Posted to users@httpd.apache.org by Ralph Crongeyer <rc...@oceaneering.com> on 2004/03/05 18:14:41 UTC

[users@httpd] Apache authentication on a per file basis?

Hi all,

I'm wondering if there is a way to do this:

I need Apache to check my existing database to see if the user is
permitted to view the file (usually a .pdf file).

Currently the setup is via webpages/php: a user logs into the
application and can only see what his/her group is allowed. For instance,
when the user clicks on a link a query is run and they are presented
with a list of files that their group is permitted to see. They can
simply click on the link and view the file. Sometimes more than one group
can see the same files. This is fine, except, if the user knows where
the files are stored they may be able to bypass the "group security" and
see files that the web interface wouldn't normally allow them to.

How could this be best accomplished?

Thanks,

Ralph

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache authentication on a per file basis?

Posted by Joshua Slive <jo...@slive.ca>.

Ralph Crongeyer wrote:

> Hi all,
> 
> I'm wondering if there is a way to do this:
> 
> I need Apache to check my existing database to see if the user is
> permitted to view the file (usually a .pdf file).
> 
> Currently the setup is via webpages/php: a user logs into the
> application and can only see what his/her group is allowed. For instance,
> when the user clicks on a link a query is run and they are presented
> with a list of files that their group is permitted to see. They can
> simply click on the link and view the file. Sometimes more than one group
> can see the same files. This is fine, except, if the user knows where
> the files are stored they may be able to bypass the "group security" and
> see files that the web interface wouldn't normally allow them to.
> 
> How could this be best accomplished?

The application that is doing the authentication (php in this case) must
deliver the file directly, rather than just linking to an unprotected
part of the web space.  In other words, keep the pdf files in a
non-web-accessible area and have your php script read them from there
and send them to the client.

This is not a very nice solution, since it will probably destroy the
ability to byte-serve, use sendfile, etc., but I don't know of any other
way.

Joshua.
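
A sketch of the approach described in the reply above, added here as an illustration and not code from either poster: a PHP download script that re-checks group membership on every request and reads the file from a directory outside the DocumentRoot. The table and column names, the session key, the storage path and the database DSN are all assumptions.

```php
<?php
// download.php (added example). Schema, session key, paths and DSN are assumptions.
const STORAGE_ROOT = '/srv/private_docs';   // assumed location outside DocumentRoot

/** Absolute path of the file if one of the user's groups may read it, else null. */
function authorized_path(PDO $db, int $userId, int $fileId, string $root): ?string
{
    // Hypothetical schema: files(id, rel_path), file_groups(file_id, group_id),
    // user_groups(user_id, group_id). A file may be visible to several groups.
    $stmt = $db->prepare(
        'SELECT f.rel_path FROM files f
           JOIN file_groups fg ON fg.file_id = f.id
           JOIN user_groups ug ON ug.group_id = fg.group_id
          WHERE f.id = ? AND ug.user_id = ? LIMIT 1'
    );
    $stmt->execute([$fileId, $userId]);
    $rel = $stmt->fetchColumn();
    if ($rel === false) {
        return null;                         // unknown file or no permitted group
    }
    // Defense in depth: the resolved path must stay inside the storage root.
    $rootReal = realpath($root);
    $path = realpath($root . '/' . $rel);
    if ($rootReal === false || $path === false
        || strncmp($path, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;      // set by the application's login page (assumed)
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === null || !is_int($fileId)) {
    http_response_code(403);
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=docs', 'app', getenv('DB_PASS') ?: '');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$path = authorized_path($db, (int) $userId, $fileId, STORAGE_ROOT);
if ($path === null) {
    http_response_code(404);                 // same answer for "missing" and "not allowed"
    exit;
}
header('Content-Type: application/pdf');     // the thread's files are usually PDFs
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The client only ever sends a numeric file id, so knowing where the files are stored gives no way around the group check. As written the script ignores `Range` requests, which is the byte-serving trade-off the reply mentions.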
