tomcat-users mailing list archives

From Maurice Yarrow <yar...@best.com>
Subject Re: Tomcat Security
Date Sat, 28 Oct 2006 00:00:32 GMT
Chris, Chuck

The short answer is: if URLs are filtered first, then the actual location
DefaultServlet will need to use is not visible in any of the html.
Only for the authenticated serves will getPathInfo() be appropriately
adjusted and then passed to DefaultServlet.

> Silly question for Maurice: why are you trying to protect your images?
> Do you want to stop people from ripping them off from your site?

It's not my call, but the customer's.

Maurice


Christopher Schultz wrote:

>Chuck,
>
>Caldarale, Charles R wrote:
>
>>>From: Maurice Yarrow [mailto:yarrow@best.com]
>>>Subject: Re: Tomcat Security
>>>
>>>What I currently do is serve the static content from elsewhere,
>>>outside the tomcat/webapps tree.
>>
>>You still end up having to map the request to some resource location
>>on the server, and I don't see any way to prevent the end user from
>>manually entering the equivalent URL.  You could obfuscate, but not
>>prevent.
>
>There's another way to raise the barrier, but it's still not completely
>impenetrable: use the referer header.
>
>With the notable exception of Lynx, pretty much all web browsers include
>the "Referer" (sic) header when making requests where sending such a
>header makes sense. When an image is being loaded into a page, the
>referer /should/ be set by the browser.
>
>You can check to make sure that the referer header matches one of your
>own URLs and complain if it doesn't match.
>
>There are still ways around this (including crafting GET requests
>without using a browser at all), but it can help a little bit.
>
>Silly question for Maurice: why are you trying to protect your images?
>Do you want to stop people from ripping them off from your site?
>
>-chris
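The Referer check Chris describes, written out as a servlet Filter. This is an added example for this archive page, not code from any poster and not part of Tomcat itself; the class name `RefererCheckFilter` and the init-params `allowedHosts` and `allowMissingReferer` are assumptions made for the example. It compares the parsed host of the Referer against an explicit allow-list rather than doing a substring match, so a foreign host that merely contains your domain name is not accepted, and it makes the Lynx/no-Referer case an explicit configuration decision rather than an accident.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (hypothetical, not from the thread or from Tomcat):
 * refuses requests for static content whose Referer header names a host
 * that is not one of ours.  The header is client-supplied, so this is a
 * speed bump against casual hot-linking, not an access control.
 *
 * Assumed init-params:
 *   allowedHosts        comma-separated list, e.g. "www.example.com,example.com"
 *   allowMissingReferer "true" to let requests without a Referer through
 *                       (Lynx and privacy-minded browsers omit it)
 */
public class RefererCheckFilter implements Filter {

    private final Set<String> allowedHosts = new HashSet<String>();
    private boolean allowMissingReferer;

    public void init(FilterConfig config) throws ServletException {
        String hosts = config.getInitParameter("allowedHosts");
        if (hosts != null) {
            for (String h : hosts.split(",")) {
                String host = h.trim().toLowerCase();
                if (host.length() > 0) {
                    allowedHosts.add(host);
                }
            }
        }
        allowMissingReferer =
            "true".equalsIgnoreCase(config.getInitParameter("allowMissingReferer"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAcceptable(request.getHeader("Referer"))) {
            // "Complain" as Chris puts it: refuse the request.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Decide whether a Referer value should let the request through.
     * Exact host comparison: "www.example.com.attacker.example" must not
     * pass just because it contains "www.example.com".
     */
    boolean isAcceptable(String referer) {
        if (referer == null || referer.length() == 0) {
            return allowMissingReferer;
        }
        try {
            String host = new URI(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;  // unparseable header: treat as foreign
        }
    }

    public void destroy() {
    }
}
```

To apply it only to the images, declare the filter in the webapp's web.xml with the two init-params above and map it with a url-pattern such as `/images/*` (that mapping is part of the assumed setup). Keep Chuck's and Chris's caveats in mind when deciding what to set `allowMissingReferer` to: sending `true` keeps Lynx users working but also lets any client that simply omits the header through, while `false` blocks them both.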



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

