Posted to general@jakarta.apache.org by So...@aol.com on 2001/01/12 21:06:34 UTC

? about protect resources

Hi, we have some PDFs on our server with sensitive info. Right now you can
enter a URL that hits those PDFs directly and download them. That is not good;
of course we need security. We need to check if they are currently logged in, or
at least if they have our cookies with a uid and pw on it. Of course there is
basic authentication, but we want to avoid that because of that ugly pop-up login
screen. So I am wondering, from the web server level, if there is a way that you
can protect a directory, with the criteria for accessing that directory being
a session cookie. Is there a module you can configure, where you can tell it what
cookie to look for (e.g. sessionid), maybe even see if that sessionid is
currently valid? Any other possibilities to do it without basic auth and
those pop-up logins? Thanks, Jake


RE: ? about protect resources

Posted by cga <cg...@ciudad.com.ar>.
First of all, activate that ugly security. If they are sensitive, you should
first protect them and then look to see if they are pretty.

Why don't you do a servlet to return the pdfs?
I think that if you don't like the web server authentication, you should
implement your own. And that includes login.

Bye,

Gaston
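
The servlet approach suggested in this reply, as an added example that is not code from the thread: the PDFs live outside the web root and are streamed only to requests whose container-managed session was marked as logged in, so the session cookie carries an id and never a uid or password. The directory path, the `authenticatedUser` session attribute and `/login.jsp` are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: map this servlet to /docs/* in web.xml and keep the PDFs
// outside the web root so no direct URL reaches them.
public class ProtectedPdfServlet extends HttpServlet {
    // Assumed location of the files; must not be under the web root.
    private static final Path PDF_DIR = Paths.get("/var/data/protected-pdfs");
    // Assumed session attribute set by the application's own login code.
    private static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp"); // form login, no pop-up
            return;
        }
        Path file = resolve(req.getPathInfo());
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/pdf");
        resp.setHeader("Cache-Control", "private, no-store");
        resp.setHeader("Content-Length", String.valueOf(Files.size(file)));
        Files.copy(file, resp.getOutputStream());
    }

    // Returns the requested file only if it is a regular .pdf inside PDF_DIR.
    static Path resolve(String pathInfo) {
        if (pathInfo == null || !pathInfo.toLowerCase(java.util.Locale.ROOT).endsWith(".pdf")) {
            return null;
        }
        Path candidate = PDF_DIR.resolve(pathInfo.substring(1)).normalize();
        if (!candidate.startsWith(PDF_DIR) || !Files.isRegularFile(candidate)) {
            return null;
        }
        return candidate;
    }
}
```

The `normalize()` plus `startsWith(PDF_DIR)` check rejects `..` segments in the requested path, so the servlet cannot be used to read files outside the protected directory.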




Re: ? about protect resources

Posted by Andrew Cockburn <ac...@aqualog.co.uk>.
I have solved a similar problem and I did use basic auth.

The trick to avoid the popup authentication is to use a URL of the form:

http://<user>:<password>@www.x.y.com

This gets you straight through to the resource, and will only pop up a window
if the username and password are wrong. This means you need to generate a
link on your page somehow with the username and password embedded which is
insecure, but not as bad as no security. You can hide this somewhat by
putting it in a javascript routine so that the password is not visible in
the status bar when the user hovers over the link - this means that someone
has to go actively looking through the page source to find it.

The final piece of the jigsaw is to write a utility that will generate
access files for your webserver (maybe from usernames and passwords in your
database?) - this is relatively easy if you are using Apache, I haven't
tried any other. The only difficulty is encrypting passwords in the password
file, and I found a class to do that for me.

Hope this helps,

Regards,

Andrew
