Thanks for the hint, Joshua. Forgot to mention: the session management and authentication are managed by the J2EE application. The sessions are tracked by cookies and the proxy Apache can have access to the database.

I will check the mod_auth_cookie module, but I am also interested in the solution with CGI scripts. Could you send me or direct me to some examples on the internet?

Dimitar

From: Joshua Slive <jslive@xxxxxxxxx>
Date: 04/18/2005 12:51 PM
Reply-To: users@xxxxxxxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Using apache as proxy with another Apache and JBoss

On 4/18/05, DGeorgie@xxxxxxxxx <DGeorgie@xxxxxxxxx> wrote:
> The only obstacle we have is how to make sure that only authenticated users
> have access to the multimedia files. Any ideas?

That depends on how you are tracking sessions.

Assuming you are using cookies, the most basic option is to have apache verify the cookie before sending the file. There are lots of ways to do this, including mod_auth_cookie-type modules, cgi scripts, etc.

If that is not feasible (perhaps because the apache proxy doesn't have access to the database containing the approved session cookies), then you would need to design some other method to pass a session back to apache. An example would be cryptographically signing some random value and putting it in the URL, then having apache check the signature before sending the file. This would probably require a cgi script.

The easy way out is to simply check the Referer request header, but this would be totally insecure.

Joshua.
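
The signed-URL approach described in the reply above, as an added example that is not part of the original thread or anyone's posted code. It assumes a secret shared between the J2EE application and the proxy-side CGI script, uses HMAC-SHA256 as the signature, adds an expiry time to the random value, and the query parameter names `e`, `n` and `s` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: one secret shared by the J2EE application (signer) and the
# proxy-side CGI script (verifier). Constructed value; load it from a
# protected file in a real deployment.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _mac(key, path, expires, nonce):
    # Bind the signature to the exact file, its expiry and the random value.
    msg = "\n".join((path, str(expires), nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path, ttl=300, key=SHARED_KEY, now=None):
    """Application side: called only after the session is authenticated."""
    expires = int(time.time() if now is None else now) + ttl
    nonce = secrets.token_hex(8)
    query = urlencode({"e": expires, "n": nonce,
                       "s": _mac(key, path, expires, nonce)})
    return f"{path}?{query}"


def verify_url(url, key=SHARED_KEY, now=None):
    """Proxy side: return the path to serve, or None to answer 403."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["e"][0])
        nonce, sig = q["n"][0], q["s"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameters
    expected = _mac(key, parts.path, expires, nonce)
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > expires:
        return None  # link was valid once but has expired
    return parts.path


if __name__ == "__main__":
    link = sign_url("/media/clip42.mpg")
    print(link, "->", verify_url(link))
```

Because the path is part of the signed message, a link issued for one file cannot be reused for another, and the expiry limits how long a leaked link remains usable.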
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.