struts-user mailing list archives

From "Nail, Evan Burke" <Evan.N...@ENRON.com>
Subject [FRIDAY] RE: JSP Protection
Date Fri, 16 Jan 2004 13:19:15 GMT

Perhaps I have a different browser, but mine keeps asking for /images/deniserichards.jpg


hmmm



-----Original Message-----
From: Max Cooper [mailto:max@maxcooper.com]
Sent: Thursday, January 15, 2004 7:20 PM
To: Struts Users Mailing List
Subject: Re: JSP Protection


The images are requested directly by the browser, so they must be accessible
from the outside. Here's a little browser-server dialog to illustrate how it
works:

Browser: please give me /DoSomething.do
Server: Here you go... (server invokes Struts action servlet, action servlet
invokes the requested action, action says it wants to forward to a JSP,
action servlet does the forward...)
<html><img src="/images/bitchin_camaro.jpg"></html>

Browser: please give me /images/bitchin_camaro.jpg
Server: Here you go...
24927image247data7902578259image293data85984396574389...

The request for the action returns HTML. The browser reads the HTML and sees
that it references an image. The browser then makes a separate request for
the image file so that it can render the page. The image file must be
"request-able" by the browser or it won't show up when someone wants to view
the page.

-Max

----- Original Message ----- 
From: "lixin chu" <lixin_chu@yahoo.com>
To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Sent: Thursday, January 15, 2004 5:07 PM
Subject: RE: JSP Protection


> I can successfully move all the files into
> /WEB-INF/subfolder (WEB-INF is protected by default)
> except the images/ folder. It seems that I have to
> leave it outside - in the webapp root.
> I am using Tomcat 5.0.16. Is it a defect, or is it like
> this?
>
> --- "Karr, David" <David.Karr@wamu.net> wrote:
> > Put all JSP pages that can't be accessed directly
> > into a security constraint, only accessible by the
> > role "nobody", which you will never add a user to.
> > All accesses of JSPs will be through forwards from
> > actions, which will not be blocked by that security
> > constraint (unless you either have a broken web
> > container or a Servlet 2.4 container where you've
> > enabled auth on forward).
> >
> > -----Original Message-----
> > From: Jürgen Scheffler
> > [mailto:Juergen.Scheffler@gmx.de]
> > Sent: Thursday, January 15, 2004 8:15 AM
> > To: struts-user@jakarta.apache.org
> > Subject: JSP Protection
> >
> >
> > Hi,
> >
> > How do I block URL guessing?
> > If someone requests abc.com/secret_page.jsp
> > he gets it. In my Action I check if the user object
> > has the right rights for this action and then I
> > forward him. But if he guesses the JSP, he opens it.
> >
> > Help me!
> >
> > Jürgen
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
>
>
>
>
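For reference, here is what the two approaches discussed in this thread look like in a Servlet 2.3/2.4 web.xml and a Struts 1.x struts-config.xml. This is an added illustration, not code posted by anyone in the thread and not the Struts project's own configuration; the action class `example.DoSomethingAction`, the directory `/WEB-INF/pages/` and the image path `/images/` are assumed names chosen for the example, while `/DoSomething.do` and `secret_page.jsp` are the names used in the messages above.

```xml
<!-- web.xml (excerpt). Added example; not from the thread. -->
<web-app>

  <!-- Approach 1 (David Karr): constrain every direct request for a JSP to a
       role that is never granted to any user. Security constraints apply only
       to requests arriving from the client; a RequestDispatcher forward from a
       Struts action is not a client request, so the action can still render
       the page while a guessed URL such as /secret_page.jsp is refused. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs reachable only through actions</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed dummy role: declare it below but never map a user to it.
           An empty <auth-constraint/> (no role-name at all) is the spec's own
           way of saying "no principal may access" and works as well. -->
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declaring the role avoids the "role used without being defined"
       warning Tomcat logs for undeclared roles in an auth-constraint. -->
  <security-role>
    <role-name>nobody</role-name>
  </security-role>

  <!-- /images/ is deliberately left unconstrained: as Max explains, the
       browser parses the returned HTML and then fetches each image itself,
       so image files must remain directly request-able. The *.jsp pattern
       above never matches them. -->

</web-app>

<!-- struts-config.xml (excerpt). Added example; not from the thread. -->
<struts-config>
  <action-mappings>
    <!-- Approach 2 (lixin chu): keep the JSP under /WEB-INF/. The container
         never serves anything below WEB-INF to a direct request, but a
         RequestDispatcher forward from the action can still reach it.
         The rights check itself stays in the Action, as Jürgen describes. -->
    <action path="/DoSomething" type="example.DoSomethingAction">
      <forward name="success" path="/WEB-INF/pages/secret_page.jsp"/>
    </action>
  </action-mappings>
</struts-config>
```

To check a deployment, request the JSP directly and through the action: a direct `GET /secret_page.jsp` should be refused (Tomcat answers 403, or issues a login challenge if a `<login-config>` is present, and the dummy role can never be satisfied either way), while `GET /DoSomething.do` still returns the rendered page and `GET /images/bitchin_camaro.jpg` still returns the image. Both approaches rely on the container not applying security constraints to forwards, which is the caveat David Karr raises for containers that have been configured otherwise.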

