We use the following approach:
1. Request to file is handled by Apache with mod_rewrite rule that triggers
a rewrite map
2. Rewrite map is actually a PHP-script that makes a request to directAction
of our application responsible for authorization that returns either an URL
to resource or an URL to error page.
3. Returned URL is returned to client via rewrite rule.
4. All the URLs to resources can be accessed only by localhost and client
doesn¹t see the final urls thanks to mod_rewrite.
Pseudo-code for httpd.conf:
RewriteRule ^/download/(.*) ${authmap:$1} [L]
RewriteMap authmap prg:/Library/WebServer/CGI-Executables/auth.php
You can use any other language in place of PHP. Part of URL after /download/
can contain sessionID that is further passed as a parameter to directAction
by PHP module to prevent bookmarking. Initial request to /download/ can be
generated by another directAction that can return redirect to this URL.
We use this approach in a production environment for an application under
high load and everything seems to be working fast and stable. Ranges in
request header are preserved as well so resuming of downloads is natively
supported by Apache.
Regards,
Denis.
on 12/13/05 5:58 AM, Dov Rosenberg at [EMAIL PROTECTED] wrote:
> Our application has its own security model that controls access to our
> information based on our own roles and permissions. We store files related to
> our application on the file system where our application is running. These
> associated files are served out by a web server. Our goal is to come up with a
> scheme where we could apply our security model to control access to these
> files via the web server. For example someone associates a PDF with some
> meta data. We don¹t want the user to be able to bookmark the underlying URL
> and email it to their friends for them to download without having them
> authenticated by our service.
>
> We are looking at a couple of different ideas.
>
> 1. Create a servlet filter to sit in front of the resources requests and
> somehow tie that into our application logic
> 2. Create a regular proxy type of servlet that can accept requests and
> validate them using our security model
> 3. Figure out a way to secure the filesystem using a Proxy server of some
> type.
>
> Any other thoughts or ideas are appreciated. Thanks in advance
>
>
---
Denis Frolov
Media Agency Design Maximum
Tel: +7 863 2648211
Fax: +7 863 2645229
Web: http://www.designmaximum.com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to archive@mail-archive.com
