WebApp Sec mailing list archives

Re: Security using Apache module


From: chorn () chorn com
Date: Thu, 18 Mar 2004 09:45:06 -0500

On 2004/03/18 11:15:16 +0530, stevenr () mastek com wrote:

I have a web-based J2EE application hosted on one box (Box1) and a
web-based report-generating server on another box (Box2). Both Box1 and
Box2 talk to a common DB. A user logs into Box1 and is authenticated and
the server stores a session id in a cookie. Then a link from the
application points to Box2 and fetches a dynamically-generated report in
PDF format by passing the required parameters in the URL to Box2.

Problem:
There is no session-related connection between Box1 and Box2. The reports
application is a third-party tool, the only common point between the two
boxes being that they talk HTTP using the Apache server (version 1.3,
fyi). So it is possible for a user to craft the URL pointing to Box2
and circumvent Box1 altogether.

Writing an Apache module to prevent this seems like a lot of extra work.
Since Box2 is also running Apache, why not just limit access to Box1?
Depending on how the report software is accessed, you could limit
access to only that.

In .htaccess or <Directory> block:

Order deny,allow
Deny from all
Allow from Box1
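To show why those three directives behave as intended, and how the same lines misbehave when the Order is flipped or the Deny line is left out, here is a small Python model of Apache 1.3 mod_access evaluation. This is an added example, not code from the poster or from Apache; Box1's address, the outsider's address and the config text are constructed, and hostnames are assumed to be given as IPs.

```python
import ipaddress

def parse_access(text):
    """Parse Order / Deny from / Allow from lines into (order, deny, allow)."""
    order, deny, allow = "deny,allow", [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key == "deny" and parts[1].lower() == "from":
            deny += [p.lower() for p in parts[2:]]
        elif key == "allow" and parts[1].lower() == "from":
            allow += [p.lower() for p in parts[2:]]
    return order, deny, allow

def _matches(pattern, client_ip):
    """'all', a single IP, or a CIDR block; Apache resolves hostnames at
    request time, so Box1 is written as its IP here (constructed)."""
    if pattern == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)

def evaluate(order, deny, allow, client_ip):
    """Return True if the client is admitted under Apache 1.3 semantics."""
    denied = any(_matches(p, client_ip) for p in deny)
    allowed = any(_matches(p, client_ip) for p in allow)
    if order == "deny,allow":
        # Deny first, Allow second; a matching Allow wins, and a host that
        # matches neither is ADMITTED by default (why "Deny from all" matters).
        return True if allowed else not denied
    if order == "allow,deny":
        # Allow first, Deny second; a matching Deny wins, unmatched hosts are refused.
        return False if denied else allowed
    raise ValueError("unsupported Order: " + order)

BOX1 = "10.0.0.11"          # constructed address for Box1
OUTSIDER = "203.0.113.7"    # constructed address for a direct-to-Box2 client

REPLY_CONFIG = "Order deny,allow\nDeny from all\nAllow from " + BOX1
MISSING_DENY = "Order deny,allow\nAllow from " + BOX1
WRONG_ORDER = "Order allow,deny\nDeny from all\nAllow from " + BOX1

def admitted(config_text, client_ip):
    return evaluate(*parse_access(config_text), client_ip)
```

Running `admitted` over the three variants shows only REPLY_CONFIG admits Box1 and refuses the outsider; MISSING_DENY admits everyone and WRONG_ORDER refuses even Box1.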
