Hi David, > As I write this though I had an idea. Since the only issue > is requests coming from the same server, maybe I could make > an App server bound to > 127.0.0.1 instead of 0.0.0.0 ... this would then limit access > to the server itself. > Alternatively I could also take advantage of the firewall to make sure > that whatever port was open wasnt open to external uses. This way I > could setup a app server just for image fetches and secure it > without authentication.
Since you can reasonably trust the FO processor to not misuse security information, you might be able to use url scheme's like http://user:p...@localhost:nnnn/getimage.xqy. It is legal, though most browsers tend to block such requests, pretending not to understand them, for the sake of security. Basic auth over HTTP isn't very secure, but this is even less. Sticking to localhost though, there is no reason to fear sniffing of the credentials. I am not sure binding the app server to a specific ip works as you think. If I'm not mistaken it doesn't work as a filter, but as a bind. There should be some messages about that on the ML mailinglist. You might also be able to apply ip-filtering from within a rewrite script.. Kind regards, Geert drs. G.P.H. (Geert) Josten Consultant Daidalos BV Hoekeindsehof 1-4 2665 JZ Bleiswijk T +31 (0)10 850 1200 F +31 (0)10 850 1199 mailto:[email protected] http://www.daidalos.nl/ KvK 27164984 P Please consider the environment before printing this mail. De informatie - verzonden in of met dit e-mailbericht - is afkomstig van Daidalos BV en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onbedoeld hebt ontvangen, verzoeken wij u het te verwijderen. Aan dit bericht kunnen geen rechten worden ontleend. _______________________________________________ General mailing list [email protected] http://xqzone.com/mailman/listinfo/general
