[opencms-dev] How is it possible to disable workplace? (revisited)
Steve Mato
smato at icc.net
Fri Jun 3 21:30:18 CEST 2005
Yes, I know this thread is about a 1/2 year old. I'm trying to do the same thing as Farnaz today. I'm about to go into production with our new website. What I did to secure access to /system/login & workplace was slightly different though. It did not work (behaviour was strangely too). Hope someone can shed light on why.
I went so far as creating another <Service ...> instance in server.xml, using another <Connector ...> on another port with the necessary <Engine ...> and <Host ...> definitions under it. I used a <Context ...> redefinition to re-point where the /system/login and /system/workplace looked for files in that instance, therein "disabling" them on what I'll call the "public port". On the "private port" site, access to those /system/ paths were unaltered. We will use router restrictions to limit who can access the "private port".
...HOWEVER, when I used the "private" port site and published something to a non-exportable dynamic page, browsing by the private port showed the updated content, but browsing to the public port did not show the published content ... [!!! ??? !!!!]
So why is that? I was using the same OpenCMS Servlet in the same Tomcat Server JVM [but different Service instance], all going against the =same= OpenCMS database in MySQL. Why did browsing by the other port than the one used to publish the new content not show the newly published content?
More important then "why", How can I get it too? If I get that, I can feel comfortable in that no-one in the public Internet can even see [browse, invoke] the /system/login or /system/workplace paths. Farnaz and I can't be the first prople attempting to do this...
[I'm using OpenCMS 5.0.1 ... sorry, but going to 6 is not an option @ the moment]
Best Regards,
Steve Mato
Alexander Kandzior alex at opencms.org
Wed Oct 6 10:27:02 CEST 2004
workplace.limited.port may or may not work in 5.0.x. I must say that this
feature never was really tested much.
In 6.0, you can just place the workplace site to a different hostname/post
and have your Firewall protect access to this.
Best Regards,
Alex.
Alexander Kandzior
Alkacon Software - The OpenCms Experts
http://www.alkacon.com <http://www.alkacon.com/>
_____
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Claus Priisholm
Sent: Wednesday, October 06, 2004 9:22 AM
To: The OpenCms mailing list
Subject: Re: [opencms-dev] How is it possible to disable workplace?
As mentioned I haven't tried it, but it seems to be the idea - anyone out
there that actually have used this feature?
On 5/10-2004, at 14.37, Farnaz Fotrousi wrote:
Do you mean the web-site port would be different than workplace port, when
we set "workplace.limited.port" property to another port in
"opencms.properties"?
Claus Priisholm <cpr at codedroids.com> wrote:
I haven't fiddled with this myself, but maybe it is something you can
utilize for your setup:
# workplace limited port
# This is the port the workplace access is limited to. With the
opencms.properties
# the access to the workplace can be limited to a user defined port.
With this
# feature a firewall can block all outside requests to this port with
the result
# the workplace is only available in the local net segment.
# Default=-1 (no limit)
workplace.limited.port=-1
Maybe this approach can be used with https, ie. setting the port to be
say 443 (or whatever the https port is set to). But if you're behind a
firewall and doing VPN adding HTTPS seems to be a bit of an overkill.
On 5/10-2004, at 7.49, Farnaz Fotrousi wrote:
> Dear Arash,
>
> Thanks a lot for your solution. My problem is that I don't want to let
> any one to enter opencms workplace through internet. I just want to
> let them work with opencms in VPN, But have a site on internet.
>
> Consider the situation that I implement an advanced authentication and
> put all on internet. If any one find username and password, can enter
> opencms workplace and make any undesirable changes on site.But This
> situation is terrible.
>
> So I prefere to have two databases. One for VPN and one for Internet.
> In VPN database, have opencms workplace but in Internet database
> doesn't have or disable it.
> Is it possible?
> It is good to mention that I have lots of dynamic pages.
>
> Best Regards,
> Farnaz.
>
>
> Arash Kaffamanesh wrote:
> > For more security, How it is possible to disable workplace? Do you
> have another solution?
>
> you can either export your site statically and serve it with a
> webserver (e.g proxied apache or iis), or
>
> connect via https, if you have to use the dynamic mode for several
> reasons (e.g using lucene), or
>
> you can write your own custom login (e.g. with jaas, cas) and replace
> the basic authentification
>
> > For solving this problem I think, I need to install another opencms
> with another DB and disable the workplace in the way that no body can
> enter workplace.
>
> and how would you yourself enter the workplace? ;-)
>
> in short: the fastest secure way is to ssl / tls enable your tomcat
> --> https.
>
> Best Regards,
> Arash
> -----Original Message-----
> From: opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Farnaz Fotrousi
> Sent: Montag, 4. Oktober 2004 14:34
> To: opencms
> Subject: [opencms-dev] How is it possible to disable workplace?
>
> Hi,
>
> I have made a site through opencms.Now I would like to publish this
> site but I fear that If I put this site on the internet, some one can
> crack and enter opencms workplace. So he can make any undesirable
> changes on this site.
>
> For solving this problem I think, I need to install another opencms
> with another DB and disable the workplace in the way that no body can
> enter workplace.
>
> For more security, How it is possible to disable workplace? Do you
> have another solution?
>
> Reagards,
> Farnaz
>
> Do you Yahoo!?
> New and Improved Yahoo! Mail - Send 10MB messages!
More information about the opencms-dev
mailing list