jakarta-general mailing list archives

From "Andrew Cockburn" <acockb...@aqualog.co.uk>
Subject Re: ? about protect resources
Date Sat, 13 Jan 2001 11:19:53 GMT
I have solved a similar problem and I did use basic auth.

The trick to avoid the popup authentication is to use a URL of the form:

http://<user>:<password>@www.x.y.com

This gets you straight through to the resource, and will only pop up a window
if the username and password are wrong. This means you need to generate a
link on your page somehow with the username and password embedded which is
insecure, but not as bad as no security. You can hide this somewhat by
putting it in a JavaScript routine so that the password is not visible in
the status bar when the user hovers over the link - this means that someone
has to go actively looking through the page source to find it.

The final piece of the jigsaw is to write a utility that will generate
access files for your webserver (maybe from usernames and passwords in your
database?) - this is relatively easy if you are using Apache, I haven't
tried any other. The only difficulty is encrypting passwords in the password
file, and I found a class to do that for me.

Hope this helps,

Regards,

Andrew

----- Original Message -----
From: <Soch88@aol.com>
To: <general@jakarta.apache.org>
Sent: Friday, January 12, 2001 8:06 PM
Subject: ? about protect resources


> Hi, we have some pdf's on our server- sensitive info. Right now u can
> enter url that hits those pdf's directly and download them. That is not
> good of course we need security. Need to check if they are currently
> logged in, or at least if they have our cookies with a uid and pw on it.
> Of course there is basic authentication, but we want to avoid that for
> that ugly pop up login screen. So wondering from the webserver level, if
> there is a way that you can protect directory, with the criteria for
> accessing that directory being a session cookie. Is there a module you
> can configure, u can tell it what cookie to look for (eg. sessionid),
> maybe even see if that sessionid is currently valid. Any other
> possibilities to do it without basic auth and those pop up logins.
> Thanks, Jake
>
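
The reply above notes that a `http://<user>:<password>@host` link leaves the credentials in the page source even when it is moved into a JavaScript routine. The following Python example audits generated HTML for such URLs in link attributes, event handlers and inline script; it is an added example, not code from this thread, and the sample page, usernames and passwords in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches URLs whose authority part carries "user:password@".
URL_WITH_USERINFO = re.compile(r"""(?:https?|ftp)://[^\s/'"<>@]+:[^\s/'"<>@]*@[^\s'"<>]+""", re.I)
URL_ATTRS = {"href", "src", "action", "data"}

class CredentialLinkAuditor(HTMLParser):
    """Collects URLs with embedded credentials from attributes and inline script."""
    def __init__(self):
        super().__init__()
        self.findings = []        # (location, host, username); the password is never stored
        self._in_script = False

    def _record(self, where, url):
        parts = urlsplit(url)
        if parts.password is not None:
            self.findings.append((where, parts.hostname, parts.username))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self._record(f"<{tag} {name}>", value.strip())
            elif value and name.startswith("on"):   # e.g. onclick="location='http://u:p@host/'"
                for m in URL_WITH_USERINFO.finditer(value):
                    self._record(f"<{tag} {name}>", m.group())

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:       # the "hidden in a JavaScript routine" case
            for m in URL_WITH_USERINFO.finditer(data):
                self._record("<script>", m.group())

def audit(html):
    auditor = CredentialLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one plain link, one public link, one link hidden in script.
SAMPLE = """<html><body>
<a href="http://alice:s3cret@www.x.y.com/docs/report.pdf">Report</a>
<a href="http://www.x.y.com/public/index.html">Public</a>
<a href="#" onclick="openDoc()">Hidden</a>
<script>function openDoc(){ window.location = "http://bob:hunter2@www.x.y.com/docs/plan.pdf"; }</script>
</body></html>"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Both the visible link and the one moved into the script are reported, which shows that the JavaScript wrapper only hides the password from the status bar, not from anyone or anything that reads the page.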

