HighDots Forums  

Preventing direct access to web content

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


CJM
 
Preventing direct access to web content - 08-22-2003, 09:15 AM






I have an intranet-based system running IIS5/6. We have a secure logon
feature whereby certain users can access restricted content. While most of
this is ASP pages, and thus we can control that, some of the content is
served directly as a PDF or plain html (automatically generated from
MSOffice!).

If a user discovers the location of this content, he can access it directly
through the browser (bypassing the menus), which rather makes a mockery of
this concept of secure content!

I have seen one or two commercial ISAPI filters that can be used to prevent
this access, but I don't want to spend where I don't have to, especially when
I'm not entirely sure how they work.

Does anybody know of any other means by which I can achieve this? Free
utils/filters perhaps or maybe another method I am not aware of?

As an aside, I've heard a few mumblings about .htaccess files, but the
information I have found so far involved password protecting directories on
Apache servers... Does anybody know where I can find more about using
.htaccess files? [I think I am going to need them for an IndexServer project
coming up]

Thanks.

Chris



Keith Duncan
 
Re: Preventing direct access to web content - 08-22-2003, 05:13 PM






"Brian" <usenet1 (AT) mangymutt (DOT) com.invalid-remove-this-part> wrote

Quote:
CJM wrote:

As an aside, I've heard a few mumblings about .htaccess files, but the
information I have found so far involved password protecting directories
on Apache servers... Does anybody know where I can find more about using
.htaccess files? [I think I am going to need them for an IndexServer
project coming up]

Do a Google web search on .htaccess

If you are running Apache and want to protect directories then you will need
to use a password creation utility (htpasswd); also you will need to place a
.htaccess file in the root of the directory to be protected. See details at:

http://httpd.apache.org/docs-2.0/how...ttingitworking
(remember if you want to add other users, miss out the "-c" or you will
over-write any existing password files).

On the other hand if all you want to do is to find out more about what you
can use .htaccess files for (other than password protecting directories), or
how to use them...then see:
http://httpd.apache.org/docs-2.0/howto/htaccess.html

What you can / can not use .htaccess files for is determined to some extent
by the modules that are built into your version of Apache at build time.
For a list of modules see:
http://httpd.apache.org/docs-2.0/mod/


--
Keith
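
The steps in the reply above as a small shell helper, added here as an example and not taken from the thread: `add_user` passes `-c` to htpasswd only when the password file does not exist yet, and `protect_dir` writes the `.htaccess` while refusing a password file kept inside the protected directory. The function names, user names and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and paths are placeholders.

# add_user PASSWD_FILE USER
# Passes -c to htpasswd only when the file does not exist yet, so adding a
# second user can never truncate an existing password file.
add_user() {
    passwd_file=$1; user=$2
    if [ -e "$passwd_file" ]; then
        htpasswd "$passwd_file" "$user"       # append or update one entry
    else
        htpasswd -c "$passwd_file" "$user"    # first user: create the file
    fi
}

# protect_dir DIR PASSWD_FILE [REALM]
# Writes DIR/.htaccess requiring a valid user from PASSWD_FILE.
# Refuses a password file inside DIR, where it could be served to clients.
protect_dir() {
    dir=$(cd "$1" && pwd) || return 1
    pw_dir=$(cd "$(dirname "$2")" && pwd) || return 1
    passwd_file=$pw_dir/$(basename "$2")
    realm=${3:-Restricted content}
    case "$pw_dir/" in
        "$dir"/*)
            echo "password file must live outside $dir" >&2
            return 1 ;;
    esac
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile "$passwd_file"
Require valid-user
EOF
}

# Usage (constructed paths and users):
#   add_user /etc/apache2/intranet.htpasswd alice   # first run creates the file
#   add_user /etc/apache2/intranet.htpasswd bob     # later runs append
#   protect_dir /var/www/intranet/restricted /etc/apache2/intranet.htpasswd
```

The server configuration must permit these directives in `.htaccess` (`AllowOverride AuthConfig`) or the file has no effect. Basic authentication sends the password with every request in an easily decoded form, so serve the protected directory over TLS.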





CJM
 
Re: Preventing direct access to web content - 08-26-2003, 04:24 AM



Thanks Andy.

In the longer term, a Windows Integrated Logon/Active Directory solution
will be appropriate, but unfortunately for the next 9-12 months that won't be
possible (long story).

I see what you mean about using a separate Apache server, but I think it is
a bit too complex/fiddly, plus it would be on a Windows box, which doesn't
bode well!

I think it's going to be a case of waiting for AD or using a £200 ISAPI
filter.

Cheers

Chris

"Andy Dingley" <dingbat (AT) codesmiths (DOT) com> wrote

Quote:
On Fri, 22 Aug 2003 15:15:14 +0100, "CJM" <cjmwork@m.co.uk> wrote:

Does anybody know of any other means by which I can achieve this?

1. Set up an Apache server (maybe another port on the same machine, but
ideally on a Unix box) and use .htaccess to control access.

2. ISAPI filter.

3. Windows integrated logons. Put the approved people in a group, let the
group's rights control access to the content, let Windows integrate
the lot for you, right across the network and down to the user's
desktop. You need a very long spoon for this, because you're supping
right from Bill Gates' 3rd tit, but it can be made to work. Of
course, if you're not an intranet in an all-Microsoft shop, then you're
stuffed and you're back to #1 or #2.



