How to hide folder content from CSP applications
Hi
Just looking to tighten up a new application
As an example, the application may have a path such as:
Omniata.au/csp/SomeApp/ListIndex.csp
on a Windows server in the path of:
C:\InterSystems\IRIS\CSP\SomeApp
and display images from a path such as:
C:\InterSystems\IRIS\CSP\SomeApp\images\Pic1.jpg
If a user wishes to browse through the website, they could point their browser at the path:
Omniata.au/csp/SomeApp/images
and guess some file names, and they could view the images.
If I do something similar on commercial web sites, I get an error that I'm not authorised to view it. I get:
Forbidden
You don't have permission to access this resource.
How do I set up the application folder and its sub-folders to be inaccessible to casual browsing, and only allow the application to access them?
My guess is it's to do with the user access, but I'm not sure what 'user' my application is and what 'user' a casual browser is to set the permissions.
Thanks in advance
Rosti
Comments
How do I set up the application folder and its sub-folders to be inaccessible to casual browsing, and only allow the application to access them?
Depending on your goal, there are different approaches available. Do you want users to see images only after logging into the application (so a general control on resources), or do you want individual access (only some users can see a specified image)?
If it's the first one, go to the web application configuration page and set Serve Files to Use InterSystems Security. In that case, if the user has permission to view a csp/cls page in this application, they are allowed to view a static file; if they do not have permission to view a csp/cls page, a 404 Page Not Found page is returned.
For the second case, use a REST broker to serve files and implement arbitrary checks in the broker.
Thanks for your input Eduard
It's the first scenario. I would only like to provide access to just my application.
Should an inquisitive user bypass the application by simply pointing their browser to a URL with the path containing my images (such as OmniData.au/csp/SomeApp/images/Image1.jpg), I would like them to get an error.
As this completely bypasses IRIS, it seems to me that it is the OS that needs to block the display of the web server's folder contents, unless it's the IRIS application having a look.
I would imagine going to the Security Properties of the folders and DENY access to all but an IRIS application (and the Server Admin). My question is: how does the OS (Ms Windows 2019 Server) identify an IRIS application and allow access?
Thanks
Rosti
If you have a web application /csp/SomeApp and users need to log in to access this application, it is enough to go to the /csp/SomeApp web application configuration page and set Serve Files to Use InterSystems Security to get the effect you want. After making this change, users would not be able to access /csp/SomeApp/image.png without logging into your application first.
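The same change that both comments above describe (Serve Files = Use InterSystems Security), applied from ObjectScript instead of the Management Portal, as an added example that is not part of the original thread. It assumes the web application is named /csp/SomeApp as in the question, that the caller holds the %Admin_Secure resource needed to edit Security.Applications, and that the ServeFiles value list of that class is 0 = No, 1 = Always, 2 = Always and cached, 3 = Use InterSystems Security. The class name Demo.ServeFilesHardening is made up for this example. It also checks the one thing that silently defeats the setting: if the application still allows Unauthenticated access (bit 64 of AutheEnabled), every visitor already "has permission" to run pages, so the images stay public.

```objectscript
/// Added example (not from the thread): switch a web application's static-file
/// serving to "Use InterSystems Security" from code, and refuse to do so while
/// the application still permits anonymous (Unauthenticated) logins.
/// Assumed: ServeFiles values 0=No, 1=Always, 2=Always and cached,
/// 3=Use InterSystems Security; caller holds %Admin_Secure.
Class Demo.ServeFilesHardening
{

/// Harden the named web application. Returns a %Status. After success, an
/// anonymous request for /csp/SomeApp/images/Pic1.jpg gets a 404 from the Web
/// Gateway until the browser has a session allowed to run a CSP/class page there.
ClassMethod Harden(app As %String = "/csp/SomeApp") As %Status
{
    // Security.Applications lives in %SYS; restore the caller's namespace on exit
    New $Namespace
    Set $Namespace = "%SYS"

    If '##class(Security.Applications).Exists(app) {
        Return $$$ERROR($$$GeneralError, "Web application "_app_" does not exist")
    }

    Set sc = ##class(Security.Applications).Get(app, .props)
    If $$$ISERR(sc) Return sc

    // Bit 64 of AutheEnabled = Unauthenticated. $ZBOOLEAN(a,b,1) is bitwise AND.
    // With anonymous access on, "user has permission to view a page" is always
    // true, so ServeFiles=3 would not hide anything.
    If $ZBoolean(props("AutheEnabled"), 64, 1) {
        Return $$$ERROR($$$GeneralError, app_" allows Unauthenticated access; disable it first or the files stay public")
    }

    // Already hardened: nothing to change
    If props("ServeFiles") = 3 Return $$$OK

    Set change("ServeFiles") = 3
    Return ##class(Security.Applications).Modify(app, .change)
}

/// Print the two settings that decide whether casual browsing of the images
/// directory is possible.
ClassMethod Report(app As %String = "/csp/SomeApp")
{
    New $Namespace
    Set $Namespace = "%SYS"
    Set sc = ##class(Security.Applications).Get(app, .props)
    If $$$ISERR(sc) { Write $System.Status.GetErrorText(sc),! Quit }
    Set label = $Case(props("ServeFiles"), 0:"No", 1:"Always", 2:"Always and cached", 3:"Use InterSystems Security", :"unknown")
    Write app,!
    Write "  ServeFiles      = ",props("ServeFiles")," (",label,")",!
    Write "  Unauthenticated = ",''$ZBoolean(props("AutheEnabled"), 64, 1),!
}

}
```

Run it from a terminal as an administrator: Do ##class(Demo.ServeFilesHardening).Harden("/csp/SomeApp"), then Do ##class(Demo.ServeFilesHardening).Report("/csp/SomeApp"). To confirm the effect, request the image URL from a fresh private browser window (no existing session): it should return 404 rather than the picture. One caveat: this setting is enforced by the Web Gateway, so it only protects requests that actually reach the gateway. If the front-end web server (IIS here) has been separately configured to serve the CSP directory with its own static-file handler, that path never consults IRIS and the files remain browsable regardless of this setting; check which handler owns the /csp/ path on the web server.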