tomcat-users mailing list archives

From "Jon Yeargers" <j...@lupinesystems.net>
Subject Re: Image Viewing
Date Fri, 12 Dec 2003 23:04:12 GMT
Another method I've seen is to use an applet to display the images. One
advantage to this is you can display any sort of graphic that you have the
code to work with. You also get around the issue of having a displayed
graphic end up in the cache for the user.

Disadvantage.. well... it's an applet.. :^(

> How does an image get displayed in a page?
>
> 1. The browser receives an HTML page with an IMG tag in it. The IMG tag
> contains a src attr (an HTTP URL).
> 2. The browser makes another request, for the URL of the image.
> 3. The server returns the image, which is displayed.
>
> Clearly, if you want an image to be displayed within a web page, the
> image must be available on your server. There is no difference between
> the browser making a request for an URL and the user typing that URL
> into the address bar directly. Maybe you can look at the referer field,
> but of course that can be hoaxed so if you are really trying to keep
> this secure that is not a solution.
>
> If you really want to only provide content to specific users, you must
> provide some sort of access control mechanism. The same mechanism should
> apply to images you wish to protect.
>
> This is all related to the fundamental workings of HTTP.
>
> HTTP is an integral part of how the web works - anyone thinking of
> designing a website (especially using scripting languages, servlets, or
> anyone trying to provide any type of security) should understand at
> least the fundamentals of HTTP.
>
> -Erik
>
> Christopher Schultz wrote:
>
>> All,
>>
>>> It would be <img src="http://yourserver/yourservlet?param=paramValue"
>>> alt="something">
>>
>>
>> This still doesn't answer the "original" interpreted question. I don't
>> think it's possible to display an image on a page and prevent users
>> from browsing to it directly from their browser.
>>
>> The only thing I can think of is to check the REFERER header to see if
>> it came from the page on which you want to display it. That's also not
>> foolproof...
>>
>> -chris
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>
>
> --
> http://www.spectacle.ca/
> The Online Source for Live Music in Montreal
> .::514.286.1699::.
>
>
>
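
Added example, not part of the original thread and not Tomcat's own code: a servlet filter that applies the application's access control to image URLs, as the quoted reply recommends, instead of trusting the Referer header. The class name, the session attribute name and the URL pattern are assumptions, and the Cache-Control header is one way to address the browser-cache concern raised above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map it in web.xml to the same URL pattern as the protected
// images (for example /protected-images/*, a hypothetical path).
// On Tomcat 10 and later the package prefix is jakarta.servlet.
public class ImageAccessFilter implements Filter {

    // Hypothetical session attribute set by the application's login code.
    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decide from server-side session state only. The Referer header is
        // supplied by the client, so it is deliberately not consulted.
        HttpSession session = request.getSession(false); // never create one here
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Ask browsers and shared proxies not to keep a copy of the image.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

With the filter mapped, a request for the image URL typed into the address bar and a request triggered by an IMG tag are treated identically: both succeed only when the session is authenticated.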

