Prevent Direct access to a URL


#1

Hi all -

I was given a project to research if it’s possible to prevent users from
accessing a path directly using NGINX?

Here’s our layout: IIS & JBoss

We have an IIS server presenting clients with their login page. After
the client logs in it does a lookup within the database to verify the
client’s credentials. Once the client has been verified, the user is
redirected to the appropriate application server - JBOSS application
server.

The client is then able to do whatever their license allows.

So within IIS and the JBoss application server, we’re able to control
access to a certain degree, however there are some pages served by JBoss
that can be accessed directly if you know the path.

Example:

IIS:   http://loginpage = secure

JBoss: http://successful_login/jboss.ear = secure

JBoss: http://regular_html_pages/ourstuff.html = can be accessed directly.

We already know that if we write code within our application we can
control that behavior, but we’re reluctant to make any changes to
the application at this time.

So to conclude

Once the user has successfully logged into the IIS server and is handed
off to JBoss, the user does receive a JSESSIONID. Is there any way to
tell NGINX that unless there is an associated JSESSIONID you will not be
allowed to access the page directly? Or any other suggestion you may
have to offer?

Thanks for any and all help!

-Shamunda

25/1/2009


#2

On Sunday 25 January 2009 15:45:45 Shamunda wrote:

I was given a project to research if it’s possible to prevent users from
accessing a path directly using NGINX?

I think these two URLs are what you’re looking for. Nginx supports
internal URLs and can handle them smoothly. You will just need to change
HTTP Header with your app.

http://wiki.codemongers.com/NginxXSendfile

http://blog.kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rails/
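
The internal-location approach suggested in this reply, combined with the JSESSIONID presence check the question asks about, sketched as an nginx configuration. This is an added example, not part of the original posts; the upstream address, server name, `/protected_pages/` prefix and file-system path are assumptions, and the application is assumed to send the `X-Accel-Redirect` header once it has checked the session.

```nginx
# Added example: names, addresses and paths below are assumptions.
upstream jboss_app {
    server 127.0.0.1:8080;          # assumed JBoss listener
}

server {
    listen 80;
    server_name example.invalid;    # placeholder

    # Public path. Requests without a JSESSIONID cookie are refused here.
    # This only proves a cookie is present: nginx cannot tell whether the
    # session is valid, so the application still has to make the decision.
    location /regular_html_pages/ {
        if ($cookie_JSESSIONID = "") {
            return 403;
        }
        # The application checks the session and, if the user is allowed,
        # replies with an empty body and the header
        #   X-Accel-Redirect: /protected_pages/ourstuff.html
        proxy_pass http://jboss_app;
    }

    # "internal" makes nginx answer 404 to any client request for this
    # prefix. It is reachable only through X-Accel-Redirect from the
    # backend (or another internal redirect), so knowing the path is not
    # enough to fetch the file.
    location /protected_pages/ {
        internal;
        alias /srv/static/regular_html_pages/;   # assumed location of the files
    }
}
```

After reloading nginx, a direct request for `/protected_pages/ourstuff.html` should return 404 and a request for `/regular_html_pages/ourstuff.html` without the cookie should return 403.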


#3

Thanks Eren, I’ll give it a shot :)


From: removed_email_address@domain.invalid on behalf of Eren Türkay
Sent: Sun 1/25/2009 1:05 PM
To: removed_email_address@domain.invalid
Subject: Re: Prevent Direct access to a URL


26/1/2009