On 5/8/06, Brian <brian@texnet.com> wrote:
I have a flash app that accesses .xml files.
The source is viewable and some creative crackers have figured out how to meld a url together to get vital information from those .xml's.
I need to prevent the web client from directly accessing them.
Is there a directive (such as Apache's) or mechanism to keep web clients from accessing yet allow my app to access these files?
Something like
<FilesMatch \.(?i:gif|jpe?g|xml)$>
    Order allow,deny
    Allow from <some file name>
    Deny from all
    <some other web trick>
</FilesMatch>
in zope.conf or ???

Zope's security is based on being authenticated, so no. What you can do is let the Flash app log in as a special user, and make the files only accessible to that user. To prevent people from sneaking the password from the IP-traffic, you also need to use SSL from the Flash app.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
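
An added example, not part of the original thread and not Zope's own code: one way to apply the suggestion above in Zope 2, by restricting the View permission on the .xml objects to a dedicated role. The role name FlashClient and the FakeFile/FakeFolder stand-ins are assumptions; the role and the Flash app's user are assumed to exist already (created in the ZMI).

```python
# Added example. restrict_xml() uses the Zope 2 calls objectItems() and
# manage_permission(); it can be run from `zopectl debug` or an External
# Method. FakeFile/FakeFolder are constructed stand-ins so the logic can be
# exercised without a Zope instance.

FLASH_ROLE = "FlashClient"  # hypothetical role held by the Flash app's user


def restrict_xml(folder, role=FLASH_ROLE):
    """Make every *.xml object in `folder` viewable only by `role` and Manager.

    acquire=0 is the important part: with acquisition left on, the objects
    keep inheriting View from their parent, where Anonymous usually has it,
    and a direct URL request still succeeds without logging in.
    """
    changed = []
    for obj_id, obj in folder.objectItems():
        if obj_id.lower().endswith(".xml"):
            obj.manage_permission("View", roles=[role, "Manager"], acquire=0)
            changed.append(obj_id)
    return sorted(changed)


class FakeFile:
    """Constructed stand-in that records what manage_permission was told."""

    def __init__(self):
        self.perms = {}

    def manage_permission(self, permission_to_manage, roles=(), acquire=0):
        self.perms[permission_to_manage] = (tuple(roles), acquire)


class FakeFolder:
    """Constructed stand-in for a Zope folder holding the given objects."""

    def __init__(self, items):
        self._items = items

    def objectItems(self):
        return list(self._items.items())


if __name__ == "__main__":
    demo = FakeFolder({"users.xml": FakeFile(), "movie.swf": FakeFile()})
    print(restrict_xml(demo))
```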