By the way, it is not uncommon to work with security tokens. You have little influence to how the FO parser is acquiring the images, but you should be able to pass in request parameters.
What you would need to do here is add a security token (just a random number would do) to some lookup that is shared with a different app server that uses it to verify any access. You provide the FO parser the security token as part of the uri to the other app server that will return the image binary. This way, direct access to the other app server is not possible without a valid security token, nor do you need to go through a lot of fuss to customize your parser, sending binary back and forth through temp or else.. HTH, Geert > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of > Lee, David > Sent: zondag 18 april 2010 15:07 > To: General Mark Logic Developer Discussion > Subject: RE: [MarkLogic Dev General] RE: Passing > authentication informationin aURL > > Thanks Geert, > I experimented with passing the user/password through the URL > and have only partial success. > In the past (other servers) I've found that user/password in > the URL typically only works for FTP not HTTP, but I gave ML > a try. Mixed results. > > Pure Java requests fail with a 401 (unaruthorized) Robust > program (wget) fails with a 401 then does retry with the U/P > and succeeds. > > Another solution for the PDF Problem I thought of is to > extract the images locally to a temp directory before calling > the tomcat service. > This might actually be more efficient as well as it wouldn't > require multiple authenticated callbacks into ML from the FOP > processor. > Another idea would be to encode all the images as a single > multi-part POST, but I think thats getting complicated ... > > > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of > Geert Josten > Sent: Saturday, April 17, 2010 9:24 AM > To: General Mark Logic Developer Discussion > Subject: RE: [MarkLogic Dev General] RE: Passing > authentication informationin aURL > > Hi David, > > > As I write this though I had an idea. Since the only issue is > > requests coming from the same server, maybe I could make an > App server > > bound to > > 127.0.0.1 instead of 0.0.0.0 ... this would then limit > access to the > > server itself. > > Alternatively I could also take advantage of the firewall > to make sure > > that whatever port was open wasnt open to external uses. > This way I > > could setup a app server just for image fetches and secure > it without > > authentication. > > Since you can reasonably trust the FO processor to not misuse > security information, you might be able to use url scheme's > like http://user:p...@localhost:nnnn/getimage.xqy. It is > legal, though most browsers tend to block such requests, > pretending not to understand them, for the sake of security. > Basic auth over HTTP isn't very secure, but this is even > less. Sticking to localhost though, there is no reason to > fear sniffing of the credentials. > > I am not sure binding the app server to a specific ip works > as you think. If I'm not mistaken it doesn't work as a > filter, but as a bind. > There should be some messages about that on the ML > mailinglist. You might also be able to apply ip-filtering > from within a rewrite script.. > > Kind regards, > Geert > > > > drs. G.P.H. (Geert) Josten > Consultant > > > Daidalos BV > Hoekeindsehof 1-4 > 2665 JZ Bleiswijk > > T +31 (0)10 850 1200 > F +31 (0)10 850 1199 > > mailto:[email protected] > http://www.daidalos.nl/ > > KvK 27164984 > > P Please consider the environment before printing this mail. > De informatie - verzonden in of met dit e-mailbericht - is > afkomstig van Daidalos BV en is uitsluitend bestemd voor de > geadresseerde. Indien u dit bericht onbedoeld hebt ontvangen, > verzoeken wij u het te verwijderen. Aan dit bericht kunnen > geen rechten worden ontleend. > > _______________________________________________ > General mailing list > [email protected] > http://xqzone.com/mailman/listinfo/general > _______________________________________________ > General mailing list > [email protected] > http://xqzone.com/mailman/listinfo/general > _______________________________________________ General mailing list [email protected] http://xqzone.com/mailman/listinfo/general
