Restrict request to a specific IP Address

[FossilFM]

We currently have a setup of our web publishing installed on one server and the Apache Web Service installed on another server. Is there a way in the web publishing of FileMaker Server Advanced to restrict access to the Apache Web server's IP Address? Or is it a setup in the server operating system. We are currently running OS X Server on both servers.

Another question is, how can i prevent someone from making the request of /fmi/xml/fmresultset.xml?-dbnames which list out the names of the databases that are being shared on the web.

Thanks.

[FossilFM]

We currently have a setup of our web publishing installed on one server and the Apache Web Service installed on another server. Is there a way in the web publishing of FileMaker Server Advanced to restrict access to the Apache Web server's IP Address? Or is it a setup in the server operating system. We are currently running OS X Server on both servers.

Another question is, how can i prevent someone from making the request of /fmi/xml/fmresultset.xml?-dbnames which list out the names of the databases that are being shared on the web.

Thanks.

[FossilFM]

We currently have a setup of our web publishing installed on one server and the Apache Web Service installed on another server. Is there a way in the web publishing of FileMaker Server Advanced to restrict access to the Apache Web server's IP Address? Or is it a setup in the server operating system. We are currently running OS X Server on both servers.

Another question is, how can i prevent someone from making the request of /fmi/xml/fmresultset.xml?-dbnames which list out the names of the databases that are being shared on the web.

Thanks.

[Martin Brändle]

Question 1: I think you have to play with the Apache Tomcat settings of FMS7A, which can be dangerous, but for the moment I have no clue where to start.

Question2: There is a simple, an intermediate and a complicated answer.

- Simple: Turn off XML publishing for the databases not to be seen.

- Medium: Don't turn off XML publishing, but assign an account and a password to the fmxml privilege set. Use this account:password only in XSLT stylesheets (e.g. in http://name:password@localhost/fmi/xml/fmresultset.xml?.. calls). If no errors happen in the XSLT transformation, this information will not be displayed to the user. Users still see which databases are open, but can't send any XML requests if they don't know the password.

- Complicated: Turn off XML publishing for the databases not to be seen. Use XSLT only. Replace all XML calls in your XSLT stylesheets with a query that calls a template that simply copies your XML result tree to a variable, in the following sense:

<xsl:variable name="tree1" select="document('copydata.xsl?-grammar=.... ')"/>

The copydata.xsl contains the following:

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>

<xsl:template match="/">

<xsl:copy-of select="."/>

</xsl:template>

</xsl:stylesheet>

Then use the variable(s).

Martin

[Martin Brändle]

Question 1: I think you have to play with the Apache Tomcat settings of FMS7A, which can be dangerous, but for the moment I have no clue where to start.

Question2: There is a simple, an intermediate and a complicated answer.

- Simple: Turn off XML publishing for the databases not to be seen.

- Medium: Don't turn off XML publishing, but assign an account and a password to the fmxml privilege set. Use this account:password only in XSLT stylesheets (e.g. in http://name:password@localhost/fmi/xml/fmresultset.xml?.. calls). If no errors happen in the XSLT transformation, this information will not be displayed to the user. Users still see which databases are open, but can't send any XML requests if they don't know the password.

- Complicated: Turn off XML publishing for the databases not to be seen. Use XSLT only. Replace all XML calls in your XSLT stylesheets with a query that calls a template that simply copies your XML result tree to a variable, in the following sense:

<xsl:variable name="tree1" select="document('copydata.xsl?-grammar=.... ')"/>

The copydata.xsl contains the following:

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>

<xsl:template match="/">

<xsl:copy-of select="."/>

</xsl:template>

</xsl:stylesheet>

Then use the variable(s).

Martin

[Martin Brändle]

Question 1: I think you have to play with the Apache Tomcat settings of FMS7A, which can be dangerous, but for the moment I have no clue where to start.

Question2: There is a simple, an intermediate and a complicated answer.

- Simple: Turn off XML publishing for the databases not to be seen.

- Medium: Don't turn off XML publishing, but assign an account and a password to the fmxml privilege set. Use this account:password only in XSLT stylesheets (e.g. in http://name:password@localhost/fmi/xml/fmresultset.xml?.. calls). If no errors happen in the XSLT transformation, this information will not be displayed to the user. Users still see which databases are open, but can't send any XML requests if they don't know the password.

- Complicated: Turn off XML publishing for the databases not to be seen. Use XSLT only. Replace all XML calls in your XSLT stylesheets with a query that calls a template that simply copies your XML result tree to a variable, in the following sense:

<xsl:variable name="tree1" select="document('copydata.xsl?-grammar=.... ')"/>

The copydata.xsl contains the following:

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>

<xsl:template match="/">

<xsl:copy-of select="."/>

</xsl:template>

</xsl:stylesheet>

Then use the variable(s).

Martin