From: Luke <sl...@li...> - 2006-09-18 02:43:53

On Sun, 17 Sep 2006, Trevor Hennion wrote:
> > SSL does not prevent it, and we can't really block based upon IP
> > addresses, because of mobile client users.
> > For the same reason, it is difficult to implement any kind of htaccess
> > authorization scheme, unless I write one that interfaces with SL's
> > existing authorization system.
> >
> > It is not always possible, or reasonable, to bullet-proof a server as you
> > claim to have done.
>
> A .htaccess file in /usr/local/sql-ledger containing something like:
> AuthType Basic
> AuthName "Accounts"
> AuthUserFile /var/www/passwd/passwords
> Require valid-user

With multiple corporations, with multiple users each, this separate maintaining of username/password combinations would be highly annoying, and prone to error.

Also worth considering is that with two sets of user names and passwords, users are even more likely to start writing things down, or keeping other sorts of penetrable records.

Application level security is the problem and the solution here.

> Add a line in the sql-ledger-httpd.conf file under:
> <Directory /usr/local/sql-ledger>
> SSLRequireSSL

Just for clarity, my systems are using SSL. It encrypts transacted data. It does nothing for access security.

Luke
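For reference, the two pieces Trevor suggests belong in the same `<Directory>` block, because they solve different problems: `SSLRequireSSL` only encrypts the connection, while the `Auth*` directives are what actually gate access. The following is an added example assembled from the directives quoted in this thread, not a configuration shipped by SQL-Ledger or posted by either participant; the directory and password-file paths are taken from the thread and are assumptions about the local layout.

```apache
# Added example (not from the thread): Trevor's directives combined in one
# <Directory> block of sql-ledger-httpd.conf. Paths are assumed from the thread.
<Directory /usr/local/sql-ledger>
    # Transport protection: refuse plain-HTTP requests for this directory.
    # This encrypts traffic in transit; it authenticates nobody.
    SSLRequireSSL

    # Access control: HTTP Basic authentication in front of the application.
    # Basic auth sends credentials base64-encoded, not encrypted, which is
    # why SSLRequireSSL above matters when this block is used.
    # These credentials are a second set, separate from SQL-Ledger's own
    # logins, which is the maintenance burden Luke objects to.
    AuthType Basic
    AuthName "Accounts"
    AuthUserFile /var/www/passwd/passwords
    Require valid-user
</Directory>
```

The password file is created and maintained with Apache's `htpasswd` utility (for example `htpasswd -c /var/www/passwd/passwords alice` for the first user, then without `-c` for each additional one). Keep `AuthUserFile` outside any `DocumentRoot` so the hash file is never served, and note that with both mechanisms in place a user still has to authenticate twice: once to Apache and once to SQL-Ledger, which is exactly the double-credential problem raised above.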