Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Teddy R. Payne
Mischa,
Yes, but as you can see from Shawn's comment, Shawn was approaching the
topic from the point of authorization.  From the response by Troy, this
leads to authentication.

So, his usage of diction or use of the word is indeed correct, but not
everyone interpreted it that way, as it still provided some confusion
regardless.

The solution may very well use both concepts to achieve his desired result.


A use that I have witnessed has to deal with Shawn's suggestion of putting
the files in a non-webroot-accessible directory or network source.  Then a
controller mechanism would have to understand how to serve them, either
through a mechanism of being an authenticated user with an authorized
role of being able to see a document, or, if the site does not have
authentication, the mechanism must have a more introspective ability to
discern a user through their token, IP or whatever.  The public approach
would suggest a tracking process to see if a particular requestor has asked
for the document before or not.

This also brings up the question, how do you determine who has the
authorization to request a particular artifact multiple times?

This may be over-complicating his initial scope of the application, but
these are questions that I would ask whenever someone would task me with a
file-serving application on potentially limited-release documents.

In any event, I was not criticizing Emile.  I was asking for more detail
before offering generic advice/guidance.

Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com



On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10 
mischa.uppelscho...@bankersx.com wrote:

 OP never used the word authentication. From Wikipedia: authorization is
 the concept of allowing access to resources only to those permitted to use
 them. Seems to me he used the term properly.
 /m



 : Emile,
 : From your description, you really need to define what authorized and
 not
 :  authorized means.

 : This will help clarify to the people assisting you as to the approach
 they can
 :  suggest.

 : As authorization and authentication often times are used
 interchangeably
 :  by developers when in fact they represent two distinctly different
 topics.

 : Teddy R. Payne, ACCFD
 : Google Talk - teddyrpa...@gmail.com




 : On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne 
 emile.melbou...@gmail.com
 :  wrote:


 : Hey Everyone,
 :
 : I am currently in the process of building my first secured site.  Most pages
 : of the site will be behind a login page.  I'm using ColdFusion's
 : Application.cfc onRequestStart function to check if a user is logged in or
 : not.  That's pretty much boilerplate.
 :
 : My concern is how to prevent a non-authorized user from accessing or
 : hotlinking to non-ColdFusion pages (i.e., images, pdfs, swfs, .txt etc).
 :
 : What's the best way to ensure a user can't link directly to these items but
 : is instead redirected to login.cfm?
 :
 : Is there a way to lock down an entire directory?
 :
 : Thank you for all your help
 : Emile
 :

 : -
 : To unsubscribe from this list, manage your profile @
 : http://www.acfug.org?fa=login.edituserform
 :
 : For more info, see http://www.acfug.org/mailinglists
 : Archive @ http://www.mail-archive.com/discussion%40acfug.org/
 : List hosted by FusionLink http://www.fusionlink.com
 : -









 -- Original Message --

 FROM:  Teddy R. Payne teddyrpa...@gmail.com
 TO:discussion@acfug.org
 DATE:  Thu, 18 Dec 2008 13:25:15 -0500

 SUBJECT:   Re: [ACFUG Discuss] Blocking a ColdFusion website's directory

 Emile,
 From your description, you really need to define what authorized and not
 authorized means.

 This will help clarify to the people assisting you as to the approach they
 can suggest.

 As authorization and authentication often times are used
 interchangeably by developers when in fact they represent two distinctly
 different topics.

 Teddy R. Payne, ACCFD
 Google Talk - teddyrpa...@gmail.com




snip
Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread shawn gorrell
That isn't the function of sandboxes.

Here is a code sample of my previously described approach. It is primitive, but 
solves what you're trying to solve. Whatever directory your asset files live in 
should be set to no web access. CF will be able to get the files, but a web 
browser could not.

<cfif not (IsDefined("Session.Auth.IsLoggedIn") and Session.Auth.IsLoggedIn)>
	<cfinclude template="../login.cfm">
	<cfabort>
</cfif>

<cfparam name="url.filename" default="empty.txt">

<!--- Accept only a bare file name. A path separator or ".." in the request
      would let a caller walk out of the files directory, so refuse them. --->
<cfif Find("/", url.filename) or Find("\", url.filename) or Find("..", url.filename)>
	<cfheader statuscode="400" statustext="Bad Request">
	<cfabort>
</cfif>

<cfset thisPath = ExpandPath("*.*")>
<cfset DirectoryPath = GetDirectoryFromPath(thisPath)>
<cfset filepath = DirectoryPath & "files\">
<cfset thefile = filepath & url.filename>
<!--- ListLast rather than ListGetAt(..., 2): a name such as "q4.report.pdf"
      has more than two dot-separated parts. --->
<cfset fileext = LCase(ListLast(url.filename, "."))>

<cfswitch expression="#fileext#">
	<cfcase value="xls">
		<cfset mimetype = "application/vnd.ms-excel">
	</cfcase>
	<cfcase value="doc">
		<cfset mimetype = "application/msword">
	</cfcase>
	<cfcase value="pdf">
		<cfset mimetype = "application/pdf">
	</cfcase>
	<cfcase value="ppt">
		<cfset mimetype = "application/vnd.ms-powerpoint">
	</cfcase>
	<cfcase value="pps">
		<cfset mimetype = "application/vnd.ms-powerpoint">
	</cfcase>
	<cfcase value="txt">
		<cfset mimetype = "text/plain">
	</cfcase>
	<cfdefaultcase>
		<!--- Unknown extension: send a generic binary type rather than an empty one --->
		<cfset mimetype = "application/octet-stream">
	</cfdefaultcase>
</cfswitch>

<cftry>
	<cfheader name="Content-Disposition" value="inline; filename=""#url.filename#""">
	<cfcontent file="#thefile#" type="#mimetype#">

	<cfcatch>
		There was a problem retrieving your file.
	</cfcatch>
</cftry>





From: Emile Melbourne emile.melbou...@gmail.com
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 2:55:33 PM
Subject: Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory


Thanks guys for all your responses. 
 
Only users who have logged in/authenticated should be authorized to 
view these secured pdf files and images.  In the future, I imagine specific 
pdfs will be viewable to specific authenticated users, which I suppose would be 
the authorization topic Teddy is getting at. Am I right about this?
 
I'm going to test putting the files meant to be secure outside of the site root 
folder and getting it to work that way. 
 
I've also come across settings found in the ADOBE COLDFUSION ADMINISTRATOR 
meant to let users enable and disable access to specific files and directories:
   Security > Resource Security > check "Enable ColdFusion Sandbox Security"
 
Do you guys know if this is also a solution to this particular problem?
 
Thanks Again
Emile

 
On Thu, Dec 18, 2008 at 1:43 PM, Teddy R. Payne teddyrpa...@gmail.com wrote:

snip
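The controller pattern in Shawn's snippet (check the session, map a user-supplied name onto a file the web server will not serve directly, send it back with the right Content-Type), written out as an added example in Python rather than CFML; this is not code from the thread. The asset directory, the session layout and the /login.cfm redirect are assumptions, and the sample PDF is constructed in a temporary directory. It goes one step beyond the snippet: any name that is not a bare file name is refused, and the resolved path is checked to still sit inside the asset directory, so neither "../" nor a symlink inside the directory can reach other files.

```python
"""Authenticated file controller that confines requests to one private directory."""
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Only these extensions are ever served; anything else is treated as not found.
ALLOWED_TYPES = {
    ".pdf": "application/pdf",
    ".doc": "application/msword",
    ".xls": "application/vnd.ms-excel",
    ".ppt": "application/vnd.ms-powerpoint",
    ".pps": "application/vnd.ms-powerpoint",
    ".txt": "text/plain",
}


def safe_asset_path(filename: str, root: Path) -> Optional[Tuple[Path, str]]:
    """Return (absolute path, MIME type) for a bare, allowed file name inside root,
    or None for anything else (separators, '..', unknown extension, escape via symlink)."""
    if not filename or filename in (".", "..") or any(c in filename for c in "/\\\x00"):
        return None
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return None
    root = root.resolve()
    candidate = (root / filename).resolve()  # follows symlinks, normalises the path
    if candidate.parent != root:
        return None
    return candidate, ALLOWED_TYPES[ext]


def serve_file(session: Dict, filename: str, root: Path) -> Dict:
    """The controller: authenticate first, then confine the path, then answer.
    Returns a dict standing in for an HTTP response so it runs without a server."""
    if session.get("auth", {}).get("is_logged_in") is not True:
        # Anonymous request: send to the login page (assumed path), no file data.
        return {"status": 302, "headers": {"Location": "/login.cfm"}, "body": b""}
    resolved = safe_asset_path(filename, root)
    if resolved is None or not resolved[0].is_file():
        # Same answer for bad names and missing files: nothing to enumerate.
        return {"status": 404, "headers": {}, "body": b""}
    path, content_type = resolved
    headers = {
        "Content-Type": content_type,
        # The name is already separator-free; drop quote characters before quoting it.
        "Content-Disposition": 'inline; filename="%s"' % filename.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
    }
    return {"status": 200, "headers": headers, "body": path.read_bytes()}


def demo() -> Dict:
    """Constructed scenario: one PDF in a private directory and several requests.
    Returns the status each request received, plus the body of the good one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.pdf").write_bytes(b"%PDF-1.4 sample")
        anon = {}
        user = {"auth": {"is_logged_in": True}}
        return {
            "anon": serve_file(anon, "report.pdf", root)["status"],
            "logged_in": serve_file(user, "report.pdf", root)["status"],
            "body": serve_file(user, "report.pdf", root)["body"],
            "traversal": serve_file(user, "../etc/passwd", root)["status"],
            "win_traversal": serve_file(user, "..\\web.config", root)["status"],
            "dotdot": serve_file(user, "..", root)["status"],
            "source_file": serve_file(user, "Application.cfc", root)["status"],
            "missing": serve_file(user, "other.pdf", root)["status"],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value!r}")
```

The order of the checks is the point: the session is tested before the file name is looked at, the name is validated before the disk is touched, and unknown and forbidden names get the same 404 so a logged-in user cannot probe for what else is in the directory.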

Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Emile Melbourne
Hey Teddy,
That is by far great advice on how to tackle scalability, it makes sense.

There may be situations where this may not be a good tactic, such as when a one
to one connection between a pdf and the user account that owns it is
required.

However, I'd admit I would have overlooked that scalability solution you
brought up.  Glad you've mentioned how to manage it.

Shawn, what is the purpose of the files and directory settings in the
Sandbox? I suppose this should go into a separate thread.
Also, I'm testing your script now.


Emile
On Thu, Dec 18, 2008 at 3:11 PM, Teddy R. Payne teddyrpa...@gmail.com wrote:

 Emile,
 You are correct.  If you have authenticated users, you will eventually have
 to approach how to programmatically change the behavior of your PDF files.

 Advice that I can give you would be to avoid a scalability pitfall of
 assigning users to a particular file.  Instead, assign a role to a file and
 then assign a role to a user.  This way, you are not adding 1000 users to
 one file.  You may add 1000 users to a role, but that never changes your
 implementation of the role associated to a file.  Does that make sense?

 Teddy R. Payne, ACCFD
 Google Talk - teddyrpa...@gmail.com



 On Thu, Dec 18, 2008 at 3:03 PM, shawn gorrell chees...@yahoo.com wrote:

 snip
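Teddy's scheme from the quoted message above (roles attached to files, roles attached to users, never users attached to files), together with the one-to-one owner case Emile raises, as an added example in Python; this is not code from the thread, and the users, roles and documents are constructed for illustration.

```python
"""Role-based authorization for served documents: roles are attached to files
and to users; users are never attached to files directly (except as owner)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass
class Document:
    filename: str
    roles: FrozenSet[str] = frozenset()   # any one of these roles may view it
    owner: Optional[str] = None           # the one-to-one case: a user's own file


class AccessPolicy:
    """Deny by default. Adding a thousand users means a thousand role grants;
    the document's own role list never changes."""

    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._user_roles: Dict[str, Set[str]] = {}

    def add_document(self, doc: Document) -> None:
        self._docs[doc.filename] = doc

    def grant_role(self, user: str, role: str) -> None:
        self._user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def can_view(self, user: str, filename: str) -> bool:
        doc = self._docs.get(filename)
        if doc is None:
            return False
        if doc.owner is not None and doc.owner == user:
            return True
        return bool(self._user_roles.get(user, set()) & doc.roles)

    def authorize_download(self, user: str, filename: str) -> Tuple[int, Optional[Document]]:
        """Unknown and forbidden files get the same 404, so a logged-in user
        cannot use the response code to enumerate documents they may not see."""
        if not self.can_view(user, filename):
            return 404, None
        return 200, self._docs[filename]


def demo() -> Dict[str, object]:
    """Constructed catalogue: a board deck, a staff handbook and one user's payslip."""
    policy = AccessPolicy()
    policy.add_document(Document("q4-board-deck.pdf", frozenset({"board"})))
    policy.add_document(Document("handbook.pdf", frozenset({"staff", "board"})))
    policy.add_document(Document("alice-payslip.pdf", owner="alice"))

    policy.grant_role("alice", "staff")
    policy.grant_role("bob", "board")
    # carol is authenticated but holds no relevant role: authenticated != authorized
    policy.grant_role("carol", "contractor")

    # Scaling: 1000 new staff need 1000 grants and no change to any document.
    for i in range(1000):
        policy.grant_role(f"staff{i}", "staff")

    results = {
        "alice_handbook": policy.authorize_download("alice", "handbook.pdf")[0],
        "alice_deck": policy.authorize_download("alice", "q4-board-deck.pdf")[0],
        "alice_payslip": policy.authorize_download("alice", "alice-payslip.pdf")[0],
        "bob_deck": policy.authorize_download("bob", "q4-board-deck.pdf")[0],
        "bob_payslip": policy.authorize_download("bob", "alice-payslip.pdf")[0],
        "carol_handbook": policy.authorize_download("carol", "handbook.pdf")[0],
        "staff999_handbook": policy.authorize_download("staff999", "handbook.pdf")[0],
        "unknown_file": policy.authorize_download("bob", "nope.pdf")[0],
    }
    policy.revoke_role("alice", "staff")
    results["alice_handbook_after_revoke"] = policy.authorize_download("alice", "handbook.pdf")[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

The authorization check sits behind the authentication check the download controller already does: a user with a valid session but no matching role (carol here) gets the same 404 as a user asking for a file that does not exist.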

Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Dean H. Saxe

Emile,

I'll send you my Adobe Max presentation on this very topic  
(authorization), specifically addressing the different attack patterns  
and high level solutions appropriate for any language, though the  
examples are CF-specific.  It may take me a day or so until I get back  
to work and can forward it.  If anyone else wishes a copy drop me a  
line at dean.saxe [at] foundstone.com.


Thanks,
-dhs


Dean H. Saxe, CISSP, CEH
d...@fullfrontalnerdity.com
What difference does it make to the dead,  the orphans, and the  
homeless, whether the  mad destruction is wrought under the name of  
totalitarianism or the holy name of  liberty and democracy? 

--Gandhi



On Dec 18, 2008, at 5:24 PM, Emile Melbourne wrote:


snip

RE: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Charlie Arehart
Emile, the sandbox features are for protecting what files/dirs a CFML app
can access. It's intended to be used on a server where different developers
of different apps (on the same box) should not be able to access each
other's files, or files outside their purview. BTW, it's called Sandbox
Security in Enterprise, but it's called Resource Security on CF Standard.
I've done a pair of articles on the topic in the Adobe DevCenter (from  the
CFMX timeframe, but it's still applicable):

 

http://www.adobe.com/devnet/security/articles/sandbox_01.html

http://www.adobe.com/devnet/security/articles/sandbox_02.html

 

Hope that helps.

 

/charlie

 

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Emile Melbourne
Sent: Thursday, December 18, 2008 5:24 PM
To: discussion@acfug.org
Subject: Re: re[2]: [ACFUG Discuss] Blocking a ColdFusion website's
directory

 

snip

 

Shawn, what is the purpose of the files and directory settings in the
Sandbox? I suppose this should go into a separate thread.

 

 

Emile 



