tomcat-users mailing list archives

From "Cox, Charlie" <c...@cincom.com>
Subject RE: Urgent : Can we restrict access to a directory in tomcat
Date Tue, 10 Jun 2003 20:32:13 GMT
You could put a value in the user's session from your page and then use your
filter to check for it when an image is requested. If it's not there, they
were not at your site/page. Sessions can be set to time out, so they would
have had to visit recently to get the image.

Charlie

> -----Original Message-----
> From: Justin Ruthenbeck [mailto:justinr@nextengine.com]
> Sent: Tuesday, June 10, 2003 1:41 PM
> To: Tomcat Users List
> Subject: Re: Urgent : Can we restrict access to a directory in tomcat
> 
> 
> At 04:27 AM 6/10/2003, you wrote:
> >Apologies if I'm missing the point, but why can't you store/retrieve your
> >image from a blob field in your database ?
> 
> You could, but the question is really, "How do I stop people from directly
> linking to my images (ie: only allow them to see the images if a
> jsp/servlet produces the page)?"  Among other possibilities, this could be
> because you have images or other resources (celebrity photos come to mind)
> that other sites want to serve off of yours.  If you've got a jsp/servlet
> app that is non-session based, how would you go about preventing this?
> 
> A couple of solutions have been offered -- all based on an authentication
> filter/servlet to decide whether the resource should be served.  The
> question is: how should that filter/servlet make that decision?
> 
> justin
> 
> 
> >----- Original Message -----
> >From: "Dean Fantham" <dean@fantham.com>
> >To: "Syed Nayyer Kamran" <nayyerkamran@hotmail.com>
> >Cc: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >Sent: Tuesday, June 10, 2003 3:29 AM
> >Subject: Re: Urgent : Can we restrict access to a directory in tomcat
> >
> >
> > > There is no guaranteed way to stop someone directly accessing a gif image
> > > via a browser url, because this is how an image is accessed by the
> > > browser itself anyway.  The browser just makes an HTTP GET request to
> > > the web-server (in this case tomcat) requesting the URL of the image to
> > > be included in the web page.
> > >
> > > i.e. in a standard jsp/servlet response to a web request the image
> > > request is embedded in an <img src=".../somedir/some-img.gif">.  This is
> > > going to cause a browser request directly to the directory containing
> > > the image, which can also be duplicated in the browser.
> > >
> > > The only potential method that can catch most (but not all) of these
> > > would be to create a separate image handling jsp/servlet, say
> > > imageHandler.  When the imageHandler servlet receives an image request it
> > > can check the http-referrer header and ensure that the referrer is the
> > > url of the page into which the images are supposed to load, i.e. if the
> > > page containing the images is /servlet/somepage then the http-referrer
> > > that imageHandler sees should be checked to be /servlet/somepage.
> > > Someone can circumvent this control over the Internet by just manually
> > > setting this header themselves (via a program or the like) and then
> > > having access directly to the images.
> > >
> > > You would then have to update all image references on the somepage
> > > servlet/jsp however to something like <img
> > > src="/servlet/imagehandler?gif=somereference">.
> > >
> > >
> > >
> > > On Mon, 2003-06-09 at 18:32, Syed Nayyer Kamran wrote:
> > >
> > > > hi there,
> > > >
> > > > I want to restrict the user from accessing the images directly through the
> > > > web. They should be able to access these images through web pages developed
> > > > as jsp/servlet but should not be able to access these images displayed on a
> > > > page by copying the image url to the address bar. Does tomcat directly support
> > > > this functionality, or is there any other solution?
> > > >
> > > > Thanks in advance for any solution of the problem.
> > > >
> > > >
> > > > Nayyer Kamran
> > > >
> 
> 
> ____________________________________
> Justin Ruthenbeck
> Software Engineer, NextEngine Inc.
> justinr - AT - nextengine DOT com
> Confidential
>     See http://www.nextengine.com/confidentiality.php
> ____________________________________
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

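Charlie's session-marker approach, written out as an added example that is not from anyone in this thread: a Servlet 2.3 filter mapped over the image directory, plus the one-liner a page calls before emitting its <img> tags. The attribute name, filter name and the /images/* mapping are assumptions.

```java
// Added example, not from the thread. Assumes Servlet 2.3 (Tomcat 4/5 era).
// web.xml wiring (filter name and url-pattern are assumptions):
//   <filter><filter-name>imageAccess</filter-name>
//           <filter-class>ImageAccessFilter</filter-class></filter>
//   <filter-mapping><filter-name>imageAccess</filter-name>
//           <url-pattern>/images/*</url-pattern></filter-mapping>
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class ImageAccessFilter implements Filter {
    // Session attribute a page sets before it emits <img> tags (assumed name).
    public static final String MARKER = "imageAccessGranted";

    // Called from the JSP/servlet that renders the page, e.g. in a scriptlet:
    //   ImageAccessFilter.grant(request);
    // getSession(true) creates the session so the browser gets a cookie
    // (or URL-rewritten jsessionid) before it fetches the images.
    public static void grant(HttpServletRequest request) {
        request.getSession(true).setAttribute(MARKER, Boolean.TRUE);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session merely because an image
        // was requested; a hotlinking visitor from another site has none.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(MARKER) == null) {
            // Don't reveal whether the file exists; 403 is enough.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Ask shared caches not to store the image so the marker check
        // isn't bypassed by a proxy serving the cached copy to others.
        response.setHeader("Cache-Control", "private");
        chain.doFilter(req, res);
    }
}
```

This only blocks requests that arrive without a marked session; a visitor who has loaded the page can still paste the image URL into the address bar until the session times out, which is the limit Charlie describes, and the Referer check from Dean's message can be layered on top but is trivially spoofed, as he notes.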