tomcat-users mailing list archives
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat Security
Date Fri, 27 Oct 2006 21:43:21 GMT
Chuck,

Caldarale, Charles R wrote:
>> From: Maurice Yarrow [mailto:yarrow@best.com] 
>> Subject: Re: Tomcat Security
>>
>> What I currently do is serve the static content from elsewhere,
>> outside the tomcat/webapps tree.
> 
> You still end up having to map the request to some resource location
> on the server, and I don't see any way to prevent the end user from
> manually entering the equivalent URL.  You could obfuscate, but not
> prevent.

There's another way to raise the barrier, but it's still not completely
impenetrable: use the referer header.

With the notable exception of Lynx, pretty much all web browsers include
the "Referer" (sic) header when making requests where sending such a
header makes sense. When an image is being loaded into a page, the
referer /should/ be set by the browser.

You can check to make sure that the referer header matches one of your
own URLs and complain if it doesn't match.

There are still ways around this (including crafting GET requests
without using a browser at all), but it can help a little bit.

Silly question for Maurice: why are you trying to protect your images?
Do you want to stop people from ripping them off from your site?

-chris
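The Referer check Chris describes, written out as a servlet Filter for Tomcat. This is an added example and not code from the thread or from the Tomcat project; the class name `RefererCheckFilter`, the init-params `allowedHosts` and `allowMissingReferer`, and the `/images/*` mapping mentioned below are all assumptions. It makes the two decisions the message leaves open explicit: a missing header (Lynx, privacy tools, bookmarked direct links) is allowed or denied by configuration rather than by accident, and a malformed header is treated as a non-match.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not part of Tomcat): rejects requests whose
 * Referer header does not name one of this site's own hosts. As the thread
 * says, this only raises the barrier; the header is client-supplied and a
 * non-browser client can send any value or none at all.
 */
public class RefererCheckFilter implements Filter {

    private final Set<String> allowedHosts = new HashSet<>();
    private boolean allowMissingReferer;

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param "allowedHosts": comma-separated list of our own host names.
        String hosts = config.getInitParameter("allowedHosts");
        if (hosts != null) {
            for (String h : hosts.split(",")) {
                String trimmed = h.trim();
                if (!trimmed.isEmpty()) {
                    allowedHosts.add(trimmed.toLowerCase(Locale.ROOT));
                }
            }
        }
        // Assumed init-param "allowMissingReferer": Lynx and privacy tools send no
        // Referer at all, so whether to serve those requests is an explicit policy choice.
        allowMissingReferer = Boolean.parseBoolean(config.getInitParameter("allowMissingReferer"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The header is spelled "Referer" on the wire, as the message notes.
        if (!isRefererAcceptable(request.getHeader("Referer"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Decision logic kept separate so it can be unit-tested without a container. */
    boolean isRefererAcceptable(String referer) {
        if (referer == null || referer.isEmpty()) {
            return allowMissingReferer;
        }
        try {
            // Compare only the host part: the path of the referring page is irrelevant.
            String host = new URI(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            // A header that does not parse as a URI cannot match any of our hosts.
            return false;
        }
    }

    @Override
    public void destroy() {
        allowedHosts.clear();
    }
}
```

Map the filter in web.xml to the image paths only (for example `/images/*`) so that ordinary page requests, which legitimately arrive with no Referer when a user types a URL, are unaffected. Denying requests with a missing header will turn away Lynx users and anyone following a bookmarked direct link, which is the trade-off the thread's "complain if it doesn't match" implies; logging those rejections for a while before enforcing them shows how much legitimate traffic the rule would block.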
