HTTP security issue

Kelmo · August 21, 2001, 10:15pm

Hi,

I don’t know if this is the proper forum, if not, excuse me.

I have in one NT machine Apache Web Server and Tamino 1.2.1.5 DB.

When the application access to Tamino DB it does through the following URL: http://localhost/tamino/database_name/_XQL …
I can control access to the tamino virtual directory in Apache so nobody from Internet can access directly to my DB.

The problem is that I also store images (gif and jpg) in the DB so the URL to show them is : http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg
so the previous solution can’t be done.

Any ideas to protect my DB from external access?

Regards,

Kelmo

Stuart_Fyffe-Collins · August 22, 2001, 2:56pm

Tamino 1.2.1.5 is very old now, the current version of Tamino is 2.3.1.x. This version of Tamino has a security feature which should solve your problem.

Kelmo · August 24, 2001, 11:08pm

Yes, I know it’s an old version, but by the moment is the one I have.
I’m trying to acquire the last version but, by the moment, I don’t have the money.

Thanks for your answer,

kelmo

Christian_Campo1 · August 27, 2001, 3:04pm

If you protect http://localhost/tamino in your apache web server than it should work for both URLs.
- http://localhost/tamino/database_name/_XQL
- http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg

because they both start with http://localhost/tamino ???

christian campo

Kelmo · August 27, 2001, 3:58pm

Christian,

I know this fact and there is the problem I have. I want to allow users to access to my images (http://localhost/tamino/database_name/NXML_IMAGEN/image.jpg) but no to - http://localhost/tamino/database_name/_XQL)
And because both start with http://localhost/tamino, then I have to choose: Give access to averybody to my DB (and images) or no give access to nobody so nobody will have access to the images nor the DB)

Hope this clarifies my problem. Thanks again for your answers,

Kelmo

Christian_Campo1 · August 30, 2001, 3:05pm

As far as I know you can in Apache disallow
access to http://localhost/tamino and allow
access specifically to http://localhost/tamino/database_name/NXML_IMAGEN…
that should solve your problem.
christian campo

Kelmo · August 30, 2001, 6:25pm

Thank you Christian,

You were right, even when a virtual path is not defined specifically in Apache, I’m able to set special rights to it.

I have set deny access (except localhost) to the parent directory of the images’ path (/tamino) and allow rights to everybody for the virtual path where images are stored in the DB (/tamino/database/images)

Thanks a lot,

Kelmo

Gorka · October 4, 2001, 11:12pm

The problem refered in the tamino 1.2.1.5 does not look to be solved in version 2.3.1.4. It looks as if the only way to restrict access to nonXml documents is by playing with the apache configuration. Quite painful.
I really hope to be wrong but it looks as if tamino security does not get involved whenever you try to access any information with a plain URL’s.
Trying to explain myself.
Having a xml object:

Stored in the AllUsers collection.
Access to the info in the form
<A HREF=“http://localhost/.../AllUser?_xql=ApplUser[@ino:id=“1”]” TARGET=_blank>http://localhost/.../AllUser?_xql=ApplUser[@ino:id=“1”]
can be protected by the ino:security collection, but read access is ALWAYS GRANTED for calls in the form
http://localhost/.../AllUser/ApplUser/@1
This work’s for nonXml an XML object’s!!!
Ok, this can be solved by apache policies but then i find reasonable to give 25% of tamino fees to apache.