Home > Archive > Microsoft Content Management Server > October 2006 > Secure attachment
| Hi
A while back a similar posting referred to the problem I am currently
experiencing, regarding security on an attachment.
We have implemented a login page which provides access to certain
postings.
These postings are not visible unless you have successfully logged in
and this process works fine.
Attachments were linked to these postings from a local resource folder
and not from resource gallery.
Up to now the assumption was that these attachments would inherit the
security of the posting and only be accessible to users who have logged
in.
But, if you copy and paste the funny url and send it to someone who has
no access rights, this person can see the page.
The problem escalated as some of these funny url links have made it
into the google search repository somehow and now people who find these
links can browse the secure attachments.
(We are implementing Windows authentication.)
Your answer below states "write an ISAPI filter to prevent this".
Please could you indicate how I can do this?
Is there any other way to ensure unwanted users can't access
attachments using the funny url?
Any help would be much appreciated, thanks in advance!
Previous posting:
Question:
....Now, if I undo all of the above, and redo it with 3.1 using Attachments from
the Resource Gallery->myportal->secure (which only a non-guest subscriber
user is supposed to have access to), I still get the same results!!! I could
download the document without a password!!
Answer:
Hi Patrick,
that is correct.
There is no way to prevent this from CMS or from ASP.NET as this is not
ASP.NET code being executed (as indicated in my previous post).
You would have to write an ISAPI filter to prevent this.
But why should someone do this?
Cheers,
Stefan.
| |
| Stefan [MSFT] 2006-10-23, 1:14 pm |
| Hi,
Sorry, I'm not sure which problem this post is talking about, as it is not
bound to the previous post.
Could you please show me what these "funny URLs" look like?
Thanks,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"m" <mlking@investec.co.za> wrote in message
news:1161603311.223316.92560@b28g2000cwb.googlegroups.com...
> Hi
>
> A while back a similar posting referred to the problem I am currently
> experiencing, regarding security on an attachment.
> We have implemented a login page which provides access to certain
> postings.
> These postings are not visible unless you have successfully logged in
> and this process works fine.
> Attachments were linked to these postings from a local resource folder
> and not from resource gallery.
> Up to now the assumption was that these attachments would inherit the
> security of the posting and only be accessible to users who have logged
> in.
> But, if you copy and paste the funny url and send it to someone who has
> no access rights, this person can see the page.
> The problem escalated as some of these funny url links have made it
> into the google search repository somehow and now people who find these
> links can browse the secure attachments.
> (We are implementing Windows authentication.)
> Your answer below states "write an ISAPI filter to prevent this".
> Please could you indicate how I can do this?
> Is there any other way to ensure unwanted users can't access
> attachments using the funny url?
>
> Any help would be much appreciated, thanks in advance!
>
> Previous posting:
> Question:
> ...Now, if I undo all of the above, and redo it with 3.1 using Attachments from
> the Resource Gallery->myportal->secure (which only a non-guest subscriber
> user is supposed to have access to), I still get the same results!!! I could
> download the document without a password!!
>
> Answer:
> Hi Patrick,
>
> that is correct.
> There is no way to prevent this from CMS or from ASP.NET as this is not
> ASP.NET code being executed (as indicated in my previous post).
> You would have to write an ISAPI filter to prevent this.
>
>
> But why should someone do this?
>
> Cheers,
> Stefan.
>
| |
|
| Hi Stefan
Sorry, I will explain more clearly. These are resource URLs, e.g.:
"http://www.sitename.com/NR/rdonlyres/8486FE54-C5C0-453F-ADD2-6BE2E6EC7D44/5150/document.pdf".
I link documents as attachments to a secure posting (requires login)
and the documents can be viewed even by users who are not logged in.
(It is the same issue as described by the user in my question below)
Kind regards
M
Stefan [MSFT] wrote:
> Hi,
>
> Sorry, I'm not sure which problem this post is talking about, as it is not
> bound to the previous post.
> Could you please show me what these "funny URLs" look like?
>
> Thanks,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "m" <mlking@investec.co.za> wrote in message
> news:1161603311.223316.92560@b28g2000cwb.googlegroups.com...
| |
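An audit sketch for the exposure M describes, added here as an example and not part of the original thread: it reads IIS W3C extended log lines and lists successful requests for `/NR/rdonlyres/<GUID>/...` resource URLs that carry no authenticated user, together with the referring host. The sample log is constructed, and the check assumes the log includes the `cs-username` field, which is only meaningful where IIS itself authenticates the request (for example Windows authentication).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# CMS resource URLs look like /NR/rdonlyres/<GUID>/<n>/<file>, as in the post above.
RESOURCE = re.compile(
    r"^/NR/rdonlyres/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/", re.I)

# Constructed sample log (documentation IP ranges, hypothetical user name).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2006-10-23 09:14:02 GET /NR/rdonlyres/8486FE54-C5C0-453F-ADD2-6BE2E6EC7D44/5150/document.pdf - 192.0.2.10 http://www.google.com/search?q=document 200
2006-10-23 09:15:40 GET /NR/rdonlyres/8486FE54-C5C0-453F-ADD2-6BE2E6EC7D44/5150/document.pdf CORP\\alice 10.0.0.5 - 200
2006-10-23 09:16:11 GET /NR/rdonlyres/8486FE54-C5C0-453F-ADD2-6BE2E6EC7D44/5150/document.pdf - 198.51.100.7 - 401
2006-10-23 09:17:00 GET /Default.aspx - 192.0.2.10 - 200
""".splitlines()

def anonymous_resource_hits(lines):
    """Return {uri: [(client_ip, referer_host), ...]} for anonymous downloads."""
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        uri = row.get("cs-uri-stem", "")
        if not RESOURCE.match(uri):
            continue                       # not a CMS resource URL
        if row.get("sc-status") not in ("200", "206"):
            continue                       # not served (e.g. 401 challenge)
        if row.get("cs-username", "-") != "-":
            continue                       # IIS recorded an authenticated user
        referer = row.get("cs(Referer)", "-")
        host = urlsplit(referer).hostname if referer != "-" else None
        hits[uri].append((row.get("c-ip", "-"), host or "-"))
    return dict(hits)

if __name__ == "__main__":
    for uri, clients in anonymous_resource_hits(SAMPLE_LOG).items():
        print(uri, clients)
```

A search-engine host in the referer column indicates that the resource URL has been indexed, which matches the situation described in the first post.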
| Stefan [MSFT] 2006-10-24, 7:18 am |
| Hi,
I did a short repro and actually I'm not able to reproduce the problem.
On my system the attachment is only visible to the users that have rights to
the item.
Please open a support case for this.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"m" <mlking@investec.co.za> wrote in message
news:1161613526.303282.35930@k70g2000cwa.googlegroups.com...
> Hi Stefan
>
> Sorry, I will explain more clearly. These are resource URLs, e.g.:
> "http://www.sitename.com/NR/rdonlyres/8486FE54-C5C0-453F-ADD2-6BE2E6EC7D44/5150/document.pdf".
>
> I link documents as attachments to a secure posting (requires login)
> and the documents can be viewed even by users who are not logged in.
> (It is the same issue as described by the user in my question below)
>
> Kind regards
> M
>
>
> Stefan [MSFT] wrote:
>
| |
|
| Thanks Stefan
It works fine on our intranet, using Windows authentication and AD.
Then the user gets prompted for a login and password.
Our internet however is set up behind the firewall using Windows
authentication (for Authoring purposes) and the live site uses Forms
Authentication, IIS is set to allow Anon Access.
I will contact Microsoft once we've managed to restore a test version
of this function and let you know, in case anyone else has the same
issue.
Thanks for all the help!
Stefan [MSFT] wrote:
> Hi,
>
> I did a short repro and actually I'm not able to reproduce the problem.
> On my system the attachment is only visible to the users that have rights to
> the item.
>
> Please open a support case for this.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "m" <mlking@investec.co.za> wrote in message
> news:1161613526.303282.35930@k70g2000cwa.googlegroups.com...
| |
| Stefan [MSFT] 2006-10-24, 1:15 pm |
| Hi M,
I tested with forms authentication.
I don't get access.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"m" <mlking@investec.co.za> wrote in message
news:1161692886.428102.146450@m7g2000cwm.googlegroups.com...
> Thanks Stefan
>
> It works fine on our intranet, using Windows authentication and AD.
> Then the user gets prompted for a login and password.
>
> Our internet however is set up behind the firewall using Windows
> authentication (for Authoring purposes) and the live site uses Forms
> Authentication, IIS is set to allow Anon Access.
>
> I will contact Microsoft once we've managed to restore a test version
> of this function and let you know, in case anyone else has the same
> issue.
>
> Thanks for all the help!
>
>
>
>
> Stefan [MSFT] wrote:
>
| |
|
| Thanks for the feedback.
I've logged a call with Microsoft, perhaps our configuration is
incorrect.
Stefan [MSFT] wrote:
> Hi M,
>
> I tested with forms authentication.
> I don't get access.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "m" <mlking@investec.co.za> wrote in message
> news:1161692886.428102.146450@m7g2000cwm.googlegroups.com...