Topic: Issue: Access files without login/authentication
pachaiyappan
Joined: 14 Jun 2013 Posts: 25 Location: India, Chennai
Posted: Tue 18 Nov '14 12:26 Post subject: Issue: Access files without login/authentication
Hi,
In our web application we are facing a high vulnerability issue based on session validation.
Issue:
We can download files from the server whenever we pass the link, even without login.
The links hit the server directly and download files of any extension, such as .txt, .xml, .zip and so on.
Need the solution for this issue:
How can we resolve the issue by validating the session on the Apache side?
Scenario as below:
When a user manually passes the request and the user is logged in, they should access the files.
When a user manually passes the request and the user is not logged in, they shouldn't access the files.
In both scenarios they can currently access the files, but we want to restrict it when the request comes to Apache without login.
EX:
https://localhost/testsw/version.txt
When I tried the above link I was able to view the file in the browser, and even able to download files with all the different extensions that are under the Tomcat webapps dir.
Could you please suggest how we can restrict this in Apache code or any other files on the Apache side, or is there any way to validate whether the request is a logged-in one or not?
Your help is much appreciated!!!!
Thanks,
Pachai
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 19 Nov '14 17:39 Post subject:
Can you deliver the files via your web app instead of directly, so no one will have a direct link?
pachaiyappan
Joined: 14 Jun 2013 Posts: 25 Location: India, Chennai
Posted: Thu 20 Nov '14 7:31 Post subject:
What they are doing: first they log in with credentials, then while doing different activities they randomly copy URL links and try them on a different machine without logging in. They are able to access the file and view the files in read-only format. The problem here is that we use the basic version of Struts 1.2, so we have to restrict at the Apache level, meaning before Apache serves the request we have to validate whether it is a logged-in request or not.
Could you please help me with how we should do that?
Is there any other possibility to validate in httpd.conf or anything else?
Here is one more big problem: login-related and other files are available under the same directory, so we can't do folder restriction either.
Could you please provide the best simple solution for this issue?
Your replies are much appreciated.
Thanks,
Pachai
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Thu 20 Nov '14 11:37 Post subject:
I'm not into Java and less into Struts, but I found this on the web: http://www.mooreds.com/wordpress/archives/18 So it must be possible to check the login state in your application.
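The approach the moderator recommends in both replies (serve the files through the application after checking the login state, so there is no direct link for Apache or Tomcat to hand out) as an added example written for this thread, not code from the poster's application or from Apache Lounge. It uses the plain javax.servlet API rather than Struts 1.2, and assumes that the files are moved to a directory outside the Tomcat webapps tree (/srv/protected-files here) and that the login action stores the user under the session attribute "userId"; both names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed layout: the downloadable files live OUTSIDE the webapps tree, so neither
// Apache nor Tomcat can serve them by URL; only this servlet can reach them.
public class ProtectedDownloadServlet extends HttpServlet {
    private static final Path BASE_DIR =
            Paths.get("/srv/protected-files").toAbsolutePath().normalize();
    // Assumed: the login action sets this attribute on successful authentication.
    private static final String USER_ATTR = "userId";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Session check: getSession(false) never creates a session, so a copied
        //    URL opened on another machine has no session and gets 401, not the file.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Map the requested name onto BASE_DIR and refuse anything that escapes it.
        Path file = resolveSafely(req.getParameter("name"));
        if (file == null || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. Stream the file through the application; the client never sees a path.
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("Content-Disposition",
                "attachment; filename=\"" + file.getFileName() + "\"");
        Files.copy(file, resp.getOutputStream());
    }

    /** Canonical path under BASE_DIR, or null if the name is missing or would escape it. */
    static Path resolveSafely(String name) {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() keeps an absolute "name" as-is and normalize() folds "..", so the
        // startsWith() check rejects both "/etc/passwd" and "../../conf/server.xml".
        Path candidate = BASE_DIR.resolve(name).normalize();
        return candidate.startsWith(BASE_DIR) ? candidate : null;
    }
}
```

Map the servlet in web.xml to a path such as /download and change the application's links from https://localhost/testsw/version.txt to /download?name=version.txt; the old direct URLs then stop working because the files are no longer under webapps.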