Security implementation question
Hi all.

I am working on an application for which there are two levels of user. User level 1 must upload files to the server, and user level 2 must be able to download any files uploaded by users of level 1. I have already implemented page-level security to restrict each level of user to the pages for which they are authorised.

My problem is that for user level 2 to be able to download these files, they must be placed somewhere within the webroot. I want to prevent user level 1 from downloading these files, as they are only intended for downloading by users of level 2.

The only idea I had was to store all files outside of the webroot, and when a user of level 2 wants to download these files, they are copied to somewhere in the webroot, with a filename such as "$current-PID_$current-unixtime_$filename". Furthermore, periodically (every hour, for example), delete all files in this folder which are older than an hour. This way, by also preventing directory listing of this folder, the only way a user of level 1 could get these files would be to guess the PID, unix timestamp, and filename, all within an hour (before they are cleaned away again). This I don't think is very likely.

Can anyone either point out any major problems with this approach, or alternatively (preferably) suggest a better alternative?

In case it makes any difference to people's ideas/views, I am not using Apache for access control. Users authenticate against a database, then on each page they visit, their user level (taken from the session object) is checked against the access level required for that page.

I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1.

Thanks for any advice / feedback

Richard

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Security implementation question
Hi Richard,

Happy new year to the list, BTW.

[EMAIL PROTECTED] wrote:
> Can anyone either point out any major problems with this approach, or alternatively (preferably) suggest a better alternative? In case it makes any difference to people's ideas/views, I am not using Apache for access control. Users authenticate against a database, then on each page they visit, their user level (taken from the session object) is checked against the access level required for that page.

Since you already have the user's level in the Session object, you can have an ASP handle the downloads, like this:

- check if the user has the required level.
- set $Response->{ContentType} to whatever it is you want.
- open the (out of the webroot) file and, while reading it, output to the client.

Now with this approach you will avoid the constant back-and-forth copying of files and the remote possibility that a user can guess the filename, but there are some drawbacks:

- the ``heavy'' Apache mod_perl process will be tied up for the duration of the download, so depending on your setup, the size of the download and the speed of the clients, you might need more httpds running. The mod_perl guide can help you more on this - rather large - subject (http://perl.apache.org/docs/1.0/guide/index.html).

I really don't know if the above is a better solution, just a thought.

Regards,
Thanos Chatziathanassiou
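The three steps above written out as a single Apache::ASP download page, added here as an example (it is not code from the thread). It assumes the uploads live in /var/app/uploads outside the DocumentRoot, that the user's level is stored as $Session->{level}, and that the file is requested as ?file=name; the requested name is reduced to a bare filename and checked against a whitelist pattern so the page can only ever reach files directly inside that directory, and the file is streamed in chunks rather than read into memory.

```perl
<%
# download.asp: serve a file stored outside the web root to level-2 users only
use strict;
use File::Spec;
use File::Basename ();

my $STORE    = '/var/app/uploads';   # assumed: upload directory outside DocumentRoot
my $REQUIRED = 2;                    # assumed: minimum user level allowed to download

# 1. Authorisation: the level already lives in the session object (assumed key 'level').
my $level = $Session->{level} || 0;
if ($level < $REQUIRED) {
    $Response->{Status} = 403;
    $Response->End;                  # stops the page here
}

# 2. Reduce the requested name to a bare filename inside $STORE.
#    basename() drops any directory part; the pattern rejects dotfiles,
#    "..", path separators and anything outside [A-Za-z0-9_.-].
my $name = $Request->QueryString('file') || '';
$name = File::Basename::basename($name);
if ($name eq '' || $name =~ /^\./ || $name !~ /^[\w.\-]+$/) {
    $Response->{Status} = 400;
    $Response->End;
}
my $path = File::Spec->catfile($STORE, $name);
unless (-f $path && -r _) {
    $Response->{Status} = 404;
    $Response->End;
}

# 3. Stream the file to the client in 64 KiB chunks.
$Response->{ContentType} = 'application/octet-stream';
$Response->AddHeader('Content-Disposition', qq{attachment; filename="$name"});
$Response->AddHeader('Content-Length', -s $path);
open(my $fh, '<', $path) or do { $Response->{Status} = 500; $Response->End; };
binmode $fh;
my $buf;
while (read($fh, $buf, 65536)) {
    $Response->BinaryWrite($buf);
    $Response->Flush;                # push each chunk even with BufferingOn
}
close $fh;
$Response->End;
%>
```

Because the mapping from request to file happens only here, level-1 users hit the 403 branch before any path is built, and nothing under the webroot ever has to be copied or cleaned up.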
Re: Security implementation question
On Friday, Jan 3, 2003, at 04:59 US/Eastern, [EMAIL PROTECTED] wrote:
> I have already implemented page-level security to restrict each level of user to the pages for which they are authorised. My problem is that for user level 2 to be able to download these files, they must be placed somewhere within the webroot. I want to prevent user level 1 from downloading these files, as they are only intended for downloading by users of level 2.
> [ ... snip ... ]
> I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1
> Thanks for any advice / feedback

If you don't mind using your mod_perl instances to serve files (your site is low traffic and this won't hurt you), then write a mod_perl PerlAccessHandler to deny people access. Implement all of your login system in a PerlAuthenHandler. Then just have a simple login page. There are some good examples of this in the mod_perl cookbook.

The big advantage of this is that you never really need to "know" how to auth someone to write another web page for your site. It is provided for you by your Authen handler before your page is ever loaded.

Also, your Authen handler can do slick things like put an instance of a "User" object in the Apache request notes, and the "new" method for your User object can look there first... This allows you to blindly call:

  my $user = User->new();

at the top of any ASP page and have full access to that user's object. And you _know_ it will be populated with valid data because they passed through your Authen/Access handlers and it was actually built in there -- of course, it does hurt to check ;-)

--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 410 872 4910 x201   Fax: +1 410 872 4911
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
Re: Apache-ASP on Apache2
I am new to Apache and ASP, but was successful in getting Apache2 to run on Windows. I have also been able to run aspx on the same machine using a proxy server, Cassini. I'll attach the link for that.

Here is the code I added to my config file that makes ASP work with Windows/Apache:

  SetHandler perl-script
  PerlHandler Apache::ASP
  PerlSetVar Global C:/Windows/temp
  PerlSetVar CookiePath /
  PerlSetVar AllowSessionState 1
  PerlSetVar SessionTimeout 20
  #PerlSetVar Debug 2
  # have "use strict;" by default, recommended
  PerlSetVar UseStrict 1
  # when errors occur in ASP, print out debug info
  PerlSetVar Debug 2
  PerlSetVar BufferingOn 1
  PerlSetVar StatINC 1
  PerlSetVar SessionSerialize 0
  PerlSetVar SoftRedirect 0
  PerlSetVar NoState 1
  PerlSetVar StateDir ./.state
  PerlSetVar StateManager 10
  PerlSetVar MaxThreadsPerChild 1

Apache/aspx (asp.net): http://www.codeproject.com/aspnet/cassini_apache_101.asp

--- In [EMAIL PROTECTED], Josh Chamas <[EMAIL PROTECTED]> wrote:
> CURTIS R. wrote:
> > I have been reading the posts on the Apache-ASP mailing list, and see you have gotten apache-asp to run with mod_perl1.99, and apache2.
> >
> > I have got everything compiled, but my httpd.conf gets broken when I add in the PerlHandler and the rest of the options from the apache-asp site's configuration section.
>
> Please post messages for Apache::ASP support to the mailing list. To get on the mailing list, send a message to [EMAIL PROTECTED] ... I have cc'd the list to capture this thread in the archive.
>
> Apache::ASP should work the same under mod_perl2/Apache2. That PerlHandler is broken implies that mod_perl is not installed correctly.
>
> > What are the correct strings to add to the httpd.conf? I am convinced all will be fine if I can only get the httpd.conf working correctly.
>
> The same as in mod_perl1, for example, I am driving chamas.com off of:
>
>   SetHandler perl-script
>   PerlModule Apache::ASP
>   PerlHandler Apache::ASP
>   PerlSetVar NoState 1
>   PerlSetVar Global .
>   PerlSetVar GlobalPackage Chamas::Site::Sun
>   PerlSetVar UseStrict 1
>   PerlSetVar StatScripts 1
>   PerlSetVar XMLSubsMatch chamas:\w+
>
>   # note the Off config will be available in 2.50 not yet released
>   PerlSetVar XMLSubsPerlArgs Off
>
> > Would there be any chance of a small section on the apache-asp site detailing the process for apache2?
>
> If I find there to be differences, I will do so, but so far there have been none to my knowledge that affect an Apache::ASP user once mod_perl is set up correctly. Note, however, that though Apache::ASP works under mod_perl2 fine, it may be that the mod_perl 1.9x / apache2 combo is yet unstable. Be sure to use the prefork MPM, and not the worker MPM, for now. MPM refers to a compilation option of apache2.
>
> Regards,
>
> Josh
>
> Josh Chamas, Founder                 phone:925-552-0128
> Chamas Enterprises Inc.              http://www.chamas.com
> NodeWorks Link Checking              http://www.nodeworks.com