Hi, Alex.

Given that Apache is serving the file and that we only want to protect several files placed in a specific folder, your suggestion of adding some token to URLs pointing at that folder, and making Apache deliver them, seems to be a good solution.

You have talked about Perl and mod_perl. I understand that you can override htaccess to use a self-made bit of Perl code that processes it and checks the token. Is this right?

I know very little about Apache programming. Do you have by chance some code example of these 5 lines of Perl that would check GET_URL?

Thanks in advance. Regards.

Alex Bligh wrote:

Daniel,

--On 29 June 2012 10:38:24 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:

> I'm not sure I understand this approach at all, but anyway, I think that will not be valid for us.
>
> Drupal's restricted access to the video works fine, but at the moment that some authorized user can see the video, he can see the video's URL in the page or in the embed code that we publish for every video. So if that user pastes the URL in the browser, he has direct access to the video. Drupal doesn't notice this access and it is Apache that must handle it. And Apache's protection is sent in plain text unless we serve the video over SSL.

The answer here really is 'well don't do that then'. Quite apart from anything else, do you really want credentials (even with digest auth) going over http at all?

Rather than use http authentication to mediate access to the video, use a token (that can be in the GET URL, in a cookie, whatever) to prove that the user is authorised to serve that video, and get Drupal / whatever to check it. Ensure that access via the 'URL' (meaning the URL without the token) just does not work. If your token is (e.g.) 256 bits, and linked in the manner I described to a particular user, video, and time period, then (a) if it is intercepted, the worst that can happen is someone gets access to one video for a 10 second interval, and (b) no user credentials are passed in the plain - you can even hide the username. Guessing 256 bit numbers is not easy. (re my previous reply, you might want to hash the video name too in case that was not obvious)

I'm not familiar with Drupal but I am with Wordpress, and you'd just write a bit of php to do it. If what you are saying is that Apache is just serving a file, 5 lines of perl and mod_perl can check a GET URL in the manner I suggested.

If you really want to use custom authentication, you can do that either by writing your own authentication module (which I've done several times in C) or use mod_auth_external or similar. However, be warned: you may find the storage format used is fundamentally incompatible (at an algorithm level rather than a code level) with digest authentication. You might find it easier to switch Drupal to using digest authentication too. I have no idea whether that is possible.

--
Daniel Merino Echeverría
daniel.merino@xxxxxxxxxxx
E-learning manager - Centro Superior de Innovación Educativa.
Tel.: 948-168489 - Universidad Pública de Navarra.
--
We thought we were going to change the world, and we can hardly even change mobile phone companies. (Forges)
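
The token check discussed in this thread, as an added example that is not code from either poster: a signed, expiring link for one user and one video, and the check that refuses the bare URL. The HMAC-SHA256 construction, the parameter names `u`, `e` and `t`, the secret and the sample path are assumptions made for illustration, and wiring `check_url` into a mod_perl handler is not shown.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: a secret known to the page generator and to the checker only,
# and URL-safe user names and paths (no percent-decoding is done here).
my $SECRET = 'constructed-demo-secret-change-me';
my $TTL    = 10;    # seconds a link stays valid, as in the thread

# 256-bit token bound to the user, the video path and the expiry time.
sub make_token {
    my ($user, $path, $expires) = @_;
    return hmac_sha256_hex(join("\n", $user, $path, $expires), $SECRET);
}

# The link the CMS would publish for one authorised user and one video.
sub signed_url {
    my ($user, $path, $now) = @_;
    my $expires = $now + $TTL;
    return "$path?u=$user&e=$expires&t=" . make_token($user, $path, $expires);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Return 1 only for a well-formed, unexpired token made for this exact path.
sub check_url {
    my ($url, $now) = @_;
    my ($path, $query) = split /\?/, $url, 2;
    return 0 unless defined $query;    # URL without a token: refuse
    my %p = map { my ($k, $v) = split /=/, $_, 2; ($k => $v // '') }
            grep { length } split /&/, $query;
    for my $k (qw(u e t)) { return 0 unless defined $p{$k} }
    return 0 unless $p{u} =~ /\A[\w.-]+\z/;
    return 0 unless $p{e} =~ /\A[0-9]+\z/ && $now <= $p{e};
    return same_string($p{t}, make_token($p{u}, $path, $p{e}));
}

# Constructed sample run: prints allow, deny, deny, deny.
my $now = 1340959104;
my $url = signed_url('daniel', '/videos/lecture01.mp4', $now);
(my $other = $url) =~ s/lecture01/lecture02/;
for my $case (["fresh link", $url, $now + 5], ["expired link", $url, $now + 11],
              ["token reused on another video", $other, $now + 5],
              ["URL without token", '/videos/lecture01.mp4', $now + 5]) {
    my ($label, $u, $t) = @$case;
    printf "%-5s %s\n", (check_url($u, $t) ? 'allow' : 'deny'), $label;
}
```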