Question
· Dec 30, 2022

How to hide folder content from CSP applications

Hi

Just looking to tighten up a new application


As an example, the application may have a path such as:

     Omniata.au/csp/SomeApp/ListIndex.csp

on a Windows server in the path of:

     C:\InterSystems\IRIS\CSP\SomeApp

and display images from a path such as:

     C:\InterSystems\IRIS\CSP\SomeApp\images\Pic1.jpg


If a user wishes to browse through the website, they could point their browser at the path:

     Omniata.au/csp/SomeApp/images

and guess some file names, and they could view the images.

If I do something similar on commercial web sites, I get an error that I'm not authorised to view, I get ...


Forbidden

You don't have permission to access this resource.


How do I set up the application folder and its sub-folders to be inaccessible to casual browsing, and only allow the application to access them?

My guess is it's to do with the user access, but I'm not sure what 'user' my application is and what 'user' a casual browser is to set the permissions.

Thanks in advance

Rosti

Product version: IRIS 2022.1
$ZV: IRIS for Windows (x86-64) 2022.1 (Build 209U) Tue May 31 2022 12:16:40 EDT

How do I set up the application folder and its sub-folders to be inaccessible to casual browsing, and only allow the application to access them?

Depending on your goal, there are different approaches available. Do you want users to see images only after logging into the application (so a general control on resources), or do you want individual access (only some users can see a specified image)?

If it's the first one, go to the web application configuration page and set Serve Files to Use InterSystems Security. In that case, if the user has permission to view a CSP/CLS page in this application, they are allowed to view a static file; if they do not have permission to view a CSP/CLS page, a 404 Page Not Found page is returned.

For the second case, use REST Broker to serve files and implement arbitrary checks in the broker.

Thanks for your input Eduard

It's the first scenario. I would only like to provide access to just my application.

Should an inquisitive user bypass the application by simply pointing their browser to a URL with the path containing my images (such as OmniData.au/csp/SomeApp/images/Image1.jpg), I would like them to get an error.

As this completely bypasses IRIS, it seems to me that it is the OS that needs to block the display of the web server's folder contents, unless it's the IRIS application having a look.

I would imagine going to the Security Properties of the folders and DENY access to all but an IRIS application (and the Server Admin). My question is how does the OS (MS Windows Server 2019) identify an IRIS application and allow access?

Thanks

Rosti

If you have a web application /csp/SomeApp and users need to log in to access this application, it is enough to go to the /csp/SomeApp web application configuration page and set Serve Files to Use InterSystems Security to get the effect you want. After making this change, users would not be able to access /csp/SomeApp/image.png without logging into your application first.
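The portal setting above can also be audited and applied from ObjectScript, which is useful when several web applications need the same check. This is an added example, not code from the thread or from InterSystems; it assumes the Security.Applications ServeFiles value list is 0 = No, 1 = Always, 2 = Always and cached, 3 = Use InterSystems security, so confirm that list against the class reference on your build before running it with apply=1.

```objectscript
/// Added example: report a web application's "Serve Files" setting and,
/// on request, switch it to "Use InterSystems security" so static files
/// (images, scripts) are only served to a session that may also view the
/// application's CSP/CLS pages.
Class Demo.ServeFilesHardening
{

/// Returns an error status if the application does not exist or the
/// change fails. With apply=0 (default) it only reports what it would do.
ClassMethod Harden(appName As %String = "/csp/SomeApp", apply As %Boolean = 0) As %Status
{
    new $namespace
    set $namespace = "%SYS"   // Security.* classes are only accessible here
    if '##class(Security.Applications).Exists(appName) {
        return $$$ERROR($$$GeneralError, "Web application not found: "_appName)
    }
    set sc = ##class(Security.Applications).Get(appName, .props)
    if $$$ISERR(sc) return sc
    set current = +$get(props("ServeFiles"))
    write appName, " ServeFiles=", current, " (", ..Label(current), ")", !
    if current = 3 {
        write "  already gated by application login", !
        return $$$OK
    }
    if 'apply {
        write "  would change to 3 (Use InterSystems security); rerun with apply=1", !
        return $$$OK
    }
    kill change
    set change("ServeFiles") = 3   // assumed value for "Use InterSystems security"
    set sc = ##class(Security.Applications).Modify(appName, .change)
    if $$$ISOK(sc) write "  changed: static files now require a logged-in session", !
    return sc
}

/// Human-readable label for the assumed ServeFiles value list.
ClassMethod Label(v As %Integer) As %String
{
    return $case(v, 0:"No", 1:"Always", 2:"Always and cached", 3:"Use InterSystems security", :"unknown")
}

}
```

Run it as a user holding %Admin_Secure, e.g. `do ##class(Demo.ServeFilesHardening).Harden("/csp/SomeApp", 1)`, then confirm in the portal that /csp/SomeApp/images/Pic1.jpg returns 404 to an unauthenticated browser.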