How to control access to resourses (pictures and files) inside application?
cass...@gmail.com
that should be accessed only by authorized people. Where should I put
this files inside the directory tree to avoid users typing the direct
path to the file and getting it without being logged to the
application?
Thank you!
JimCifarelli
Check out my reply to another question:
http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/166febb118641065/687b918da8146023
The idea is that you put you files outside of the public area (so no
one can type the URL), then you program a header rewrite so that your
web server (Apache, Nginx, .etc) serves the file after you've
authorized that request. Since it's a rewrite, the real name of a
file can be "X23456.jpg" but served as "cassiommc_requested_image.jpg"
Avoid sendfile if your using Mongrel to serve your Rails appplication,
and plow through the above header programming above.
Good luck,
Jim
Bbq Plate
hi,
ive been researching this and i found the x send file and
x-accel-redirect for nginx. they can be used for downloads, however, can
these be used to render images to a view?
thanks for any help!
--
Posted via http://www.ruby-forum.com/.
cass...@gmail.com
but, can this work to serve the images to the view? thatś what I'll
really nedd, I think I didn't expressed myself well..
thank you!
> Check out my reply to another question:http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/...
Bbq Plate
i can render the view using send_data but its really slow and not
recommended. if youfind the answer, please post back here!
cass...@gmail.com wrote:
> Thanks for your reply!
>
> but, can this work to serve the images to the view? that� what I'll
> really nedd, I think I didn't expressed myself well..
>
> thank you!
--
Posted via http://www.ruby-forum.com/.
Jens Wille
> The idea is that you put you files outside of the public area (so
> no one can type the URL), then you program a header rewrite so
> that your web server (Apache, Nginx, .etc) serves the file after
> you've authorized that request.
(soon): let the web server (apache) serve the content as usual and
protect it from unauthorized access with the Apache Secure Download
module [1]. it works by only allowing requests that have the correct
token, which is computed from the resources' path, a timestamp, and
a *secret* string that is shared between the web server and the
application providing access to the resources.
so instead of putting /path/to/image.jpg into the view, you have
/path/to/image.jpg?timestamp=<timestamp>&token=<token>, where
timestamp = 1.minute.from_now (e.g.), and token =
Digest::SHA1.hexdigest(secret + '/path/to/image.jpg' + timestamp).
thus only someone who knows your secret string gets access to that
image.
Apache Secure Download was inspired by Mongrel Secure Download [2],
a mongrel handler by josh ferguson.
[1] <http://prometheus.rubyforge.org/apache_secure_download/>
[2] <http://rubyforge.org/projects/msecuredownload/>
[3] <http://prometheus.rubyforge.org/mongrel_secure_download-redux/>
cheers
jens
--
Jens Wille, Dipl.-Bibl. (FH)
prometheus - Das verteilte digitale Bildarchiv für Forschung & Lehre
Kunsthistorisches Institut der Universität zu Köln
Albertus-Magnus-Platz, D-50923 Köln
Tel.: +49 (0)221 470-6668, E-Mail: jens....@uni-koeln.de
http://www.prometheus-bildarchiv.de/
Koloa Poipu
hello Jens, Thank you for the reply, however, im still a bit confused.
the web server, say apache will be the one responsible for serving
images. so after i authenticate a user and check if the user has
permission to view a certain view, the view action will be called with a
url that contains timestamp, secret string, etc..which apache will
compute to see whether or not to serve the images?
What is the purpose of the timestamp?
thanks
> prometheus - Das verteilte digitale Bildarchiv f?schung & Lehre
> Kunsthistorisches Institut der Universit䴠zu
> K?lbertus-Magnus-Platz, D-50923
> K?el.: +49 (0)221 470-6668, E-Mail: jens....@uni-koeln.de
> http://www.prometheus-bildarchiv.de/
--
Posted via http://www.ruby-forum.com/.
Jens Wille
Koloa Poipu [2008-02-27 18:20]:
> the web server, say apache will be the one responsible for
> serving images. so after i authenticate a user and check if the
> user has permission to view a certain view, the view action will
> be called with a url that contains timestamp, secret string,
> etc..which apache will compute to see whether or not to serve the
> images?
exactly. your application generates a URL to your resource which
apache will check for validity. only then will apache serve that
resource to the user. hence, your application controls whether to
allow the user access to the resource or not.
> What is the purpose of the timestamp?
the timestamp makes the URL only valid for a certain time. if the
user saves the previously received URL to get access to the resource
again at a later time, the timestamp prevents a successful "stealing".
i suggest you just try Apache Secure Download [1] and see if it
suits your needs ;-) if i can help you make it work, just let me know.
(it's available as a gem from rubyforge -- sudo gem install
apache_secure_download)
[1] <http://prometheus.rubyforge.org/apache_secure_download/>
cheers
jens
--
Jens Wille, Dipl.-Bibl. (FH)
prometheus - Das verteilte digitale Bildarchiv für Forschung & Lehre
Kunsthistorisches Institut der Universität zu Köln
Albertus-Magnus-Platz, D-50923 Köln
Tel.: +49 (0)221 470-6668, E-Mail: jens....@uni-koeln.de
http://www.prometheus-bildarchiv.de/