[Zope] Preventing files from being viewed by web clients

Dieter Maurer dieter at handshake.de
Tue May 9 13:49:26 EDT 2006


Brian wrote at 2006-5-8 13:19 -0500:
>I have a flash app that accesses .xml files.
>
>The source is viewable and some creative crackers have figured out how to
>meld a url together to get vital information from those .xml's.
>
>I need to prevent the web client from directly accessing them.
>
>Is there a directive (such as Apache's) or mechanism to keep web clients
>from accessing yet allow my app access these files?

As others reported, there is no easy solution.

However, flash is probably intelligent enough that it could be
able to implement what I call the "trusted application" concept.

A trusted application somehow contains a secret (something like
"application_id" and "application_password") it can use to
prove to the server that it has sent the request (and not some
other application).

Kerberos is a standard protocol to implement trusted applications
(among others).


If you do not have Kerberos, you can do something similar of your own.
Look at HTTP Digest Authentication to learn how the
application can send its secret in an uncompromising way.
On the server side, you make your resources inaccessible
by untrusted access and use a script (probably an "ExternalMethod")
that checks the application credentials and grants access
to your sensible resources only when it can prove the application
is trusted.

-- 
Dieter
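The server-side check Dieter describes, written out as an added example that is not part of the original post and not Zope or ExternalMethod code: a challenge-response exchange in the spirit of HTTP Digest, where the application proves it holds the shared secret without ever transmitting it, and the server hands out the protected XML only after that proof verifies. The credentials, resource path and XML content are constructed for the example; the proof uses HMAC-SHA256 over a single-use nonce rather than the exact RFC 2617 Digest algorithm.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials for the example; a real deployment provisions
# these to the trusted application out of band and keeps them server-side.
APP_ID = "flash-client"
APP_SECRET = b"example-secret-do-not-reuse"

# Constructed protected resource standing in for the .xml files.
PROTECTED = {"/data/prices.xml": "<prices><item>42</item></prices>"}


def prove(secret, nonce, path):
    """Proof of possession: HMAC over the server nonce and the requested path.
    Binding the path stops a captured proof from being reused for another file."""
    msg = f"{nonce}:{path}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, credentials, resources, nonce_ttl=60):
        self.credentials = credentials      # app_id -> secret bytes
        self.resources = resources          # path -> content
        self.nonces = {}                    # nonce -> (app_id, expiry time)
        self.nonce_ttl = nonce_ttl

    def challenge(self, app_id):
        """Step 1: issue a fresh, short-lived nonce (the WWW-Authenticate step)."""
        if app_id not in self.credentials:
            return None
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (app_id, time.monotonic() + self.nonce_ttl)
        return nonce

    def fetch(self, app_id, path, nonce, response):
        """Step 2: release the resource only when the response proves the secret.
        Every failure path returns None so the caller learns nothing extra."""
        entry = self.nonces.pop(nonce, None)   # pop: each nonce is accepted once
        if entry is None:
            return None                         # unknown nonce or replay
        issued_to, expiry = entry
        if issued_to != app_id or expiry < time.monotonic():
            return None                         # nonce belongs to another app or expired
        expected = prove(self.credentials[app_id], nonce, path)
        if not hmac.compare_digest(expected, response):
            return None                         # constant-time compare of the proof
        return self.resources.get(path)


class Client:
    """The trusted application: holds the secret and answers challenges."""

    def __init__(self, app_id, secret):
        self.app_id = app_id
        self.secret = secret

    def get(self, server, path):
        nonce = server.challenge(self.app_id)
        if nonce is None:
            return None
        return server.fetch(self.app_id, path, nonce, prove(self.secret, nonce, path))


def demo():
    """Exercise the exchange; returns a dict of outcomes for inspection."""
    server = Server({APP_ID: APP_SECRET}, PROTECTED)
    trusted = Client(APP_ID, APP_SECRET)
    impostor = Client(APP_ID, b"guessed-wrong-secret")

    results = {"trusted": trusted.get(server, "/data/prices.xml")}

    # A client that knows the id but not the secret gets nothing.
    results["impostor"] = impostor.get(server, "/data/prices.xml")

    # A captured (nonce, proof) pair cannot be replayed: the nonce was consumed.
    nonce = server.challenge(APP_ID)
    proof = prove(APP_SECRET, nonce, "/data/prices.xml")
    server.fetch(APP_ID, "/data/prices.xml", nonce, proof)
    results["replay"] = server.fetch(APP_ID, "/data/prices.xml", nonce, proof)

    # A direct request that skipped the challenge has no valid nonce.
    results["direct"] = server.fetch(APP_ID, "/data/prices.xml", "made-up", "x")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The value of this scheme rests entirely on the secret staying inside the application; a secret compiled into a client that is shipped to users can be recovered from it, so the check raises the bar rather than making the files unreachable. Keeping the proof bound to a single-use, expiring nonce is what prevents a captured exchange from being replayed.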