Brian wrote at 2006-5-8 13:19 -0500:
>I have a flash app that accesses .xml files.
>
>The source is viewable and some creative crackers have figured out how to
>meld a url together to get vital information from those .xml's.
>
>I need to prevent the web client from directly accessing them.
>
>Is there a directive (such as Apache's) or mechanism to keep web clients
>from accessing yet allow my app to access these files?

As others reported, there is no easy solution.

However, flash is probably intelligent enough that it could be able to implement what I call the "trusted application" concept.

A trusted application somehow contains a secret (something like "application_id" and "application_password") it can use to prove to the server that it has sent the request (and not some other application).

Kerberos is a standard protocol to implement trusted applications (among others). If you do not have Kerberos, you can do something similar of your own. Look at HTTP Digest Authentication to learn how the application can send its secret in an uncompromising way.

On the server side, you make your resources inaccessible by untrusted access and use a script (probably an "ExternalMethod") that checks the application credentials and grants access to your sensible resources only when it can prove the application is trusted.

--
Dieter
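
One way the server-side check described in the reply could look, as an added example that is not part of the original message: a digest-style challenge-response built on HMAC-SHA256 (not HTTP Digest itself), so the secret never travels with the request. The names `APP_SECRETS`, `issue_challenge`, `sign_request` and `check_request` and the sample secret are hypothetical, and the example assumes the secret is known only to the application and the server.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; a real deployment would load them from
# server-side configuration that web clients cannot fetch.
APP_SECRETS = {"flash-viewer": b"constructed-sample-secret"}
NONCE_TTL = 60  # seconds a challenge stays valid
_issued = {}    # nonce -> expiry time, for challenges not yet used


def issue_challenge(now=None):
    """Server: hand the client a fresh one-time nonce."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    _issued[nonce] = now + NONCE_TTL
    return nonce


def sign_request(app_id, secret, nonce, path):
    """Client side of the exchange: prove knowledge of the secret
    without sending it, bound to one nonce and one resource path."""
    msg = "\n".join((app_id, nonce, path)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_request(app_id, nonce, path, response, now=None):
    """Server: grant access only for a valid, fresh, unreplayed response."""
    now = time.time() if now is None else now
    expiry = _issued.pop(nonce, None)  # pop makes every nonce single-use
    secret = APP_SECRETS.get(app_id)
    if expiry is None or now > expiry or secret is None:
        return False
    expected = sign_request(app_id, secret, nonce, path)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), response.encode())
```
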
