 
>>security and add a security-constraint to your web.xml for 
>><url-pattern>/buildindex</url-pattern>.  That might be simpler than 
>>learning the authentication framework or acegi if don't need to 
>>authenticate users in the rest of your site.
>>
>Hi Andrew,
>
>what do you mean by "if [you] don't need to authenticate ..."?

Only that if you did have such a need, then for a full-blown authentication 
& authorisation solution the other mechanisms generally get mentioned here 
on the lists in preference to the J2EE security; if you didn't have that 
requirement, the standard J2EE mechanism may be quicker to get up & running 
than learning some other new method.  Of course, if you're using 
authentication on the rest of your site anyway, you could just use that 
mechanism to restrict the buildindex page to your own account.

>The remoteUser property is set in the HttpRequest if a user is 
>authenticated and can e.g. be used for authorization (apart from the 
>configurational authorization you have already mentioned).

It may depend on the container you're using, but in general I've found that 
even after logging in getRemoteUser returns null unless it's a request for a 
protected page (i.e. it's covered by a security constraint) in which case 
you'll probably have a role specified anyway.

>Depending on the security modul employed, additional informations are 
>"shipped" with each HttpRequest or set in the session.
>
>Thomas

Andrew.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org

Re: Restrict access to parts of sitemap

Posted by Thomas Soddemann <so...@rzg.mpg.de>.

Andrew Stevens wrote:
>
> Another possibility - you could always use the J2EE container-provided 
> security and add a security-constraint to your web.xml for 
> <url-pattern>/buildindex</url-pattern>.  That might be simpler than 
> learning the authentication framework or acegi if don't need to 
> authenticate users in the rest of your site.
>
Hi Andrew,

what do you mean by "if [you] don't need to authenticate ..."?
The remoteUser property is set in the HttpRequest if a user is 
authenticated and can e.g. be used for authorization (apart from the 
configurational authorization you have already mentioned). Depending on 
the security modul employed, additional informations are "shipped" with 
each HttpRequest or set in the session.

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org

Re: Restrict access to parts of sitemap

Posted by Andrew Stevens <at...@hotmail.com>.

>From: "Bertrand Delacretaz" <bd...@apache.org>
>Date: Thu, 20 Jul 2006 10:13:06 +0200
>
>On 7/19/06, 321los@gmail.com <32...@gmail.com> wrote:
>
>>...<map:match pattern="buildIndex">
>>         <map:generate src="http://localhost:8080//index.xml
>>"/>...
>
>
>>...which means every (outside) user could be able to start the index when
>>calling buildIndex. I would like to avoid that. Question is: how? ..
>
>The clean and safest way is to use Cocoon's authentication framework
>to require authentication before accessing buildindex.
>
>But you could also:
>
>a) check the client's IP address and allow only requests from
>localhost to buildindex (if you're using a reverse proxy in front of
>Cocoon you'll get this via the X-Forwarded-For header, which you can
>check with a WildcardHeaderMatcher, but see
>http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat)
>
>b) use security by obscurity and use a hard go guess URL instead of
>buildindex. It's not really safe but the risks are not very high
>either if it's just for index creation
>
>-Bertrand

Another possibility - you could always use the J2EE container-provided 
security and add a security-constraint to your web.xml for 
<url-pattern>/buildindex</url-pattern>.  That might be simpler than learning 
the authentication framework or acegi if don't need to authenticate users in 
the rest of your site.


Andrew.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org

Re: Restrict access to parts of sitemap

Posted by Bertrand Delacretaz <bd...@apache.org>.

On 7/19/06, 321los@gmail.com <32...@gmail.com> wrote:

> ...<map:match pattern="buildIndex">
>         <map:generate src="http://localhost:8080//index.xml
> "/>...


> ...which means every (outside) user could be able to start the index when
> calling buildIndex. I would like to avoid that. Question is: how? ..

The clean and safest way is to use Cocoon's authentication framework
to require authentication before accessing buildindex.

But you could also:

a) check the client's IP address and allow only requests from
localhost to buildindex (if you're using a reverse proxy in front of
Cocoon you'll get this via the X-Forwarded-For header, which you can
check with a WildcardHeaderMatcher, but see
http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat)

b) use security by obscurity and use a hard go guess URL instead of
buildindex. It's not really safe but the risks are not very high
either if it's just for index creation

-Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org