HTTP security issue

Hi,

I don’t know if this is the proper forum, if not, excuse me.

I have Apache Web Server and Tamino 1.2.1.5 DB on one NT machine.

When the application accesses the Tamino DB, it does so through the following URL: http://localhost/tamino/database_name/_XQL
I can control access to the tamino virtual directory in Apache so nobody from the Internet can access my DB directly.

The problem is that I also store images (gif and jpg) in the DB, so the URL to show them is: http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg
so the previous solution can’t be used.

Any ideas to protect my DB from external access?

Regards,

Kelmo

Tamino 1.2.1.5 is very old now, the current version of Tamino is 2.3.1.x. This version of Tamino has a security feature which should solve your problem.

Yes, I know it’s an old version, but at the moment it is the one I have.
I’m trying to acquire the latest version but, at the moment, I don’t have the money.

Thanks for your answer,

kelmo

If you protect http://localhost/tamino in your Apache web server then it should work for both URLs.
- http://localhost/tamino/database_name/_XQL
- http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg

because they both start with http://localhost/tamino ???

christian campo

Christian,

I know this fact, and that is the problem I have. I want to allow users to access my images (http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg) but not http://localhost/tamino/database_name/_XQL.
And because both start with http://localhost/tamino, I have to choose: give everybody access to my DB (and images), or give access to nobody, so nobody will have access to the images or the DB.

Hope this clarifies my problem. Thanks again for your answers,

Kelmo

As far as I know, in Apache you can disallow access to http://localhost/tamino and allow access specifically to http://localhost/tamino/database_name/NXML_IMAGEN. That should solve your problem.
christian campo

Thank you Christian,

You were right, even when a virtual path is not defined specifically in Apache, I’m able to set special rights to it.

I have set deny access (except localhost) to the parent directory of the images’ path (/tamino) and allow rights to everybody for the virtual path where images are stored in the DB (/tamino/database/images)

Thanks a lot,

Kelmo
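
The arrangement described in the post above, written out as an added Apache configuration example (not part of the original thread and not the poster's actual configuration). It assumes the Order/Allow/Deny syntax of Apache 1.3/2.2 and the placeholder names database_name and NXML_IMAGEN used in the thread; the method limit and the query-string rule are extra precautions assumed here, not something the thread reports.

```apache
# Added example. Apache 1.3/2.2 access-control syntax; the Apache 2.4
# equivalent of each rule is given in the comment above it.

# 1. Default for everything under /tamino (including .../_XQL):
#    only requests from the local machine are accepted.
#    Apache 2.4 equivalent: Require local
<Location /tamino>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# 2. Exception for the image path. <Location> sections are applied in the
#    order they appear, so this more specific block must come AFTER the
#    /tamino block in order to override it.
#    Apache 2.4 equivalent: Require all granted
<Location /tamino/database_name/NXML_IMAGEN>
    Order allow,deny
    Allow from all

    # Assumption: fetching an image needs only GET and HEAD,
    # so every other method is refused on this path.
    # Apache 2.4 equivalent inside the block: Require all denied
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

# 3. <Location> matches the URL path only, not the query string.
#    Assumption: images are always requested without a query string,
#    so any request to the image path that carries one is rejected
#    with 403. Requires mod_rewrite to be loaded.
RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteRule ^/tamino/database_name/NXML_IMAGEN - [F]
```

After reloading Apache, a request for the _XQL URL from another host should return 403 while the image URL still loads.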

The problem referred to in Tamino 1.2.1.5 does not look to be solved in version 2.3.1.4. It looks as if the only way to restrict access to non-XML documents is by playing with the Apache configuration. Quite painful.
I really hope to be wrong, but it looks as if Tamino security does not get involved whenever you try to access any information with a plain URL.
Trying to explain myself.
Having an XML object:



Stored in the AllUsers collection.
Access to the info in the form
http://localhost/…/AllUser?_xql=ApplUser[@ino:id="1"]
can be protected by the ino:security collection, but read access is ALWAYS GRANTED for calls in the form
http://localhost/…/AllUser/ApplUser/@1
This works for non-XML and XML objects!!!
OK, this can be solved by Apache policies, but then I find it reasonable to give 25% of Tamino fees to Apache.
:wink: