Thanks Geert, 
I experimented with passing the user/password through the URL and have
only partial success.
In the past (other servers) I've found that user/password in the URL
typically only works for FTP not HTTP, but I gave ML a try.  Mixed
results.

Pure Java requests fail with a 401 (unauthorized)
Robust program (wget) fails with a 401 then does retry with the U/P and
succeeds.

Another solution for the PDF Problem I thought of is to extract the
images locally to a temp directory before calling the tomcat service.
This might actually be more efficient as well as it wouldn't require
multiple authenticated callbacks into ML from the FOP processor.
Another idea would be to encode all the images as a single multi-part
POST,
but I think that's getting complicated ... 




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Geert
Josten
Sent: Saturday, April 17, 2010 9:24 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Passing authentication
information in a URL

Hi David,

> As I write this though I had an idea.  Since the only issue
> is requests coming from the same server, maybe I could make
> an App server bound to
> 127.0.0.1 instead of 0.0.0.0 ... this would then limit access
> to the server itself.
> Alternatively I could also take advantage of the firewall to make sure
> that whatever port was open wasn't open to external uses. This way I
> could setup a app server just for image fetches and secure it
> without authentication.

Since you can reasonably trust the FO processor to not misuse security
information, you might be able to use URL schemes like
http://user:p...@localhost:nnnn/getimage.xqy. It is legal, though most
browsers tend to block such requests, pretending not to understand them,
for the sake of security. Basic auth over HTTP isn't very secure, but
this is even less. Sticking to localhost though, there is no reason to
fear sniffing of the credentials.

I am not sure binding the app server to a specific ip works as you
think. If I'm not mistaken it doesn't work as a filter, but as a bind.
There should be some messages about that on the ML mailing list. You
might also be able to apply ip-filtering from within a rewrite script.

Kind regards,
Geert



drs. G.P.H. (Geert) Josten
Consultant


Daidalos BV
Hoekeindsehof 1-4
2665 JZ Bleiswijk

T +31 (0)10 850 1200
F +31 (0)10 850 1199

mailto:[email protected]
http://www.daidalos.nl/

KvK 27164984


_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
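
The difference reported above between the Java requests (401) and wget (401, then a retry with the user/password) comes down to whether the client turns the user:password part of the URL into an `Authorization` header. The following is an added example, not code from either poster: it sends Basic credentials on the first request and removes them from the URL that is actually opened. The class name, user, password, port and query string are constructed placeholders.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveBasicAuth {

    /** Builds the Authorization header value from the URI's user:password part, or null if absent. */
    static String basicHeader(URI uri) {
        String userInfo = uri.getUserInfo();   // percent-decoded "user:password"
        if (userInfo == null || userInfo.indexOf(':') < 0) {
            return null;
        }
        // Assumption: the server decodes Basic credentials as UTF-8.
        byte[] raw = userInfo.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Same URI without credentials, so they stay out of the opened URL and anything that logs it. */
    static URI stripUserInfo(URI uri) throws URISyntaxException {
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                       uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    /** Opens (but does not yet send) a request that carries the credentials up front. */
    static HttpURLConnection open(URI uri) throws Exception {
        HttpURLConnection conn =
            (HttpURLConnection) stripUserInfo(uri).toURL().openConnection();
        String header = basicHeader(uri);
        if (header != null) {
            conn.setRequestProperty("Authorization", header);
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URL: user, password, port and query are placeholders.
        URI uri = new URI("http://imguser:s3cret@localhost:8010/getimage.xqy?uri=/img/a.png");
        System.out.println("URL opened:  " + stripUserInfo(uri));
        System.out.println("Header sent: Authorization: " + basicHeader(uri));
        HttpURLConnection conn = open(uri);   // nothing goes on the wire until
        conn.disconnect();                    // getResponseCode()/getInputStream() is called
    }
}
```

The header value is only Base64-encoded, so this is Basic auth with the exposure Geert describes; it fits the localhost-only case discussed in the thread.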
