That isn't the function of sandboxes.
Here is a code sample of my previously described approach. It is primitive, but
solves what you're trying to solve. Whatever directory your asset files live in
should be set to no web access. CF will be able to get the files, but a web
browser could not.
<!--- Gate: the user must be logged in, and the flag must actually be true;
      IsDefined alone would let a session through where IsLoggedIn is false --->
<cfif not (IsDefined("Session.Auth.IsLoggedIn") and Session.Auth.IsLoggedIn)>
    <cfinclude template="../login.cfm">
    <cfabort>
</cfif>
<cfparam name="url.filename" default="empty.txt">
<!--- Asset directory: the "files" folder beside this template --->
<cfset thisPath = ExpandPath("*.*")>
<cfset DirectoryPath = GetDirectoryFromPath(thisPath)>
<cfset filepath = DirectoryPath & "files\">
<!--- Keep only the file name part of the request, so a "..\" or "/" in the
      parameter cannot reach outside the asset directory --->
<cfset safeName = GetFileFromPath(url.filename)>
<cfset thefile = filepath & safeName>
<!--- ListLast copes with names that have no dot or several dots;
      ListGetAt(name, 2, ".") breaks on both --->
<cfset fileext = LCase(ListLast(safeName, "."))>
<cfswitch expression="#fileext#">
    <cfcase value="xls">
        <cfset mimetype = "application/msexcel">
    </cfcase>
    <cfcase value="doc">
        <cfset mimetype = "application/msword">
    </cfcase>
    <cfcase value="pdf">
        <cfset mimetype = "application/pdf">
    </cfcase>
    <cfcase value="ppt">
        <cfset mimetype = "application/vnd.ms-powerpoint">
    </cfcase>
    <cfcase value="pps">
        <cfset mimetype = "application/vnd.ms-powerpoint">
    </cfcase>
    <cfcase value="txt">
        <cfset mimetype = "text/plain">
    </cfcase>
    <cfdefaultcase>
        <!--- Unknown types go out as a generic download rather than with an
              empty Content-Type --->
        <cfset mimetype = "application/octet-stream">
    </cfdefaultcase>
</cfswitch>
<cftry>
    <cfheader name="Content-disposition" value="inline; filename=#safeName#">
    <cfcontent file="#thefile#" type="#mimetype#">
    <cfcatch>
        There was a problem retrieving your file.
    </cfcatch>
</cftry>
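As an added example (not the poster's ColdFusion and not part of the original mail), the same gateway idea in Python with the checks a reviewer would want on it: the login flag tested for truth rather than mere existence, the request reduced to a bare file name and resolved inside the asset directory, an extension allow-list, and the per-user document grants Emile asks about further down the thread. FILES_DIR, GRANTS, resolve_download, the session shape and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed asset tree standing in for a folder outside the web root (assumed layout).
ROOT = Path(tempfile.mkdtemp(prefix="gateway-")).resolve()
FILES_DIR = ROOT / "files"
FILES_DIR.mkdir()
(FILES_DIR / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
(FILES_DIR / "notes.txt").write_text("constructed sample")
(ROOT / "outside.txt").write_text("must never be served")

# Extension -> MIME map doubles as the allow-list: anything else is refused.
MIME_TYPES = {"xls": "application/msexcel", "doc": "application/msword",
              "pdf": "application/pdf", "ppt": "application/vnd.ms-powerpoint",
              "pps": "application/vnd.ms-powerpoint", "txt": "text/plain"}

# Per-user grants (assumed structure): which user may fetch which document.
GRANTS = {"emile": {"report.pdf", "notes.txt"}, "guest": {"notes.txt"}}


class AccessDenied(Exception):
    """Raised for any request the gateway refuses."""


def resolve_download(session, filename):
    """Return (absolute path, MIME type) for a permitted request, else raise."""
    # session mirrors Session.Auth in the CFML: {"is_logged_in": bool, "user": str}.
    # Authentication: the flag must be present AND true, not merely defined.
    if not session.get("is_logged_in"):
        raise AccessDenied("login required")
    # Drop any directory part the client sent ("..\", "../", absolute paths).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise AccessDenied("bad filename")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MIME_TYPES:
        raise AccessDenied("file type not served")
    # Authorization: this user must hold a grant for this exact document.
    if name not in GRANTS.get(session.get("user", ""), set()):
        raise AccessDenied("not authorized for this document")
    # Containment: the resolved target must be a regular file inside FILES_DIR.
    target = (FILES_DIR / name).resolve()
    if target.parent != FILES_DIR or not target.is_file():
        raise AccessDenied("no such file")
    return str(target), MIME_TYPES[ext]
```

The web layer then streams the returned path with the returned MIME type, exactly where the CFML uses cfcontent.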
________________________________
From: Emile Melbourne <[email protected]>
To: [email protected]
Sent: Thursday, December 18, 2008 2:55:33 PM
Subject: Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory
Thanks guys for all your responses.
Only users who have logged in/authenticated should be authorized to view these
secured pdf files and images. In the future, I imagine specific pdfs will be
viewable to specific authenticated users, which I suppose would be the
authorization topic Teddy is getting at. Am I right about this?
I'm going to test putting the files meant to be secure outside of the site root
folder and getting it to work that way.
I've also come across settings found in the ADOBE COLDFUSION ADMINISTRATOR
meant to let users enable and disable access to specific files and directories:
Security > Resource Security > CHECK "Enable ColdFusion Sandbox Security"
Do you guys know if this is also a solution to this particular problem?
Thanks Again
Emile
On Thu, Dec 18, 2008 at 1:43 PM, Teddy R. Payne <[email protected]> wrote:
Mischa,
Yes, but as you can see from Shawn's comment, Shawn was approaching the topic
from the point of authorization. From the response by Troy, this leads to
authentication.
So, his usage of diction or use of the word is indeed correct, but not everyone
interpreted it that way as it still provided some confusion regardless.
The solution may very well use both concepts to achieve his desired result.
A use that I have witnessed has to deal with Shawn's suggestion of putting the
files in a non-webroot accessible directory or network source. Then a
controller mechanism would have to understand how to "serve once", either
through a mechanism of being an authenticated user with an authorized role
of being able to see a document. Or, the site does not have authentication
and the mechanism must have a more introspective ability to discern a user
through their token, IP or whatever. The public approach would suggest a
tracking process to see if a particular requestor has asked for the document
before or not.
This also brings up the question, how do you determine who has the
authorization to request a particular artifact multiple times?
This may be over complicating his initial scope of the application, but these
are questions that I would ask whenever someone would task me with a File
serving application on potentially limited released documents.
In any event, I was not criticizing Emile. I was asking for more detail before
offering generic advice/guidance.
Teddy R. Payne, ACCFD
Google Talk - [email protected]
On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10
<[email protected]> wrote:
OP never used the word "authentication". From wikipedia: "authorization is the
concept of allowing access to resources only to those permitted to use them."
Seems to me he used the term properly.
/m
: Emile,
: From your description, you really need to define what "authorized" and "not
: authorized" means.
: This will help clarify to the people assisting you as to the approach they can
: suggest.
: As "authorization" and "authentication" often times are used interchangeably
: by developers when in fact they represent two distinctly different topics.
: Teddy R. Payne, ACCFD
: Google Talk - [email protected]
: On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne <[email protected]>
: wrote:
: Hey Everyone,
:
: I am currently in the process of building my first secured site. Most pages
: of the site will be behind a login page. I'm using ColdFusion's
: Application.cfc onRequestStart function to check if a user is logged in or
: not. That's pretty much boilerplate.
:
: My concern is how to prevent a non-authorized user from accessing or
: hotlinking to non-ColdFusion pages (i.e., images, pdfs, swfs, .txt etc).
:
: What's the best way to ensure a user can't link directly to these items but
: is instead redirected to login.cfm?
:
: Is there a way to lock down an entire directory?
:
: Thank you for all your help
: Emile
:
: -------------------------------------------------------------
: To unsubscribe from this list, manage your profile @
: http://www.acfug.org?fa=login.edituserform
:
: For more info, see http://www.acfug.org/mailinglists
: Archive @ http://www.mail-archive.com/discussion%40acfug.org/
: List hosted by FusionLink <http://www.fusionlink.com>
: -------------------------------------------------------------
---------- Original Message ----------
FROM: "Teddy R. Payne" <[email protected]>
TO: <[email protected]>
DATE: Thu, 18 Dec 2008 13:25:15 -0500
SUBJECT: Re: [ACFUG Discuss] Blocking a ColdFusion website's directory