RE: Site security
Hello, Thanks, The admin side is a full user/role deal but they are being very strict on security. The public side is a separate app so I'm good, thanks for your help. --James -Original Message- From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com] Sent: February-11-09 1:38 PM To: Tapestry users Subject: Re: Site security Well, if you have your admin side as a separate application (on the same app-server) than the solution I mentioned could work if the front- end web-server is separate. In that case, you can link one (public) server against the app context of the public app, and a separate (internal) webserver against the context that should be inaccessible. In neither case can anyone access the app-server directly. But if you have a single web-server/app-server with both things available, then you can't really prevent access by ip/mac address reliably. You should, rather, have a user/role system in place such that only those users who are logged in and have role-based access to the admin app can even see it, let alone use it. Christian. On 11-Feb-09, at 07:08 , James Sherwood wrote: > Hello, > > Thanks for the reply. > > I have a public side(anyone is allowed to access) and an admin > side(very > restricted), both on the same server. Will this still solve my > issue if I > use 2 webservers or will I need 2 separate servers? > > --James > > -Original Message- > From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com] > Sent: February-10-09 7:45 PM > To: Tapestry users > Subject: Re: Site security > > The best way (and this is really not a T5 issue) is not to rely on MAC > or IP addresses, as these can be forged. You should set up a virtual > private network, and only allow those within that VPN to access the > site. The remote users log-on to the VPN, and people inside your > network already have access, so no one from the internet in general > can even see the server. > > Christian. > > On 10-Feb-09, at 18:31 , James Sherwood wrote: > >> Hello, >> >> >> >> I was wondering what would be the best way to implement this >> security(sorry >> if it is outside the scope of T5): >> >> >> >> I am only going to allow a certain IP range to log into the site, >> however >> some people need to use the site from laptops on the road. >> >> >> >> What is the best way to accomplish this? I was thinking through the >> mac >> address of the machine maybe or something of that nature? >> >> >> >> Thanks, >> >> --James >> > > Christian Edward Gruber > christianedwardgru...@gmail.com > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org > For additional commands, e-mail: users-h...@tapestry.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org > For additional commands, e-mail: users-h...@tapestry.apache.org > Christian Edward Gruber christianedwardgru...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: Site security
Well, if you have your admin side as a separate application (on the same app-server) than the solution I mentioned could work if the front- end web-server is separate. In that case, you can link one (public) server against the app context of the public app, and a separate (internal) webserver against the context that should be inaccessible. In neither case can anyone access the app-server directly. But if you have a single web-server/app-server with both things available, then you can't really prevent access by ip/mac address reliably. You should, rather, have a user/role system in place such that only those users who are logged in and have role-based access to the admin app can even see it, let alone use it. Christian. On 11-Feb-09, at 07:08 , James Sherwood wrote: Hello, Thanks for the reply. I have a public side(anyone is allowed to access) and an admin side(very restricted), both on the same server. Will this still solve my issue if I use 2 webservers or will I need 2 separate servers? --James -Original Message- From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com] Sent: February-10-09 7:45 PM To: Tapestry users Subject: Re: Site security The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log-on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server. Christian. On 10-Feb-09, at 18:31 , James Sherwood wrote: Hello, I was wondering what would be the best way to implement this security(sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the mac address of the machine maybe or something of that nature? Thanks, --James Christian Edward Gruber christianedwardgru...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org Christian Edward Gruber christianedwardgru...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
RE: Site security
Hello, Thanks for the reply. I have a public side(anyone is allowed to access) and an admin side(very restricted), both on the same server. Will this still solve my issue if I use 2 webservers or will I need 2 separate servers? --James -Original Message- From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com] Sent: February-10-09 7:45 PM To: Tapestry users Subject: Re: Site security The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log-on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server. Christian. On 10-Feb-09, at 18:31 , James Sherwood wrote: > Hello, > > > > I was wondering what would be the best way to implement this > security(sorry > if it is outside the scope of T5): > > > > I am only going to allow a certain IP range to log into the site, > however > some people need to use the site from laptops on the road. > > > > What is the best way to accomplish this? I was thinking through the > mac > address of the machine maybe or something of that nature? > > > > Thanks, > > --James > Christian Edward Gruber christianedwardgru...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: Site security
The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log-on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server. Christian. On 10-Feb-09, at 18:31 , James Sherwood wrote: Hello, I was wondering what would be the best way to implement this security(sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the mac address of the machine maybe or something of that nature? Thanks, --James Christian Edward Gruber christianedwardgru...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Site security
Hello, I was wondering what would be the best way to implement this security(sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the mac address of the machine maybe or something of that nature? Thanks, --James