Dov Rosenberg wrote:
How would a proxy server affect the equation? One thought was to use a proxy
server to validate the user, and see if that authorization flag can be
passed along to any embedded links within the page. We could then use a
filter to inspect the HTTP header on the request and determine if the user
has been authenticated before allowing the request to go forward.

Thanks in advance

Dov


On 12/13/05 12:13 PM, "Ryan Slack" <[EMAIL PROTECTED]> wrote:


Dov Rosenberg wrote:

Our application has its own security model that controls access to our
information based on our own roles and permissions. We store files related
to our application on the file system where our application is running.
These associated files are served out by a web server. Our goal is to come
up with a scheme where we could apply our security model to control access
to these files via the web server. For example - someone associates a PDF
with some meta data. We don't want the user to be able to bookmark the
underlying URL and email it to their friends for them to download without
having them authenticated by our service.

We are looking at a couple of different ideas.

1. Create a servlet filter to sit in front of the resources requests and
somehow tie that into our application logic
2. Create a regular proxy type of servlet that can accept requests and
validate them using our security model
3. Figure out a way to secure the filesystem using a Proxy server of some
type.

Any other thoughts or ideas are appreciated. Thanks in advance




Filter and container enforced security is mainly good for pattern based
criteria. Are you looking to give permissions based on a name pattern,
like *.pdf, or somedir/*.pdf? Otherwise you need a database of
permissions and mappings, such as what JAAS/SecurityManager based
applications rely on.
On top of that, your options may be limited by how your security model
works. For example, you /could/ use a separate servlet ala web.xml, but
if your security model relies on all requests going through one servlet,
you're better off with a filter.

Savvy?
--Ryan


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]









What kind of proxy server do you mean? A proxy servlet? An HTTP proxy server (like Squid or Apache)? If you really want to use a proxy server sure, but why not just use a filter and the session? Do you really expect to get that many 'bad' requests as to load your web-server beyond its capacity?

Also, I don't see how this is really Tapestry related, or even Tomcat for that matter, seeing as your "application has its own security model".

Savvy?
--Ryan
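
The "filter and the session" approach discussed in this thread, as an added example that is not code from any of the posters. The PermissionChecker interface, the "permissionChecker" context attribute and the "userId" session attribute are hypothetical stand-ins for the application's own security model; the filter would be mapped in web.xml to the URL pattern the files are served from.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class FileAccessFilter implements Filter {

    /** Hypothetical hook into the application's own roles and permissions. */
    public interface PermissionChecker {
        boolean canRead(String userId, String resourcePath);
    }

    private PermissionChecker checker;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the application stores its checker in the ServletContext at startup.
        checker = (PermissionChecker) cfg.getServletContext().getAttribute("permissionChecker");
        if (checker == null) {
            throw new ServletException("permissionChecker not configured");
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Identity comes from the server-side session, not from a request header
        // the client could set itself. getSession(false) creates no new session.
        HttpSession session = req.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login required");
            return;
        }
        // Path inside the web application, as decoded by the container.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        if (path.contains("..") || !checker.canRead(userId, path)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }
        // Keep the protected file out of shared caches between client and server.
        res.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

A bookmarked or e-mailed URL then returns 403 to anyone without a session that the permission model accepts, provided the files are reachable only through the mapped pattern.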

