Re: Site security
Well, if you have your admin side as a separate application (on the same app-server) then the solution I mentioned could work if the front-end web-server is separate. In that case, you can link one (public) server against the app context of the public app, and a separate (internal) webserver against the context that should be inaccessible. In neither case can anyone access the app-server directly.

But if you have a single web-server/app-server with both things available, then you can't really prevent access by IP/MAC address reliably. You should, rather, have a user/role system in place such that only those users who are logged in and have role-based access to the admin app can even see it, let alone use it.

Christian.

On 11-Feb-09, at 07:08, James Sherwood wrote:

Hello,

Thanks for the reply. I have a public side (anyone is allowed to access) and an admin side (very restricted), both on the same server. Will this still solve my issue if I use 2 webservers or will I need 2 separate servers?

--James

-----Original Message-----
From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com]
Sent: February-10-09 7:45 PM
To: Tapestry users
Subject: Re: Site security

The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server.

Christian.

On 10-Feb-09, at 18:31, James Sherwood wrote:

Hello,

I was wondering what would be the best way to implement this security (sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the MAC address of the machine maybe or something of that nature?

Thanks,
--James

Christian Edward Gruber
christianedwardgru...@gmail.com

To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
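The split described in the message above (a public front end linked only to the public app context, an internal front end linked only to the admin context, and an app server nobody reaches directly), sketched as an added Apache httpd 2.4 configuration that is not part of the original thread. The addresses, hostnames, the `/public` and `/admin` context paths, and the AJP port are assumptions.

```apache
# Added illustration, not from the thread. Assumed: Apache httpd 2.4 with
# mod_proxy and mod_proxy_ajp loaded; an app server whose AJP connector is
# bound to 127.0.0.1:8009 only; apps deployed at /public and /admin.
# All addresses and hostnames are placeholders.

# Public front end: internet-facing, linked only to the public app context.
Listen 203.0.113.10:80
<VirtualHost 203.0.113.10:80>
    ServerName www.example.com
    ProxyPass /public ajp://127.0.0.1:8009/public
    # The admin context is never mapped here; deny it explicitly as well.
    <Location "/admin">
        Require all denied
    </Location>
</VirtualHost>

# Internal front end: bound to an address that is reachable only from the
# internal network or over the VPN, linked only to the admin app context.
# Placement on the network is the outer layer only; the admin app still
# enforces its own login and role checks.
Listen 10.8.0.1:80
<VirtualHost 10.8.0.1:80>
    ServerName admin.internal.example
    ProxyPass /admin ajp://127.0.0.1:8009/admin
</VirtualHost>
```

The two blocks can equally live in two separate httpd instances or hosts, which is closer to the separate internal web server described in the thread.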
RE: Site security
Hello,

Thanks. The admin side is a full user/role deal but they are being very strict on security. The public side is a separate app so I'm good, thanks for your help.

--James

-----Original Message-----
From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com]
Sent: February-11-09 1:38 PM
To: Tapestry users
Subject: Re: Site security

Well, if you have your admin side as a separate application (on the same app-server) then the solution I mentioned could work if the front-end web-server is separate. In that case, you can link one (public) server against the app context of the public app, and a separate (internal) webserver against the context that should be inaccessible. In neither case can anyone access the app-server directly.

But if you have a single web-server/app-server with both things available, then you can't really prevent access by IP/MAC address reliably. You should, rather, have a user/role system in place such that only those users who are logged in and have role-based access to the admin app can even see it, let alone use it.

Christian.

On 11-Feb-09, at 07:08, James Sherwood wrote:

Hello,

Thanks for the reply. I have a public side (anyone is allowed to access) and an admin side (very restricted), both on the same server. Will this still solve my issue if I use 2 webservers or will I need 2 separate servers?

--James

-----Original Message-----
From: Christian Edward Gruber [mailto:christianedwardgru...@gmail.com]
Sent: February-10-09 7:45 PM
To: Tapestry users
Subject: Re: Site security

The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server.

Christian.

On 10-Feb-09, at 18:31, James Sherwood wrote:

Hello,

I was wondering what would be the best way to implement this security (sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the MAC address of the machine maybe or something of that nature?

Thanks,
--James
Re: Site security
The best way (and this is really not a T5 issue) is not to rely on MAC or IP addresses, as these can be forged. You should set up a virtual private network, and only allow those within that VPN to access the site. The remote users log on to the VPN, and people inside your network already have access, so no one from the internet in general can even see the server.

Christian.

On 10-Feb-09, at 18:31, James Sherwood wrote:

Hello,

I was wondering what would be the best way to implement this security (sorry if it is outside the scope of T5): I am only going to allow a certain IP range to log into the site, however some people need to use the site from laptops on the road. What is the best way to accomplish this? I was thinking through the MAC address of the machine maybe or something of that nature?

Thanks,
--James

Christian Edward Gruber
christianedwardgru...@gmail.com