Emile,
I'll send you my Adobe Max presentation on this very topic
(authorization), specifically addressing the different attack patterns
and high level solutions appropriate for any language, though the
examples are CF-specific. It may take me a day or so until I get back
to work and can forward it. If anyone else wishes a copy drop me a
line at dean.saxe [at] foundstone.com.
Thanks,
-dhs
Dean H. Saxe, CISSP, CEH
[email protected]
"What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is wrought under the name of
totalitarianism or the holy name of liberty and democracy?"
--Gandhi
On Dec 18, 2008, at 5:24 PM, Emile Melbourne wrote:
Hey Teddy,
That is by far great advice on how to tackle scalability; it makes
sense.
There may be situations where this may not be a good tactic, such as
when a one-to-one connection between a PDF and the user account that
owns it is required.
However, I'd admit I would have overlooked that scalability solution
you brought up. Glad you've mentioned how to manage it.
Shawn, what is the purpose of the files and directory settings in
the Sandbox? I suppose this should go into a separate thread.
Also, I'm testing your script now.
Emile
On Thu, Dec 18, 2008 at 3:11 PM, Teddy R. Payne <[email protected]> wrote:
Emile,
You are correct. If you have authenticated users, you will
eventually have to approach how to programmatically change the
behavior of your PDF files.
Advice that I can give you would be to avoid a scalable pitfall of
assigning users to a particular file. Instead, assign a role to a
file and then assign a role to a user. This way, you are not adding
1000 users to one file. You may add 1000 users to a role, but that
never changes your implementation of the role associated to a file.
Does that make sense?
Teddy R. Payne, ACCFD
Google Talk - [email protected]
On Thu, Dec 18, 2008 at 3:03 PM, shawn gorrell <[email protected]> wrote:
That isn't the function of sandboxes.
Here is a code sample of my previously described approach. It is
primitive, but solves what you're trying to solve. Whatever
directory your asset files live in should be set to no web access.
CF will be able to get the files, but a web browser could not.
<!--- Require a logged-in session. The original only tested that the flag
      existed; a flag set to false must also be sent to the login page. --->
<cfif not (IsDefined("Session.Auth.IsLoggedIn") and Session.Auth.IsLoggedIn)>
<cfinclude template="../login.cfm">
<cfabort>
</cfif>
<cfparam name="url.filename" default="empty.txt">
<!--- Accept a bare file name only: letters, digits, dot, underscore, dash,
      not starting with a dot. No path separators means the request cannot
      walk out of the files directory, and no control characters means the
      name is safe to echo in the Content-disposition header. --->
<cfif not REFind("^[A-Za-z0-9][A-Za-z0-9._-]*$", url.filename)>
<cfheader statuscode="400" statustext="Bad Request">
Invalid file name.
<cfabort>
</cfif>
<!--- Files live in a "files" folder beside this template, outside web access. --->
<cfset thisPath = ExpandPath("*.*")>
<cfset DirectoryPath = GetDirectoryFromPath(thisPath)>
<cfset filepath = DirectoryPath & "files\">
<cfset thefile = filepath & url.filename>
<!--- Take the last dot-separated element so "report.final.pdf" works;
      ListGetAt(url.filename, 2, ".") returned "final" for such names. --->
<cfset fileext = LCase(ListLast(url.filename, "."))>
<cfswitch expression="#fileext#">
<cfcase value="xls">
<cfset mimetype = "application/msexcel">
</cfcase>
<cfcase value="doc">
<cfset mimetype = "application/msword">
</cfcase>
<cfcase value="pdf">
<cfset mimetype = "application/pdf">
</cfcase>
<cfcase value="ppt">
<cfset mimetype = "application/vnd.ms-powerpoint">
</cfcase>
<cfcase value="pps">
<cfset mimetype = "application/vnd.ms-powerpoint">
</cfcase>
<cfcase value="txt">
<cfset mimetype = "text/plain">
</cfcase>
<cfdefaultcase>
<cfset mimetype = "">
</cfdefaultcase>
</cfswitch>
<!--- Serve only the types listed above, and only files that actually exist. --->
<cfif not Len(mimetype) or not FileExists(thefile)>
<cfheader statuscode="404" statustext="Not Found">
There was a problem retrieving your file.
<cfabort>
</cfif>
<cftry>
<cfheader name="Content-disposition" value="inline; filename=#url.filename#">
<cfcontent file="#thefile#" type="#mimetype#">
<cfcatch>
There was a problem retrieving your file.
</cfcatch>
</cftry>
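Teddy's advice (map files to roles and users to roles, never users to files) combined with Shawn's gate on every file request, as an added Python example that is not code from the thread; the user, role and file names, the MIME table and the session shape are constructed assumptions, and Python is used because the pattern applies to any language.

```python
import re

# Constructed sample data (assumption, not from the thread). A file is tied
# to roles and a user is tied to roles; the file side never changes when
# users are added or removed.
FILE_ROLES = {
    "q4-report.pdf": {"finance", "admin"},
    "handbook.pdf": {"staff", "finance", "admin"},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"staff"}}

# Same allow-list idea as the cfswitch above: unknown extensions are not served.
MIME_TYPES = {"pdf": "application/pdf", "doc": "application/msword",
              "xls": "application/msexcel", "txt": "text/plain"}

# A bare file name only: no separators, no leading dot, no control characters,
# so the request cannot leave the protected directory or inject header text.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def grant_role(user, role):
    """Adding the 1000th user to a role touches USER_ROLES only."""
    USER_ROLES.setdefault(user, set()).add(role)


def decide(session, filename):
    """Return (allowed, reason, mimetype); deny by default at every step."""
    if not session.get("is_logged_in"):
        return False, "not authenticated", None        # authentication
    if not SAFE_NAME.fullmatch(filename):
        return False, "invalid file name", None         # input validation
    mimetype = MIME_TYPES.get(filename.rsplit(".", 1)[-1].lower())
    if mimetype is None:
        return False, "file type not served", None
    required = FILE_ROLES.get(filename)
    if not required:
        return False, "file has no role mapping", None  # unknown file: deny
    held = USER_ROLES.get(session.get("user"), set())
    if not held & required:
        return False, "role not authorized", None       # authorization
    return True, "ok", mimetype
```

A controller would call decide() first and stream the file only on a True result, so the same gate covers both the "who is logged in" and the "which role may see this document" questions raised in the thread.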
From: Emile Melbourne <[email protected]>
To: [email protected]
Sent: Thursday, December 18, 2008 2:55:33 PM
Subject: Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory
Thanks guys for all your responses.
Only users who have logged in/authenticated should be authorized to
view these secured PDF files and images. In the future, I imagine
specific PDFs will be viewable to specific authenticated users, which
I suppose would be the authorization topic Teddy is getting at. Am I
right about this?
I'm going to test putting the files meant to be secure outside of
the site root folder and getting it to work that way.
I've also come across settings found in the Adobe ColdFusion
Administrator meant to let users enable and disable access to
specific files and directories:
Security > Resource Security > check "Enable ColdFusion Sandbox
Security"
Do you guys know if this is also a solution to this particular
problem?
Thanks Again
Emile
On Thu, Dec 18, 2008 at 1:43 PM, Teddy R. Payne <[email protected]> wrote:
Mischa,
Yes, but as you can see from Shawn's comment, Shawn was approaching
the topic from the point of authorization. From the response by Troy,
this leads to authentication.
So, his usage of diction or use of the word is indeed correct, but
not everyone interpreted it that way as it still provided some
confusion regardless.
The solution may very well use both concepts to achieve his desired
result.
A use that I have witnessed has to deal with Shawn's suggestion of
putting the files in a non-webroot accessible directory or network
source. Then a controller mechanism would have to understand how to
"serve once", either through a mechanism of being an authenticated
user with an authorized role of being able to see a document. Or,
the site does not have authentication and the mechanism must have a
more introspective ability to discern a user through their token, IP
or whatever. The public approach would suggest a tracking process to
see if a particular requestor has asked for the document before or
not.
This also brings up the question, how do you determine who has the
authorization to request a particular artifact multiple times?
This may be over complicating his initial scope of the application,
but these are questions that I would ask whenever someone would task
me with a File serving application on potentially limited released
documents.
In any event, I was not criticizing Emile. I was asking for more
detail before offering generic advice/guidance.
Teddy R. Payne, ACCFD
Google Talk - [email protected]
On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10 <[email protected]> wrote:
OP never used the word "authentication". From wikipedia:
"authorization is the concept of allowing access to resources only
to those permitted to use them." Seems to me he used the term
properly.
/m
---------- Original Message ----------
FROM: "Teddy R. Payne" <[email protected]>
TO: <[email protected]>
DATE: Thu, 18 Dec 2008 13:25:15 -0500
SUBJECT: Re: [ACFUG Discuss] Blocking a ColdFusion website's directory
Emile,
From your description, you really need to define what "authorized"
and "not authorized" means.
This will help clarify to the people assisting you as to the
approach they can suggest.
As "authorization" and "authentication" oftentimes are used
interchangeably by developers when in fact they represent two
distinctly different topics.
Teddy R. Payne, ACCFD
Google Talk - [email protected]
On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne <[email protected]> wrote:
Hey Everyone,
I am currently in the process of building my first secured site.
Most pages of the site will be behind a login page. I'm using
ColdFusion's Application.cfc onRequestStart function to check if a
user is logged in or not. That's pretty much boilerplate.
My concern is how to prevent a non-authorized user from accessing or
hotlinking to non-ColdFusion pages (i.e., images, PDFs, SWFs, .txt,
etc.).
What's the best way to ensure a user can't link directly to these
items but is instead redirected to login.cfm?
Is there a way to lock down an entire directory?
Thank you for all your help
Emile
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------