From haragx at gmail.com Tue Nov 2 08:37:50 2010
From: haragx at gmail.com (Phil Marneweck)
Date: Tue, 02 Nov 2010 10:37:50 +0200
Subject: [hunchentoot-devel] Protecting static files
Message-ID: <1288687070.1927.26.camel@devi>

Hi

Is there a way in hunchentoot to protect static files from unauthorized
downloads? When I talk about static files I mean files with static
handlers in hunchentoot.

Regards
Phil

From ndj at bitart.cc Tue Nov 2 11:06:26 2010
From: ndj at bitart.cc (Nico de Jager)
Date: Tue, 02 Nov 2010 13:06:26 +0200
Subject: [hunchentoot-devel] Protecting static files
In-Reply-To: <1288687070.1927.26.camel@devi> (Phil Marneweck's message of "Tue, 02 Nov 2010 10:37:50 +0200")
References: <1288687070.1927.26.camel@devi>
Message-ID: <87zktsf0i5.fsf@bitart.cc>

Phil Marneweck writes:

> Is there a way in hunchentoot to protect static files from
> unauthorized downloads? When I talk about static files I mean files
> with static handlers in hunchentoot.

You can use your own dispatch functions to do authorization. So you can do
something like:

(defun authorized-dispatcher (dispatch-fn authorized-p)
  (lambda (request)
    (when (funcall authorized-p)
      (funcall dispatch-fn request))))

(defun role (&rest roles)
  (lambda ()
    (let ((user-roles (session-value :roles)))
      (dolist (role roles)
        (when (find role user-roles :test #'eq)
          (return t))))))

(setf *dispatch-table*
      (list
       ....
       (authorized-dispatcher
        (create-static-file-dispatcher-and-handler "/foo.txt" "/srv/foo.txt")
        (role :operator :root))
       ....))

Nico

From syntard at gmail.com Wed Nov 17 19:01:57 2010
From: syntard at gmail.com (Dmitri Pavlenkov)
Date: Wed, 17 Nov 2010 14:01:57 -0500
Subject: [hunchentoot-devel] Windows domain login
Message-ID:

How can I discover the Windows domain login of the user accessing a web app
on the intranet? I run Clozure CL on Windows. Has anybody done this?
I don't want to authenticate because users are used to single sign-on and
transparent access.

From edi at agharta.de Thu Nov 18 07:07:29 2010
From: edi at agharta.de (Edi Weitz)
Date: Thu, 18 Nov 2010 08:07:29 +0100
Subject: [hunchentoot-devel] Windows domain login
In-Reply-To:
References:
Message-ID:

Have you looked at the headers you receive? In case you receive any
requests at all? I do remember that I once wrote a WebDAV server where I
saw Windows clients trying to log in in a peculiar way, but I forgot the
details.

On Wed, Nov 17, 2010 at 8:01 PM, Dmitri Pavlenkov wrote:
> How can I discover the Windows domain login of the user accessing a web app
> on the intranet? I run Clozure CL on Windows. Has anybody done this? I don't
> want to authenticate because users are used to single sign-on and
> transparent access.
>
>
> _______________________________________________
> tbnl-devel site list
> tbnl-devel at common-lisp.net
> http://common-lisp.net/mailman/listinfo/tbnl-devel
>

From blondbf at gmail.com Thu Nov 18 13:08:58 2010
From: blondbf at gmail.com (Blond BF)
Date: Thu, 18 Nov 2010 16:08:58 +0300
Subject: [hunchentoot-devel] Windows domain login
In-Reply-To:
References:
Message-ID:

You can get it from the %USERNAME% and %USERDOMAIN% environment variables
using JavaScript. But modern browsers hide them to protect user privacy. I
think the best way is to ask the user for the login and password (and maybe
pass them to the DC for validation).

On Wed, Nov 17, 2010 at 10:01 PM, Dmitri Pavlenkov wrote:
> How can I discover the Windows domain login of the user accessing a web app
> on the intranet? I run Clozure CL on Windows. Has anybody done this? I don't
> want to authenticate because users are used to single sign-on and
> transparent access.

From archimag at gmail.com Thu Nov 18 13:27:29 2010
From: archimag at gmail.com (Andrey Moskvitin)
Date: Thu, 18 Nov 2010 16:27:29 +0300
Subject: [hunchentoot-devel] Windows domain login
In-Reply-To:
References:
Message-ID:

> How can I discover the Windows domain login of the user accessing a web app
> on the intranet? I run Clozure CL on Windows. Has anybody done this? I don't
> want to authenticate because users are used to single sign-on and
> transparent access.

I use Hunchentoot + Apache + mod_auth_kerb for transparent authentication
of users. Here is a template config for Apache:

ServerName myserver

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE-USER %{RU}e

ProxyPass / http://hunchentoot-server:port/

AuthType Kerberos
KrbAuthRealms MYDOAIN
KrbServiceName HTTP/myservicename
Krb5Keytab /path/to/keytab

require valid-user

Allow from all
Deny from all

See documentation on mod_auth_kerb for details.

Now the user login can be calculated as follows:

(hunchentoot:header-in* :remote-user)

Andrey

From syntard at gmail.com Thu Nov 18 14:15:34 2010
From: syntard at gmail.com (Dmitri Pavlenkov)
Date: Thu, 18 Nov 2010 09:15:34 -0500
Subject: [hunchentoot-devel] Windows domain login
In-Reply-To:
References:
Message-ID:

I ended up using isapi_rewrite, but your mod_auth_kerb suggestion is
illuminating and I'll keep it in mind as I approach production. Thanks all!

On Thu, Nov 18, 2010 at 8:27 AM, Andrey Moskvitin wrote:
> > How can I discover the Windows domain login of the user accessing a web
> > app on the intranet? I run Clozure CL on Windows. Has anybody done this?
> > I don't want to authenticate because users are used to single sign-on
> > and transparent access.
>
> I use Hunchentoot + Apache + mod_auth_kerb for transparent authentication
> of users.
> Here is a template config for Apache:
>
> ServerName myserver
>
> RewriteEngine On
> RewriteCond %{LA-U:REMOTE_USER} (.+)
> RewriteRule . - [E=RU:%1]
> RequestHeader set REMOTE-USER %{RU}e
>
> ProxyPass / http://hunchentoot-server:port/
>
> AuthType Kerberos
> KrbAuthRealms MYDOAIN
> KrbServiceName HTTP/myservicename
> Krb5Keytab /path/to/keytab
>
> require valid-user
>
> Allow from all
> Deny from all
>
> See documentation on mod_auth_kerb for details.
>
> Now the user login can be calculated as follows:
>
> (hunchentoot:header-in* :remote-user)
>
> Andrey

From archimag at gmail.com Thu Nov 18 14:25:20 2010
From: archimag at gmail.com (Andrey Moskvitin)
Date: Thu, 18 Nov 2010 17:25:20 +0300
Subject: [hunchentoot-devel] Windows domain login
In-Reply-To:
References:
Message-ID:

> I ended up using isapi_rewrite, but your mod_auth_kerb suggestion is
> illuminating and I'll keep it in mind as I approach production. Thanks all!

Oh, I thought that if you are using a server with Windows, then perhaps you
may find it easier to use Apache with sspi_auth_module. I no longer use
Windows, and completely forgot about this module.

Andrey

From poketo7878 at yahoo.co.jp Wed Nov 24 16:34:14 2010
From: poketo7878 at yahoo.co.jp (poketo7878 at yahoo.co.jp)
Date: Thu, 25 Nov 2010 01:34:14 +0900
Subject: [hunchentoot-devel] Little Patch to set no_log option like Apache.
Message-ID: <4CED3E86.7030304@yahoo.co.jp>

Hello, I love to use hunchentoot.

Sometimes I want to set up a no_log option like Apache's, but I can't find
any option to set this. So I wrote a little patch for the hunchentoot files
(packages.lisp, log.lisp, headers.lisp, specials.lisp).

Perhaps I don't have a good sense for function (and variable) names, so
please fix the variable names if you want.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: headers.lisp.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.lisp.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: packages.lisp.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: specials.lisp.patch
URL:

From poketo7878 at yahoo.co.jp Thu Nov 25 11:51:13 2010
From: poketo7878 at yahoo.co.jp (Pocket)
Date: Thu, 25 Nov 2010 20:51:13 +0900
Subject: [hunchentoot-devel] Little Patch to set no_log option like Apache.
In-Reply-To:
References: <4CED3E86.7030304@yahoo.co.jp>
Message-ID: <4CEE4DB1.3090200@yahoo.co.jp>

Thank you for your advice, Hans.

> Also consider providing a more realistic name for
> yourself so that it is easier to recognize you as a person.

Sorry for my unreadable name. I'm Japanese, so my name is written in Chinese
characters, and I forgot to fix my name.

I rewrote some of my code and made a new patch in one file. I also added
some text to doc/index.xml.

Explanation of my patch:

Apache has a feature to set up which requests will not be written to the
log. For example, if I write this in httpd.conf (Apache's configuration
file):

SetEnvIf Remote_Addr 192.168. no_log

then local requests will not be written to the log. This option is useful
for sorting out the important log entries.

So I ported this feature to hunchentoot, and I added these functions and
this special variable:

create-request-remote-addr*-matcher
create-request-user-agent-matcher
create-request-script-name*-matcher
*no-log-request-matchers*

With this patch you can set up the no_log option by the request's
remote-addr*, user-agent and script-name, like this:

(push (create-request-remote-addr*-matcher "127.0.0.1") *no-log-request-matchers*) ;; no_log from own pc.
(push (create-request-user-agent-matcher "iPhone") *no-log-request-matchers*) ;; no_log from iPhone browser.
(push (create-request-script-name*-matcher "/images") *no-log-request-matchers*) ;; no_log for URIs which contain "/images".

I tested it on my web server and my iPhone, and it works fine.

From poketo7878 at yahoo.co.jp Thu Nov 25 12:17:21 2010
From: poketo7878 at yahoo.co.jp (Pocket)
Date: Thu, 25 Nov 2010 21:17:21 +0900
Subject: [hunchentoot-devel] Little Patch to set no_log option like Apache.
In-Reply-To: <4CEE4DB1.3090200@yahoo.co.jp>
References: <4CED3E86.7030304@yahoo.co.jp> <4CEE4DB1.3090200@yahoo.co.jp>
Message-ID: <4CEE53D1.5010403@yahoo.co.jp>

Thanks! This is the patch in one file for the hunchentoot-1.1.1 folder.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hunchentoot.patch
URL:

From poketo7878 at yahoo.co.jp Thu Nov 25 12:21:37 2010
From: poketo7878 at yahoo.co.jp (Pocket)
Date: Thu, 25 Nov 2010 21:21:37 +0900
Subject: [hunchentoot-devel] Little Patch to set no_log option like Apache.
In-Reply-To: <4CED3E86.7030304@yahoo.co.jp>
References: <4CED3E86.7030304@yahoo.co.jp>
Message-ID: <4CEE54D1.6040607@yahoo.co.jp>

Oops, I made a mistake in the patch. (I forgot to delete .DS_Store and a
vim backup file.) This is the correct version. Sorry for the mis-send :(
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hunchentoot.patch
URL:
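
The two access-control answers earlier in this archive fit together: Andrey's proxy passes the authenticated user in a REMOTE-USER header, and Nico's authorized-dispatcher gates a static file on a predicate. The block below is an added example, not code from the list or from Hunchentoot; `*trusted-proxies*`, `proxy-user`, `proxy-user-in`, the address and the principal are assumptions. It accepts the header only when the request comes from the proxy's address, because Hunchentoot alone cannot tell who set it.

```lisp
;;; Added example, not code from the thread or from Hunchentoot itself.
;;; *TRUSTED-PROXIES*, PROXY-USER and PROXY-USER-IN are assumed names;
;;; the address and the principal below are placeholders.
;;; Requires Hunchentoot to be loaded, e.g. (ql:quickload :hunchentoot).

(defparameter *trusted-proxies* '("127.0.0.1")
  "Peer addresses of the Apache front end that may assert REMOTE-USER.")

(defun proxy-user (&optional (request hunchentoot:*request*))
  "Return the user name the proxy put in the REMOTE-USER header, or NIL.
The header is believed only when the TCP peer is a trusted proxy, so a
client that connects to Hunchentoot directly cannot name its own user."
  (let ((user (hunchentoot:header-in* :remote-user request)))
    (when (and (stringp user)
               (plusp (length user))
               (member (hunchentoot:remote-addr* request) *trusted-proxies*
                       :test #'string=))
      user)))

(defun proxy-user-in (&rest principals)
  "Authorization predicate in the style of Nico's ROLE: true when the
proxied user is one of PRINCIPALS. Comparison is exact (STRING=)."
  (lambda ()
    (let ((user (proxy-user)))
      (and user (member user principals :test #'string=) t))))

;; Nico's wrapper, repeated so the block loads on its own.
(defun authorized-dispatcher (dispatch-fn authorized-p)
  (lambda (request)
    ;; Returning NIL hands the request to the next dispatcher in the
    ;; table, so the static file handler is never reached.
    (when (funcall authorized-p)
      (funcall dispatch-fn request))))

(push (authorized-dispatcher
       (hunchentoot:create-static-file-dispatcher-and-handler
        "/foo.txt" "/srv/foo.txt")
       (proxy-user-in "alice@EXAMPLE.ORG"))
      hunchentoot:*dispatch-table*)
```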