Hi, Alex.
Given that Apache is serving the file and that we only want to protect
several files placed in a specific folder, your suggestion of adding
some token to URLs pointing at that folder, and making Apache deliver
them, seems to be a good solution.
You have talked about perl and mod_perl. I understand that you can
override htaccess to use a self-made bit of Perl code that processes it
and checks the token. Is this right?
I know very little about Apache programming. Do you have by chance some
code example of these 5 lines of Perl that would check GET_URL?
Thanks in advance.
Regards.
Alex Bligh wrote:
Daniel,
--On 29 June 2012 10:38:24 +0200 Daniel Merino
<[email protected]> wrote:
I'm not sure I understand this approach at all, but anyway, I think
that will not be valid for us.
Drupal's restricted access to the video works fine, but the moment
that some authorized user can see the video, he can see the video's URL
in the page or in the embed code that we publish for every video.
So if that user pastes the URL in the browser, he has direct access to
the video. Drupal doesn't notice this access and it is Apache that must
handle it.
And Apache's protection is sent in plain text unless we serve the video
over SSL.
The answer here really is 'well don't do that then'. Quite apart from
anything else, do you really want credentials (even with digest auth)
going over http at all?
Rather than use http authentication to mediate access to the video, use a
token (that can be in the GET URL, in a cookie, whatever) to prove that
the user is authorised to serve that video, and get Drupal / whatever to
check it. Ensure that access via the 'URL' (meaning the URL without the
token) just does not work. If your token is (e.g.) 256 bits, and linked
in the manner I described to a particular user, video, and time period,
then (a) if it is intercepted, the worst that can happen is someone gets
access to one video for a 10 second interval, and (b) no user credentials
are passed in the plain - you can even hide the username. Guessing 256 bit
numbers is not easy.
(re my previous reply, you might want to hash the video name too in
case that was not obvious)
I'm not familiar with Drupal but I am with Wordpress, and you'd just
write a bit of php to do it. If what you are saying is that Apache is
just serving a file, 5 lines of perl and mod_perl can check a GET URL in
the manner I suggested.
If you really want to use custom authentication, you can do that either
by writing your own authentication module (which I've done several times
in C) or use mod_auth_external or similar. However, be warned: you may
find the storage format used is fundamentally incompatible (at an
algorithm level rather than a code level) with digest authentication. You
might find it easier to switch Drupal to using digest authentication too.
I have no idea whether that is possible.
--
Daniel Merino Echeverría
[email protected]
E-learning manager - Centro Superior de Innovación Educativa.
Tel: 948-168489 - Universidad Pública de Navarra.
--
We thought we were going to change the world and we can barely even
change our mobile phone company. (Forges)
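
The token check discussed in this thread, sketched as an added example (not code from either poster or from Drupal): a mod_perl 2 access handler that rejects any request without a valid, unexpired token bound to a user, a video path and an expiry time. Assumptions: the module name `VideoToken`, the query parameters `u`, `e` and `t`, the HMAC-SHA256 construction, and the shared secret are all hypothetical choices, since the exact scheme from the earlier reply is not quoted here.

```perl
package VideoToken;   # hypothetical module name
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a secret shared by the page generator (e.g. Drupal) and Apache.
my $SECRET = $ENV{VIDEO_TOKEN_SECRET} // 'constructed-demo-secret';

# Token = HMAC-SHA256 (256 bits) over opaque user id, video path and expiry.
sub make_token {
    my ($user, $path, $expires) = @_;
    return hmac_sha256_hex(join("\0", $user, $path, $expires), $SECRET);
}

# True only for a well-formed, unexpired token matching this user and path.
sub check_token {
    my ($user, $path, $expires, $token, $now) = @_;
    return 0 unless defined $user && defined $expires && defined $token;
    return 0 unless $expires =~ /\A\d+\z/ && $token =~ /\A[0-9a-f]{64}\z/;
    return 0 if $now > $expires;
    my $want = make_token($user, $path, $expires);
    my $diff = 0;   # compare all 64 hex digits without an early exit
    $diff |= ord(substr($want, $_, 1)) ^ ord(substr($token, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Apache config: PerlAccessHandler VideoToken::handler (inside the video folder).
# $r->uri is the decoded path; the generator must sign that same form.
sub handler {
    my $r = shift;
    my %q = map { /\A([^=]+)=(.*)\z/s ? ($1 => $2) : () } split /&/, ($r->args // '');
    # 0 and 403 are the values of Apache2::Const::OK and Apache2::Const::FORBIDDEN.
    return check_token($q{u}, $r->uri, $q{e}, $q{t}, time) ? 0 : 403;
}

# Stand-alone run with constructed values (skipped when Apache loads the module).
unless (caller) {
    my ($user, $path, $now) = ('u1842', '/videos/lesson1.mp4', time);
    my $exp = $now + 10;   # 10 second validity window
    my $tok = make_token($user, $path, $exp);
    printf "valid token:     %d\n", check_token($user, $path, $exp, $tok, $now);
    printf "other video:     %d\n", check_token($user, '/videos/other.mp4', $exp, $tok, $now);
    printf "after expiry:    %d\n", check_token($user, $path, $exp, $tok, $now + 11);
    printf "no token at all: %d\n", check_token(undef, $path, undef, undef, $now);
}
1;
```

The page that embeds the video would call `make_token` with the same secret when it builds the link, so the URL a user copies stops working once the expiry passes.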