Re: Authenticating pipelines called from a cron job

Wed, 09 May 2007 06:22:18 -0700 

Sanket Pattekar wrote:

Thanks for the reply...

As Ard pointed out I need to have an external pipleine for the cron.

In our environment, we have internet and intranet URLs that are
accessible. I can put a check that would only allow the pipeline to be
executed from intranet, but that is not what I need.

I need to check(in the cron pipeline) that it is being executed by the
CRON JOB and not by any external user request. This is the only way I
can prevent unauthorized access to the cron pipeline.
Why not simply add a request parameter to the request from the CRON JOB, somethink like: 

http://www.your-server.foo/your-pipeline?param=value.
The name 'param' (and possibly its 'value') would be mandatory for a proper execution and your in fact the only one who knows the name (and its value) of 'param'. External users would not know about that param, and you can simply test for the existence of the param (and also the correct value, if needed). If the wrong param (and value) is given, you redirect the request to another pipeline to avoid the cron pipeline being executed. 



Thanks
Sanket


On 5/9/07, Ard Schrijvers <[EMAIL PROTECTED]> wrote:

Hello,
think I kind of know the setup of Sanket: he needs an external pipeline, because a host needs to be matched.
@Sanket: you might add a "non-external-existing" host in your sites.xconf, and use external pipeline. From the outside, nobody will be able to run this one, right. Or, you do have a normal external pipeline, but you add the port number your cocoon instance is running under, and you make sure this request cannot be done from "outside" 

Ard

>
> Hi Sanket,
>
> do I understand you correct. You want your cronjob to execute an
> external pipeline on the same cocoon instance the cron job is
> runing and
> want to prevent external users from accessing the same pipeline
> manually? Why not use an internal pipeline instead? You could
> create an
> internal pipeline and har code authentication in this pipeline
>
>             <map:pipeline internal-only="true">
>                  <map:match pattern="some-cron-pipeline">
>                     <map:act type="auth-login">
>                        <map:parameter name="handler"
> value="authhandler"/>
>                        <map:parameter name="parameter_username"
> value="{request-param:username}"/>
>                        <map:parameter name="parameter_password"
> value="{request-param:password}"/>
>                        <map:parameter name="session-timeout"
> value="540"/>
>                        <map:act type="auth-protect">
>                            <map:parameter name="handler"
> value="authhandler"/>
>                            <map:generate/>
>                            <map:transform/>
>                             <map:serialize/>
>                        </map:act>
>                     </map:act>
>                 </map:match>
>
> Havent tested this thogh ...my CronJobs don't need
> authentication since
> they are internal pipelines and I allways know who I am ;)
>
> Chris
>
> Sanket Pattekar schrieb:
> > Hi,
> >
> > I am using a cron job that fires daily, which call the pipeline as
> > follows
> >
> > <component
> > class="org.apache.cocoon.components.cron.CocoonPipelineCronJob"
> > logger="core"
> > role="org.apache.cocoon.components.cron.CronJob/pipeline-daily">
> >     <pipeline>some-external-pipeline</pipeline>
> >    </component>
> >
> > The above cron job uses an extaernal pipeline, it can also
> be accessed
> > by the external user. I want to prevent the same, and some
> > authentication, so that this pipeline is only executed when called
> > from a cron job and not explicitly.
> >
> > Is there any I can check the same.
> >
> > Sanket
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
Andre H. Juffer              | Phone: +358-8-553 1161
The Biocenter and            | Fax: +358-8-553-1141
    the Dep. of Biochemistry | Email: [EMAIL PROTECTED]
University of Oulu, Finland  | WWW: www.biochem.oulu.fi/Biocomputing/
NordProt                     | WWW: www.nordprot.org

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to