tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pier Fumagalli <>
Subject Re: javascript access protection
Date Mon, 05 Nov 2001 14:31:41 GMT
Thierry RAIBAUT at wrote:

> Hello,
> could somebody explain me how is it possible to protect some ressources from
> direct access.
> I think about a javascript directory.
> This directory has to be accessed by some JSP pages, but I do not want the
> user to access this directory
> directly with the browser by setting the javascript file url.
> I move my javascript directory under web-inf but by doing this, js files are
> no longer available even for jsp pages.
> thanks a lot for your help.

Its pointless to keep re-writing the same question over and over (blocked 3
in moderation, one got thru, apparently) if you don't read the answers
(DOH!)... I replied last week:

------ Forwarded Message
From: Pier Fumagalli <>
Reply-To: "Tomcat Users List" <>
Date: Sat, 03 Nov 2001 17:30:44 +0000
To: Tomcat Users List <>
Subject: Re: javascript access protection.

Javascripts are interpreted BY THE CLIENT, not by the server, so no matter
what, the client NEEDS to se that .js file, and needs to be able to download


------ End of Forwarded Message

Dean tooo...

------ Forwarded Message
From: "Deacon Marcus" <>
Reply-To: "Tomcat Users List" <>
Date: Sat, 3 Nov 2001 21:07:56 +0100
To: "Tomcat Users List" <>
Subject: RE: javascript access protection.


There's no "real" protection since the files in question would end up in
browser's cache, no matter disk or memory, anyway.
Try setting a filter on the directory containing the .js files and checking
for "referer" http header. It's not a real solution, you could still telnet
:80 and write GET /dir/file.js2 HTTP/1.1 [enter] Referer:
http://server/file.jsp [enter] [enter] and get the file, but it's the best
you can do. Filters are 2.3 of course.

Greetings, deacon Marcus

------ End of Forwarded Message

And Ralph today.

------ Forwarded Message
From: "Ralph Einfeldt" <>
Reply-To: "Tomcat Users List" <>
Date: Mon, 5 Nov 2001 15:15:55 +0100
To: "Tomcat Users List" <>
Subject: AW: javascript access protection

You have following choices:
- Suppress the access to the javascript files if the referrer
  is empty. Implement a filter in tc 4.0)
  Disadvantage: You won't win much, because anybody who is
  interested in the file can get it with ie ('save page as')
- security by obscurity
  scramble the javascript, so that it's hard
  to read. (At least requires some work for
  the spy)
  Disadvantage: You won't win much either, but have
  additional work.

------ End of Forwarded Message

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message