Re: Preventing cross-application access
- Subject: Re: Preventing cross-application access
- From: Johann Werner <email@hidden>
- Date: Fri, 07 Dec 2012 15:24:44 +0100
Hi Maik,
You should generally deny access to /cgi-bin/WebObjects, or whatever your WebObjectsAlias setting is set to:
<Location /cgi-bin/WebObjects>
Order Deny,Allow
Deny from all
</Location>
Then in your specific site config you allow the specific app. E.g. for aaa.com:
<Location /cgi-bin/WebObjects/AAA.woa>
Allow from all
</Location>
So now you can only access AAA.woa on aaa.com and no other apps.
jw
On 07.12.2012 at 15:04, Maik Musall <email@hidden> wrote:
> Hi List,
>
> I don't know if everybody is aware of that, but in a setup with two WO applications A and B, reachable through domains aaa.com and bbb.com, but sharing one Apache Adaptor in front of them, you can generally reach application B through aaa.com if you append the .woa path of application B to it.
>
> What measures do you have in place to prevent that, if any?
>
> Maik
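
A check for the rule set described in the reply above, added here as an example and not part of the original thread: it requests every application on every domain and reports any domain that serves an app other than its own. The `BBB.woa` name, the HTTPS fetcher, and treating any status other than 403/404 as "reachable" are assumptions; the two stand-in fetchers are constructed so the example runs offline.

```python
import http.client

# Assumed layout based on the thread: each domain may serve exactly one app.
# "BBB.woa" is a hypothetical name for application B.
SITES = {"aaa.com": "AAA.woa", "bbb.com": "BBB.woa"}
ALIAS = "/cgi-bin/WebObjects"  # adjust to your WebObjectsAlias setting

def http_status(host, path, timeout=5):
    """Real fetcher: return the HTTP status for GET path on host."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()

def audit(sites, fetch=http_status, alias=ALIAS):
    """Request every app on every domain and return the violations found."""
    findings = []
    for host, own_app in sites.items():
        for app in sorted(set(sites.values())):
            status = fetch(host, f"{alias}/{app}")
            # Assumption: anything other than 403/404 means the app answered.
            reachable = status not in (403, 404)
            if app == own_app and not reachable:
                findings.append((host, app, status, "own app blocked"))
            elif app != own_app and reachable:
                findings.append((host, app, status, "foreign app reachable"))
    return findings

# Constructed stand-ins for a live server, so the audit can be run offline.
def shared_adaptor(host, path):
    """Adaptor without Location rules: every app answers on every domain."""
    return 200

def locked_down(host, path):
    """Global deny plus one per-site allow, as in the reply above."""
    return 200 if path.startswith(f"{ALIAS}/{SITES[host]}") else 403

if __name__ == "__main__":
    for name, fetch in (("shared adaptor", shared_adaptor),
                        ("locked down", locked_down)):
        print(name, audit(SITES, fetch))
```

Against a real deployment, call `audit(SITES)` with your own domain-to-app mapping; an empty list means no domain exposes another site's application.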