<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hi all –<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I was given a project to research if it’s possible to
prevent users from accessing a path directly using NGINX.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here’s our layout: IIS &amp; JBoss<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>We have an IIS server presenting clients with their login
page. After the client logs in it does a lookup within the database to
verify the client’s credentials. Once the client has been verified, the
user is redirected to the appropriate application server – JBOSS
application server.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The client is then able to do whatever their license allows.
<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So within IIS and the JBoss application server, we’re
able to control access to a certain degree, however there are some pages served
by JBoss that can be accessed directly if you know the path. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Example: <o:p></o:p></p>
<p class=MsoNormal> IIS:
http://loginpage = secure<o:p></o:p></p>
<p class=MsoNormal> JBoss:
<a href="http://successful_login/jboss.ear">http://successful_login/jboss.ear</a>
= secure<o:p></o:p></p>
<p class=MsoNormal>
JBoss: <a href="http://regular_html_pages/ourstuff.html">http://regular_html_pages/ourstuff.html</a>
= can be accessed directly.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>We already know that if we write code within our application
we can control that behavior, but we’re reluctant to make any changes to
the application at this time.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So to conclude<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Once the user has successfully logged into the IIS server
and is handed off to JBoss, the user does receive a JSESSIONID. Is
there any way to tell NGINX that unless there is an associated JSESSIONID you
will not be allowed to access the page directly? Or any other suggestion
you may have to offer?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks for any and all help!<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>-Shamunda<o:p></o:p></p>
</div>
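<p class=MsoNormal>An added example, not part of the original message and not a tested configuration for this site: an NGINX reverse proxy in front of JBoss that refuses the directly reachable HTML path when no JSESSIONID cookie is sent, then asks the application whether that session is actually valid. The host names, the upstream address and the /session-check URL are assumptions; /session-check stands for any existing application URL that answers 2xx for a live session and 401 or 403 otherwise.</p>

```nginx
# Added example. All names and addresses below are placeholders.
upstream jboss_app {
    server 10.0.0.10:8080;              # placeholder JBoss address
}

server {
    listen 80;
    server_name app.example.com;        # placeholder public host name

    # The pages that can currently be fetched directly if the path is known.
    location /regular_html_pages/ {
        # Cheap first gate: $cookie_JSESSIONID is empty when the request
        # carries no JSESSIONID cookie at all.
        if ($cookie_JSESSIONID = "") {
            return 302 http://login.example.com/;   # placeholder IIS login page
        }

        # Second gate: a cookie that is merely present proves nothing, so let
        # the application confirm the session before the page is served.
        # Requires ngx_http_auth_request_module (--with-http_auth_request_module).
        auth_request /_session_check;
        error_page 401 403 = @login;

        proxy_set_header Host $host;
        proxy_pass http://jboss_app;
    }

    # Internal subrequest target; the client's Cookie header is forwarded.
    location = /_session_check {
        internal;
        proxy_pass http://jboss_app/session-check;  # hypothetical endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location @login {
        return 302 http://login.example.com/;       # placeholder IIS login page
    }

    # Everything else is passed through unchanged.
    location / {
        proxy_set_header Host $host;
        proxy_pass http://jboss_app;
    }
}
```

<p class=MsoNormal>The first gate alone only stops requests that send no cookie; a client can supply any JSESSIONID value, so the validity decision has to come from the application, as the auth_request step does here. JBoss must also be reachable only through NGINX, otherwise the path stays directly accessible.</p>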
<P align=left><FONT face=Tahoma size=2><FONT color=#0000ff>25/1/2009</FONT></FONT></P></body>
</html>