tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat Security
Date Sat, 28 Oct 2006 20:46:46 GMT

> The answer is the latter:  authentication required.
> In fact, there are three levels of privacy on these images and documents:
>    public:              (everyone can view)
>    passworded:  (password required for viewing: say, your
>                              family only.  This pw specific to these views)
>    private:             (only you, the owner, have access - so only your
>                              login permits you to see these views)
> Presumably, most views are public, but this has to be the owner's
> decision, no ?

If you want to check to see if a remote request for an image is valid,
you will have to run all your images through a servlet in order to
determine authorization.

Since each image could have different authorization settings, you can't
just use the servlet container's built-in authorization (set up in
web.xml). You will have to enforce this yourself.

Just configure your webapp to serve "/images/*" through a servlet that
you write. This servlet will check the permissions on the URI (I'm
assuming that you have this information in a database or other data
store), and then possibly consult the user and/or their relationships to
determine if the request should be served, or if you should return an
"access denied" image instead.

Would that solve your problem?

If so, I think your original question was poorly worded. I think we all
thought you were asking how to prevent downloading of images in general
(which is pretty much impossible... images served by web servers are
designed to be, well, downloaded).
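A servlet of the kind described in the reply, added here as an example (it is not code from the thread or from Tomcat). It assumes web.xml maps it to /images/*, that the real files sit under /WEB-INF/images so the container never serves them directly, that the container's own login supplies the user name via getRemoteUser(), and that the per-image privacy data (here a constructed in-memory map with a plain-text view password) would really come from the poster's database; the "viewPassword" session attribute is an assumed name for where an earlier form stored the entered password.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ImageGateServlet extends HttpServlet {
    // Constructed sample metadata standing in for the database: path -> {level, owner, view password}
    private static final Map<String, String[]> META = new HashMap<String, String[]>();
    static {
        META.put("/a/cat.jpg",    new String[] {"public",     "alice", null});
        META.put("/a/family.jpg", new String[] {"passworded", "alice", "s3cret"});
        META.put("/a/diary.jpg",  new String[] {"private",    "alice", null});
    }
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getPathInfo();   // the part of the URI after /images
        if (path == null || path.contains("..") || path.contains("\\")) { // no stepping out of the directory
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }
        String[] meta = META.get(path);
        if (meta == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        if (!allowed(meta, req)) {
            // Hand back a placeholder instead of the real bytes, as the reply suggests.
            stream("/WEB-INF/images/denied.png", "image/png", resp);
            return;
        }
        stream("/WEB-INF/images" + path, getServletContext().getMimeType(path), resp);
    }
    // Per-image decision; the caller's identity comes from the container login.
    private boolean allowed(String[] meta, HttpServletRequest req) {
        String level = meta[0], owner = meta[1], viewPw = meta[2];
        if (owner.equals(req.getRemoteUser())) return true;   // owner always sees their own
        if ("public".equals(level)) return true;
        if ("passworded".equals(level)) {
            // Assumed: the view password was entered on an earlier form and kept in the session.
            HttpSession s = req.getSession(false);
            return s != null && viewPw != null && viewPw.equals(s.getAttribute("viewPassword"));
        }
        return false;                                         // private: owner only
    }
    private void stream(String resource, String type, HttpServletResponse resp) throws IOException {
        InputStream in = getServletContext().getResourceAsStream(resource);
        if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        resp.setContentType(type == null ? "application/octet-stream" : type);
        resp.setHeader("Cache-Control", "private, no-store");   // keep shared caches from holding a copy
        byte[] buf = new byte[8192];
        for (int n = in.read(buf); n > 0; n = in.read(buf)) resp.getOutputStream().write(buf, 0, n);
        in.close();
    }
}
```

The matching web.xml entry is a servlet declaration for this class plus a servlet-mapping with url-pattern /images/*, which is what keeps the default servlet from ever answering for that path.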
