Re: [Zope] Preventing files from being viewed by web clients
Brian wrote at 2006-5-8 13:19 -0500:
> I have a flash app that accesses .xml files. The source is viewable and some creative crackers have figured out how to meld a URL together to get vital information from those .xml's. I need to prevent the web client from directly accessing them. Is there a directive (such as Apache's) or mechanism to keep web clients from accessing, yet allow my app to access these files?

As others reported, there is no easy solution.

However, Flash is probably intelligent enough that it could implement what I call the trusted application concept. A trusted application somehow contains a secret (something like application_id and application_password) it can use to prove to the server that it has sent the request (and not some other application).

Kerberos is a standard protocol to implement trusted applications (among others). If you do not have Kerberos, you can do something similar of your own. Look at HTTP Digest Authentication to learn how the application can send its secret in an uncompromising way.

On the server side, you make your resources inaccessible to untrusted access and use a script (probably an ExternalMethod) that checks the application credentials and grants access to your sensitive resources only when it can prove the application is trusted.

--
Dieter

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
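The "trusted application" check Dieter sketches, as an added example that is not code from this thread, from Dieter, or from Zope. It borrows the shape of HTTP Digest: the server hands out a single-use nonce, the client proves it holds the shared secret by HMAC-signing the method, path, application id and nonce, and a server-side gate (the ExternalMethod role) releases the .xml only when the signature checks out. Every name in it (APPS, RESOURCES, issue_nonce, client_headers, serve, the X-App-* headers) is invented for the example, and the secret and resource are constructed sample data.

```python
# Added example, not code from the thread, from Dieter, or from Zope: a
# "trusted application" check in the style of HTTP Digest. The client holds
# an application id plus a shared secret and proves possession of the secret
# by HMAC-signing each request together with a single-use, server-issued
# nonce. verify_request() plays the part of the server-side script (an
# ExternalMethod in Zope terms) that gates the .xml resources. All names
# here (APPS, issue_nonce, client_headers, serve, ...) are invented for the
# example; the secret and the resource are constructed sample data.
import hashlib
import hmac
import secrets
import time

# Constructed credentials: application id -> shared secret.
# In a real deployment these live in server-side configuration only.
APPS = {"flashviewer": b"example-shared-secret-not-real"}

# Constructed protected resource, reachable only through serve() below.
RESOURCES = {"/data/secret.xml": "<config><key>vital</key></config>"}

NONCE_TTL = 60.0          # seconds a nonce stays valid
_pending_nonces = {}      # nonce -> expiry time; removed on first use


def issue_nonce(now=None):
    """Server side: hand the client a fresh random nonce (like Digest's
    WWW-Authenticate nonce). It is single-use and expires after NONCE_TTL."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    _pending_nonces[nonce] = now + NONCE_TTL
    return nonce


def _canonical(method, path, app_id, nonce):
    """What gets signed. Binding method and path into the signature stops a
    captured signature from being replayed against a different resource."""
    return "\n".join([method.upper(), path, app_id, nonce]).encode()


def sign(method, path, app_id, nonce, secret):
    return hmac.new(secret, _canonical(method, path, app_id, nonce),
                    hashlib.sha256).hexdigest()


def client_headers(method, path, app_id, secret, nonce):
    """Client side: the headers the trusted application attaches."""
    return {
        "X-App-Id": app_id,
        "X-App-Nonce": nonce,
        "X-App-Signature": sign(method, path, app_id, nonce, secret),
    }


def verify_request(method, path, app_id, nonce, signature, now=None):
    """Server side: True only if the nonce is fresh and unused and the
    signature matches the secret registered for app_id."""
    now = time.time() if now is None else now
    secret = APPS.get(app_id)
    if secret is None:
        return False
    expiry = _pending_nonces.pop(nonce, None)   # consume it: a replay finds nothing
    if expiry is None or expiry < now:
        return False
    expected = sign(method, path, app_id, nonce, secret)
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(expected, signature)


def serve(method, path, headers, now=None):
    """The gating script: returns (status, body). The raw files are never
    exposed directly; every access goes through this check."""
    ok = verify_request(method, path,
                        headers.get("X-App-Id", ""),
                        headers.get("X-App-Nonce", ""),
                        headers.get("X-App-Signature", ""),
                        now)
    if not ok:
        return 403, ""
    if path not in RESOURCES:
        return 404, ""
    return 200, RESOURCES[path]


if __name__ == "__main__":
    nonce = issue_nonce()
    hdrs = client_headers("GET", "/data/secret.xml", "flashviewer",
                          APPS["flashviewer"], nonce)
    print(serve("GET", "/data/secret.xml", hdrs))   # status 200 with the XML body
    print(serve("GET", "/data/secret.xml", hdrs))   # 403: the nonce is already used
```

The check separates requests from something that knows the secret from requests that do not, and the nonce keeps a captured signature from being replayed. It does not protect the secret itself: a Flash movie is downloadable and can be decompiled, so whatever it embeds is recoverable by a determined client, which is the limitation the other replies in this thread point out.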
[Zope] Preventing files from being viewed by web clients
I have a flash app that accesses .xml files. The source is viewable and some creative crackers have figured out how to meld a URL together to get vital information from those .xml's. I need to prevent the web client from directly accessing them. Is there a directive (such as Apache's) or mechanism to keep web clients from accessing, yet allow my app to access these files? Something like

  <FilesMatch \.(?i:gif|jpe?g|xml)$>
    Order allow,deny
    Allow from some file name
    Deny from all
    some other web trick
  </FilesMatch>

in zope.conf or ???

TIA
Brian
Re: [Zope] Preventing files from being viewed by web clients
On 5/8/06, Brian [EMAIL PROTECTED] wrote:
> I have a flash app that accesses .xml files. The source is viewable and some creative crackers have figured out how to meld a URL together to get vital information from those .xml's. I need to prevent the web client from directly accessing them. Is there a directive (such as Apache's) or mechanism to keep web clients from accessing, yet allow my app to access these files? Something like
>
>   <FilesMatch \.(?i:gif|jpe?g|xml)$>
>     Order allow,deny
>     Allow from some file name
>     Deny from all
>     some other web trick
>   </FilesMatch>
>
> in zope.conf or ???

Zope's security is based on being authenticated, so no. What you can do is let the Flash app log in as a special user, and make the files only accessible to that user. To prevent people from sneaking the password from the IP traffic, you also need to use SSL from the Flash app.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Preventing files from being viewed by web clients
--On 8 May 2006 13:19:02 -0500 Brian [EMAIL PROTECTED] wrote:
> I have a flash app that accesses .xml files. The source is viewable and some creative crackers have figured out how to meld a URL together to get vital information from those .xml's. I need to prevent the web client from directly accessing them. Is there a directive (such as Apache's) or mechanism to keep web clients from accessing, yet allow my app to access these files?

This question makes little sense. If your flash app must access the .xml file then it must be accessible for everyone. You think about checking the user agent for flash apps, but all this stuff can be faked.

-aj

--
ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany
Web: www.zopyx.com - Email: [EMAIL PROTECTED] - Phone +49 - 7071 - 793376
E-Publishing, Python, Zope & Plone development, Consulting
Re: [Zope] Preventing files from being viewed by web clients
Brian wrote:
> I have a flash app that accesses .xml files. The source is viewable and some creative crackers have figured out how to meld a URL together to get vital information from those .xml's.

Well, don't put vital information there :-)

> I need to prevent the web client from directly accessing them. Is there a directive (such as Apache's) or mechanism to keep web clients from accessing, yet allow my app to access these files?

Your flash app is a web client too and thus indistinguishable from any other web client.

> Something like
>
>   <FilesMatch \.(?i:gif|jpe?g|xml)$>
>     Order allow,deny
>     Allow from some file name

What exactly would you want to put into this hypothetical statement? :-)

>     Deny from all
>     some other web trick
>   </FilesMatch>
>
> in zope.conf or ???

No. Just don't send something over the web to any client that you don't want to send to people. Everything you send can and will be read, no matter what the intended client is. Neither SSL nor custom auth will prevent people from reading it. (See tcpflow and the openssl client.)

Regards
Tino