Hey Teddy, That is by far great advice on how to tackle scalability, it make sense.
There maybe situations where this may not be a good tatic such as when a one to one connection between a pdf and the user account that owns it is required. However, I'd admit I would have overlooked that scalabilty solution you brought up. Glad you've mentioned how to manage it. Shawn, what is the purpose of the files and directory settings in the Sandbox? I suppose this should go into a separate thread. Also, I'm testing you script now. Emile On Thu, Dec 18, 2008 at 3:11 PM, Teddy R. Payne <[email protected]>wrote: > Emile, > You are correct. If you have authenticated users, you will eventually have > to approach how to programmatically change the behavior of your PDF files. > > Advice that I can give you would be to avoid a scalable pitfall of > assigning users to a particular file. Instead, assign a role to a file and > then assign a role to a user. This way, you are not adding 1000 users to > one file. You may add 1000 users to a role, but that never changes your > implementation of the role associated to a file. Does that make sense? > > Teddy R. Payne, ACCFD > Google Talk - [email protected] > > > > On Thu, Dec 18, 2008 at 3:03 PM, shawn gorrell <[email protected]>wrote: > >> That isn't the function of sandboxes. >> >> Here is a code sample of my previously described approach. It is >> primitive, but solves what you're trying to solve. Whatever directory your >> asset files live in should be set to no web access. CF will be able to get >> the files, but a web browser could not. >> >> <cfif not IsDefined("Session.Auth.IsLoggedIn")> >> <cfinclude template="../login.cfm"> >> <cfabort> >> </cfif> >> >> <cfparam name="url.filename" default="empty.txt"> >> <cfset thisPath = ExpandPath("*.*")> >> <cfset DirectoryPath = GetDirectoryFromPath(thisPath)> >> <cfset filepath = DirectoryPath & "files\"> >> <cfset thefile = filepath & url.filename> >> <cfset fileext = ListGetAt(url.filename,2,".")> >> >> <cfswitch expression="#fileext#"> >> <cfcase value="xls"> >> <cfset mimetype = "application/msexcel"> >> </cfcase> >> <cfcase value="doc"> >> <cfset mimetype = "application/msword"> >> </cfcase> >> <cfcase value="pdf"> >> <cfset mimetype = "application/pdf"> >> </cfcase> >> <cfcase value="ppt"> >> <cfset mimetype = "application/vnd.ms-powerpoint"> >> </cfcase> >> <cfcase value="pps"> >> <cfset mimetype = "application/vnd.ms-powerpoint"> >> </cfcase> >> <cfcase value="txt"> >> <cfset mimetype = "text/plain"> >> </cfcase> >> <cfdefaultcase> >> <cfset mimetype = ""> >> </cfdefaultcase> >> </cfswitch> >> >> <cftry> >> <cfheader name="Content-disposition" value="inline; >> filename=#url.filename#"> >> <cfcontent file="#thefile#" type="#mimetype#"> >> >> <cfcatch> >> There was a problem retrieving your file. >> </cfcatch> >> </cftry> >> >> ------------------------------ >> *From:* Emile Melbourne <[email protected]> >> *To:* [email protected] >> *Sent:* Thursday, December 18, 2008 2:55:33 PM >> *Subject:* Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's >> directory >> >> Thanks guys for all your responces. >> >> Only users who have logged in/authenticated should be should be authorized >> to view these secured pdf files and images. In the future, I imagine >> specific pdfs will be viewable to specific authenticated users which I >> suppose would be the authorization topic Teddy is getting at. Am I right >> about this? >> >> I'm going to test putting the files meant to be secure outside of the site >> root folder and getting it to work that way. >> >> I've also come accross settings found in the ADOBE COLDFUSION >> ADMINISTRATOR meant to let users enable and disable access to specific files >> and directories >> Security > Resource Security > CHECK "Enable ColdFusion Sandbox >> Security" >> >> Do you guys know if this is also a solution to this particular problem? >> >> Thanks Again >> Emile >> >> >> On Thu, Dec 18, 2008 at 1:43 PM, Teddy R. Payne <[email protected]>wrote: >> >>> Mischa, >>> Yes, but as you can see from Shawn's comment that Shawn was approaching >>> the topic from the point of authorization. From the response by Troy, this >>> leads to authentication. >>> >>> So, his usage of diction or use of the word is indeed correct, but not >>> everyone interpreted it that way as it still provided some confusion >>> regardless. >>> >>> The solution may very well use both concepts to achieve his desired >>> result. >>> >>> A use that I have witnessed has to deal with Shawn's suggestion of >>> putting the files in a non-webroot accessible directory or network source. >>> Then a controller mechanism would have to understand how to "serve once" >>> either through a mechanism of of being an authenticated user with an >>> authorized role of being able to see a document. Or, the the site does not >>> have authentication and the mechanism must have a more introspective ability >>> to discern a user through their token, IP or whatever. The public approach >>> would suggest a tracking process to see if a particular requestor has asked >>> for the document before or not. >>> >>> This also brings up the question, how do you determine who has the >>> authorization to request a particular artifact multiple times? >>> >>> This may be over complicating his initial scope of the application, but >>> these are questions that I would ask whenever someone would task me with a >>> File serving application on potentially limited released documents. >>> >>> In any event, I was not criticizing Emile. I was asking for more detail >>> before offering generic advice/guidance. >>> >>> Teddy R. Payne, ACCFD >>> Google Talk - [email protected] >>> >>> >>> >>> On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10 < >>> [email protected]> wrote: >>> >>>> OP never used the word "authentication". From wikipedia: "authorization >>>> is the concept of allowing access to resources only to those permitted to >>>> use them." Seems to me he used the term properly. >>>> /m >>>> >>>> >>>> >>>> : Emile, >>>> : From your description, you really need to define what "authorized" >>>> and "not >>>> : authorized" means. >>>> >>>> : This will help clarify to the people assisting you as to the approach >>>> they can >>>> : suggest. >>>> >>>> : As "authorization" and "authentication" often times are used >>>> interchangeably >>>> : by developers when in fact they represent two distinctly different >>>> topics. >>>> >>>> : Teddy R. Payne, ACCFD >>>> : Google Talk - [email protected] >>>> >>>> >>>> >>>> >>>> : On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne < >>>> [email protected]> >>>> : wrote: >>>> >>>> >>>> : Hey Everyone, >>>> : >>>> : I am currently in the process of building my first secured site. >>>> Most pages >>>> : of the site will be behind a login page. I'm using ColdFusion's >>>> : Application.cfc onRequestStart function to check if a user is logged >>>> in or >>>> : not. Thats pretty much boiler plate. >>>> : >>>> : My concern is how to prevent an non authorized user from accessing >>>> or >>>> : hotlinking to non ColdFusion page. (i.e, images, pdfs, swfs, .txt >>>> etc). >>>> : >>>> : Whats the best way to ensure a user can't link directly to these >>>> items but >>>> : instead be redirected to login.cfm instead? >>>> : >>>> : Is there a way to lock down an entire directory? >>>> : >>>> : Thank you for all your help >>>> : Emile >>>> : >>>> >>>> : ------------------------------------------------------------- >>>> : To unsubscribe from this list, manage your profile @ >>>> : >>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >>>> : >>>> : For more info, see http://www.acfug.org/mailinglists >>>> : Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>>> : List hosted by FusionLink <http://www.fusionlink.com> >>>> : ------------------------------------------------------------- >>>> >>>> >>>> >>>> : ------------------------------------------------------------- >>>> : To unsubscribe from this list, manage your profile @ >>>> : >>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >>>> >>>> : For more info, see http://www.acfug.org/mailinglists >>>> : Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>>> : List hosted by FusionLink <http://www.fusionlink.com> >>>> : ------------------------------------------------------------- >>>> >>>> >>>> >>>> >>>> >>>> >>>> ---------- Original Message ---------- >>>> >>>> FROM: "Teddy R. Payne" <[email protected]> >>>> TO: <[email protected]> >>>> DATE: Thu, 18 Dec 2008 13:25:15 -0500 >>>> >>>> SUBJECT: Re: [ACFUG Discuss] Blocking a ColdFusion website's directory >>>> >>>> Emile, >>>> From your description, you really need to define what "authorized" and >>>> "not authorized" means. >>>> >>>> This will help clarify to the people assisting you as to the approach >>>> they can suggest. >>>> >>>> As "authorization" and "authentication" often times are used >>>> interchangeably by developers when in fact they represent two distinctly >>>> different topics. >>>> >>>> Teddy R. Payne, ACCFD >>>> Google Talk - [email protected] >>>> >>>> >>>> >>>> >>>> On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne < >>>> [email protected]> wrote: >>>> >>>> >>>> Hey Everyone, >>>> >>>> I am currently in the process of building my first secured site. >>>> Most pages of the site will be behind a login page. I'm using >>>> ColdFusion's >>>> Application.cfc onRequestStart function to check if a user is logged in or >>>> not. Thats pretty much boiler plate. >>>> >>>> My concern is how to prevent an non authorized user from accessing or >>>> hotlinking to non ColdFusion page. (i.e, images, pdfs, swfs, .txt etc). >>>> >>>> Whats the best way to ensure a user can't link directly to these >>>> items but instead be redirected to login.cfm instead? >>>> >>>> Is there a way to lock down an entire directory? >>>> >>>> Thank you for all your help >>>> Emile >>>> >>>> >>>> ------------------------------------------------------------- >>>> To unsubscribe from this list, manage your profile @ >>>> >>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >>>> >>>> For more info, see http://www.acfug.org/mailinglists >>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>>> List hosted by FusionLink <http://www.fusionlink.com> >>>> ------------------------------------------------------------- >>>> >>>> >>>> >>>> ------------------------------------------------------------- >>>> To unsubscribe from this list, manage your profile @ >>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >>>> >>>> For more info, see http://www.acfug.org/mailinglists >>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>>> List hosted by FusionLink <http://www.fusionlink.com> >>>> ------------------------------------------------------------- >>>> >>>> >>>> ------------------------------------------------------------- >>>> To unsubscribe from this list, manage your profile @ >>>> http://www.acfug.org?falogin.edituserform<http://www.acfug.org/?falogin.edituserform> >>>> >>>> For more info, see http://www.acfug.org/mailinglists >>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>>> List hosted by http://www.fusionlink.com >>>> ------------------------------------------------------------- >>>> >>>> >>>> >>>> >>> >>> ------------------------------------------------------------- >>> To unsubscribe from this list, manage your profile @ >>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >>> >>> For more info, see http://www.acfug.org/mailinglists >>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >>> List hosted by FusionLink <http://www.fusionlink.com/> >>> ------------------------------------------------------------- >> >> >> >> ------------------------------------------------------------- >> To unsubscribe from this list, manage your profile @ >> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >> >> For more info, see http://www.acfug.org/mailinglists >> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >> List hosted by FusionLink <http://www.fusionlink.com/> >> ------------------------------------------------------------- >> >> ------------------------------------------------------------- >> To unsubscribe from this list, manage your profile @ >> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> >> >> For more info, see http://www.acfug.org/mailinglists >> Archive @ http://www.mail-archive.com/discussion%40acfug.org/ >> List hosted by FusionLink <http://www.fusionlink.com/> >> ------------------------------------------------------------- > > > > ------------------------------------------------------------- > To unsubscribe from this list, manage your profile @ > http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform> > > For more info, see http://www.acfug.org/mailinglists > Archive @ http://www.mail-archive.com/discussion%40acfug.org/ > List hosted by FusionLink <http://www.fusionlink.com/> > ------------------------------------------------------------- ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
