On Nov 6, 11:24 am, craic <[EMAIL PROTECTED]> wrote:
> with django, is it possible to restrict the calling host of particular
> urls to be the localhost?
>
> namely, is there a way to restrict say a set of web services
> implemented in django to be only accepted if they are the same domain
> as the hosted page?
>
> so if i have a php page on foo.com/bar.php, which contains javascript
> with some ajax calls to a web service: http://foo.com/ws/blah, that
> would be allowed.
>
> but if someone on another host/location attempts to
> call: http://foo.com/ws/blah
> they will get permission denied.

I'd say it isn't entirely clear what you are asking.

Do you mean you want to block access to anything but a web browser
which is run on a particular host (eg., on the same machine as the web
server), which is what the first and last paragraphs suggest?

Or, do you mean you want to block access to anything except for the case
where the web service is accessed from JavaScript running in a web page
hosted by the same web server, as the second and third paragraphs suggest?

If you mean the first option, as someone else pointed out, if running
Django under Apache that is relatively simple using something like:

  # Apache 2.2-style access control: with "Order deny,allow" the Allow
  # lines win for matching clients and every other client is denied.
  # httpd does not accept a comment after a directive on the same line,
  # so comments go on their own lines.
  <Location /ws/blah>
    Order deny,allow
    Deny from all
    Allow from localhost
    # or other IPs as required
    Allow from 10.0.0.1
  </Location>

The second option is harder to do and not foolproof. It would
generally rely on looking at the Referrer HTTP header to ensure that
access came via a page hosted on the same server, but most likely this
wouldn't be present for requests initiated by JavaScript, and someone
could fake up the Referrer HTTP header anyway and still gain access.

Graham
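Both options from Graham's reply, as an added example that is not code from this thread or from Django itself. Django serves as a WSGI application, so the first option (serve /ws/ only to the local machine) can be done in the application with a WSGI wrapper around Django's `application` object instead of in Apache; the second option (check the Referer header) is shown beside it so its weakness is visible: the check fails closed when the header is missing and cannot tell a real page on foo.com from any client that simply sends the same value. `demo_app`, the `call` helper, the path prefix `/ws/`, the host `foo.com` and the addresses used are constructed for the example; the loopback test reads `REMOTE_ADDR`, which behind a reverse proxy is the proxy's address, so it only means "localhost" when the WSGI server accepts the connection itself.

```python
import ipaddress
import urllib.parse


def peer_is_local(environ):
    """Return True when the TCP peer (REMOTE_ADDR) is a loopback address.

    Covers 127.0.0.0/8 and ::1.  REMOTE_ADDR is what the server process
    sees: behind a reverse proxy it is the proxy, not the browser, so this
    only restricts to "localhost" when the WSGI server terminates the
    connection itself.  Unparseable values are treated as remote.
    """
    try:
        return ipaddress.ip_address(environ.get("REMOTE_ADDR", "")).is_loopback
    except ValueError:
        return False


class LocalOnly:
    """WSGI middleware: paths under `prefix` are served only to loopback peers.

    Wrap the Django WSGI application (the object in wsgi.py) as
    LocalOnly(application, "/ws/") to get the effect of the Apache
    <Location> block without Apache.  Other paths pass straight through.
    """

    def __init__(self, app, prefix="/ws/"):
        self.app = app
        self.prefix = prefix

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.prefix) and not peer_is_local(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"permission denied\n"]
        return self.app(environ, start_response)


def referer_matches_host(environ):
    """The second option: accept only if Referer names the serving host.

    Returns False when Referer is absent (browsers and privacy settings
    often strip it, so legitimate requests are rejected) and True for any
    client that sends a matching value, whether or not the request really
    came from a page on that host.  The header cannot prove origin.
    """
    referer = environ.get("HTTP_REFERER", "")
    host = environ.get("HTTP_HOST", "")
    if not referer or not host:
        return False
    return urllib.parse.urlsplit(referer).netloc.lower() == host.lower()


def demo_app(environ, start_response):
    """Constructed stand-in for the Django application: always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, path, remote_addr, **headers):
    """Drive a WSGI app with a constructed request; return the status line."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "REMOTE_ADDR": remote_addr,
        "HTTP_HOST": "foo.com",  # constructed host, matching the thread's example
    }
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []

    def start_response(status_line, response_headers, exc_info=None):
        status.append(status_line)

    list(app(environ, start_response))  # consume the body iterable
    return status[0]


if __name__ == "__main__":
    ws = LocalOnly(demo_app, "/ws/")
    print(call(ws, "/ws/blah", "127.0.0.1"))    # 200 OK
    print(call(ws, "/ws/blah", "203.0.113.7"))  # 403 Forbidden
    print(call(ws, "/bar.php", "203.0.113.7"))  # 200 OK: outside the prefix
```

The middleware decides on the socket peer address, which a remote client cannot choose, while `referer_matches_host` decides on a header the client composes; that difference is exactly why the first option is reliable and the second is not.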