Mike Looijmans
nlv11281 at natlab.research.philips.com
Mon Jun 12 02:51:57 EDT 2006
Implementing an authentication handler is not so hard. You could also use a random(ish) cookie for authentication (only supply the file when the user has a cookie from an earlier request).

Another option is to embed that cookie in the file path, e.g. you make links like:

http://myserver.my.domain/myplace/SGTY134S45SFT/document.pdf

A python handler verifies the weird 'SGTY134S45SFT' part of the request and uses the sendfile function if that checks out ok.

Tip: Make sure that the generation creates the same code the next time the same user requests the same file (e.g. MD5 of some secret, filename, IP address and user name). This makes it possible for him to still cache the result.

On intranet networks, using something like SPNEGO for authentication is very user friendly as your users need only log in to a Windows or Linux machine once, and need not type passwords or anything to authenticate (when using IE or Firefox). The administrative part is a pain to set up, but fortunately, that is a task system management must do and not the web master... It makes authentication as simple as just reading the req.user string value.

--
Mike Looijmans
Philips Natlab / Topic Automation

Rui Miguel Justino wrote:
> Hello,
> Thanks for the quick replies. I have been on this subject for the last
> couple of days, and did not find a good answer to this. My project will
> be on top of a python platform so it is good to hear the opinion of people
> who also understand the basics (apache).
>
> I'm looking for some type of solution that is secure and easy to
> implement and doesn't bring a bigger cost to the rest of the application.
> I will look with more attention to the directions you both have pointed
> out. I will definitely have to use authentication and then I can
> probably control the access to files with the Referer header. I will study
> the viability of it.
>
> On 6/9/06, *Deron Meranda* <deron.meranda at gmail.com
> <mailto:deron.meranda at gmail.com>> wrote:
>
> > On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com
> > <mailto:rmcjustino at gmail.com>> wrote:
> > > Is it possible to differentiate between a request to a file of type
> > > (pdf, png, etc) made by a psp page and a direct request made by a
> > > user who is trying to access these files directly?
> > >
> > > Sorry if it is confusing. The purpose here is to only give access
> > > to files for users who have authenticated to the application, but even
> > > those users will only have access to files that show up in the
> > > application (webpage). And if those users are trying to guess file
> > > names they will not have access to the files.
> >
> > As Nicolas said, usually the Referer header is used as a simple check.
> > That can even be done using just Apache directives with no mod_python
> > work if you want.
> >
> > However, if you're willing to put in more work and you don't want
> > to actually use authentication, you can make use of dynamically
> > generated hard-to-guess URLs for your images.
> >
> > Essentially when you output the HTML page which contains the
> > <img> link (or other linking element) you generate URLs with
> > lots of random characters. Then either record those URLs in
> > a database of sorts, or perhaps encrypt or sign them (the standard
> > Python 'hmac' module may be useful). And finally have a mod_python
> > handler accept all those URLs and serve the file contents only if
> > the URL verification works. Eventually you remove the valid
> > URLs from your database (or they expire if you recorded a
> > date in them before HMAC signing).
> >
> > There's lots of details I left out, but it should give you the idea.
> > --
> > Deron Meranda
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
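As an added example (not code from this thread or from mod_python itself), here is the signed-path scheme that Mike and Deron describe, with the token bound to the file name, the authenticated user and an expiry time. It uses an HMAC as Deron suggests rather than a plain MD5 of secret and data, and the `SECRET`, `FILE_ROOT` and `/myplace/` prefix are assumptions for the demo; a mod_python handler would call `verify(req.uri, req.user)` and pass the result to `req.sendfile`, returning `apache.HTTP_FORBIDDEN` when it is `None`.

```python
# Added example: HMAC-signed file links of the form
#   /myplace/<expires>-<mac>/<filename>
# The same user asking for the same file before expiry gets the same link,
# so the browser can still cache the result (Mike's tip).
import hashlib
import hmac
import os

SECRET = b"constructed-demo-secret-rotate-in-production"  # assumption: real value comes from config
FILE_ROOT = "/srv/protected"                                # assumption: directory the handler serves
PREFIX = "myplace"                                          # first path component, as in the thread


def _mac(filename, user, expires):
    """Keyed MAC over file name, user and expiry; 32 hex chars is plenty here."""
    msg = "%s|%s|%d" % (filename, user, expires)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()[:32]


def make_link(filename, user, expires):
    """Build the link the HTML page embeds for this user and file."""
    return "/%s/%d-%s/%s" % (PREFIX, expires, _mac(filename, user, expires), filename)


def verify(path, user, now):
    """Return the absolute file to send, or None if the request must be refused."""
    parts = path.split("/", 3)          # ['', 'myplace', '<expires>-<mac>', '<filename>']
    if len(parts) != 4 or parts[1] != PREFIX:
        return None
    token, filename = parts[2], parts[3]
    try:
        exp_str, mac = token.split("-", 1)
        expires = int(exp_str)
    except ValueError:
        return None                     # malformed token
    if expires < now:
        return None                     # link has expired
    # Constant-time comparison: a guessed or edited token must fail the same way.
    if not hmac.compare_digest(mac, _mac(filename, user, expires)):
        return None
    # Even a correctly signed name must resolve inside FILE_ROOT (no ".." escapes).
    full = os.path.realpath(os.path.join(FILE_ROOT, filename))
    if not full.startswith(FILE_ROOT + os.sep):
        return None
    return full
```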