We have Crowd/Confluence connnector that prevents unauthorized users from accessing the Confluence-rendered pages.
However, anyone (include external remote hosts) can still access directories such as images, includes, and other files. Is there any way to prevent access to these from non-authorized users?
For example, to view content on our Confluence site, you'd need a login to view http://mysite.com. However, you could access images, for example, at http://mysite.com/images/en_GB.gif or raw decorator source files, for example, at http://mysite.com/decorators/admin.vmd.
Does anyone else see this as a security issue?
The images directory in your instance contains a lot of the standardized Atlassian logos and images that we use all around the site that need to be accessible to anonymous viewers. For instance, your site logo on the Confluence login page has your site logo stored in /images/logos, and without anonymous access, the user would just see a broken image link when logging in. All images uploaded to your site by users are behind the /download/attachments resource, which is login protected so long as you don't have the global and space permissions for anonymous users set.
As for the Velocity files, I'm unfortunately a little less knowledgeable about the need for anonymous access to the content. However, if you haven't made any customizations to the files themselves, they should not have any information to worry about. More importantly, the anonymous access to either of these resource locations does not inherntly put you site at risk.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG