
  Ok, this is almost a mod_rewrite question, but not quite. I think that
I have a solution that works, but has some potential problems. I'd like
to see if anyone sees a better solution.

  I picture an authentication scheme that works like this:

A servlet is configured to be /private

Actual content is stored and served from /private_auth

  When a user request comes in for /private/index.html the servlet
performs authentication. If the request passes, it redirects the request
to /private_auth/getPathInfo().

  A mod_rewrite rule is in place that tests the HTTP_FORWARDED value
and/or the HTTP_REFERRED for accesses to /private_auth to see if the
request was redirected here from the applet. If so, it passes through
unchanged. If not, it's rewritten to some error handling page/servlet.

Problem one:
  What is the base href used by browsers in this case? /private, or
/private_auth? If it's /private_auth, then relative links will try to
bypass the servlet and fail to get through (I hope). 

  This could be fixed by having MOD_REWRITE direct requests that fail
its tests back to /private, but then browsers that don't give out
REFERRED/FORWARDED are potentially stuck in an infinite loop.

Problem two:
  Browsers which don't support HTTP_REFERRED and HTTP_FORWARDED are left
out. This is a problem for unusual configurations (Palm Pilot browsers,
etc), or browsers going through a brain dead proxy.

Problem three:
  Authentication is based on information supplied by the client
(HTTP_FORWARDED or HTTP_REFERRED); this information could be cooked up
by a hacker to bypass the security. They would have to be knowledgeable
and motivated, but it's possible. For most cases this is not an issue,
but if the hole can be closed, I'd sleep better at night.

jon * wrote:
> 
> --
> 
> >   I appreciate any help anyone can give me, even if it's only a pointer
> > to a more appropriate place for this question...
> 
> try it with mod_rewrite
> 
> -jon
> 
> --
> --------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> READ THE FAQ!!!!     <http://java.apache.org/faq/>
> Archives and Other:  <http://java.apache.org/main/mail.html/>
> Problems?:           [EMAIL PROTECTED]

--
Don Garrett                                          [EMAIL PROTECTED]
BGB Consulting                  http://www.bgb-consulting.com/garrett
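The scheme above needs the redirect to /private_auth only because the servlet does not serve the content itself. An added example (not code from the original post, nor from the java.apache.org project) of the alternative: the servlet authenticates and then streams the requested file from a directory that lives outside Apache's DocumentRoot, so there is no second URL space, no mod_rewrite rule and no dependence on HTTP_REFERER or HTTP_FORWARDED. The browser only ever sees /private/..., so relative links resolve against /private (Problem one), browsers that send no Referer are not excluded (Problem two), and no client-supplied header is trusted (Problem three). The directory path PRIVATE_ROOT and the isAuthenticated() check are assumptions standing in for the real deployment.

```java
// Added example: serve protected files from the servlet after authentication,
// instead of redirecting to /private_auth and gating that path with mod_rewrite.
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PrivateContentServlet extends HttpServlet {

    // Hypothetical location. It must NOT be under the web server's DocumentRoot,
    // otherwise Apache would serve the files directly and bypass this servlet.
    private static final File PRIVATE_ROOT = new File("/usr/local/private_auth");

    // Placeholder for whatever credential check the real servlet performs
    // (session attribute set at login, cookie, Basic auth, ...).
    private boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute("user") != null;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isAuthenticated(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // For a request to /private/index.html, getPathInfo() returns "/index.html".
        String pathInfo = req.getPathInfo();
        if (pathInfo == null || pathInfo.equals("/")) {
            pathInfo = "/index.html";
        }

        // Canonicalize the resolved path and confirm it is still inside PRIVATE_ROOT.
        // This rejects requests such as /private/../../etc/passwd that would otherwise
        // escape the content directory.
        File target = new File(PRIVATE_ROOT, pathInfo).getCanonicalFile();
        String rootPath = PRIVATE_ROOT.getCanonicalPath() + File.separator;
        if (!target.getPath().startsWith(rootPath) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Stream the file. The client never learns a /private_auth URL, so there is
        // nothing for a Referer check to guard and nothing for a forged header to open.
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) target.length());

        InputStream in = new BufferedInputStream(new FileInputStream(target));
        OutputStream out = resp.getOutputStream();
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

The servlet would be mapped to /private/* exactly as in the original scheme; the only change is that authentication and delivery happen in one request, so the mod_rewrite rule on /private_auth is no longer needed at all.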

