Date: Mon, 05 Nov 2001 14:31:41 +0000
Subject: Re: javascript access protection
From: Pier Fumagalli
To: Tomcat Users List, Thierry RAIBAUT
In-Reply-To: <008a01c16600$98843980$0200a8c0@PETRUS>

Thierry RAIBAUT at thierry.raibaut@libertysurf.fr wrote:

> Hello,
>
> could somebody explain to me how it is possible to protect some resources from
> direct access.
>
> I think about a javascript directory.
> This directory has to be accessed by some JSP pages, but I do not want the
> user to access this directory
> directly with the browser by setting the javascript file url.
>
> I moved my javascript directory under web-inf but by doing this, js files are
> no longer available even for jsp pages.
>
> thanks a lot for your help.

It's pointless to keep re-writing the same question over and over (blocked 3 in
moderation, one got thru, apparently) if you don't read the answers (DOH!)...

I replied last week:

------ Forwarded Message
From: Pier Fumagalli
Reply-To: "Tomcat Users List"
Date: Sat, 03 Nov 2001 17:30:44 +0000
To: Tomcat Users List
Subject: Re: javascript access protection.

Javascripts are interpreted BY THE CLIENT, not by the server, so no matter
what, the client NEEDS to see that .js file, and needs to be able to download
it.

    Pier

------ End of Forwarded Message

Dean tooo...

------ Forwarded Message
From: "Deacon Marcus"
Reply-To: "Tomcat Users List"
Date: Sat, 3 Nov 2001 21:07:56 +0100
To: "Tomcat Users List"
Subject: RE: javascript access protection.

Hi,

There's no "real" protection since the files in question would end up in
browser's cache, no matter disk or memory, anyway.
Try setting a filter on the directory containing the .js files and checking
for "referer" http header. It's not a real solution, you could still
telnet :80
and write
GET /dir/file.js2 HTTP/1.1 [enter]
Referer: http://server/file.jsp [enter]
[enter]
and get the file, but it's the best you can do. Filters are 2.3 of course.

Greetings, deacon Marcus

------ End of Forwarded Message

And Ralph today.

------ Forwarded Message
From: "Ralph Einfeldt"
Reply-To: "Tomcat Users List"
Date: Mon, 5 Nov 2001 15:15:55 +0100
To: "Tomcat Users List"
Subject: AW: javascript access protection

You have the following choices:

- Suppress the access to the javascript files if the referrer is empty.
  (Implement a filter in tc 4.0)
  Disadvantage: You won't win much, because anybody who is interested
  in the file can get it with ie ('save page as')

- security by obscurity
  scramble the javascript, so that it's hard to read.
  (At least requires some work for the spy)
  Disadvantage: You won't win much either, but have additional work.

------ End of Forwarded Message