tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Gregory" <Rob.Greg...@ibsolutions.com>
Subject RE: Protecting static resources in IIS
Date Tue, 02 Nov 2010 17:45:13 GMT
Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted
user?


> -----Original Message-----
> From: Richard G Curry [mailto:rgcurry@jcpenney.com]
> Sent: 02 November 2010 17:43
> To: Tomcat Users List
> Subject: RE: Protecting static resources in IIS
> 
> What if you put your images into a sub-directory of your app directory --
> something like "images" -- and set the access rights on that directory to be
> only accessible by the SYSTEM account.
> 
> ______________________________________________________________________________
> _________
> «¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»
> ______________________________________________________________________________
> _________
> Rick Curry
> Common Services -  Software Development
> E2 - 066, MS 5210
> 972-431-9178 (Voice)
> 972-585-7585 (Pager)
> To send a (short) Text Message to my Pager:
> 9725857585@page.metrocall.com
> 
> -----Original Message-----
> From: Pid * [mailto:pid@pidster.com]
> Sent: Tuesday, November 02, 2010 11:42 AM
> To: Tomcat Users List
> Subject: Re: Protecting static resources in IIS
> 
> On 2 Nov 2010, at 15:48, Siva prakash I V <sivaprakash.iv@gmail.com> wrote:
> 
> > Hi Rob,
> >
> > My app contains a sequence of images like for eg. A/11.gif, A/12.gif, ....
> > A/19.gif, B/21.gif... etc.
> > These images are used to identify a valid user of my app.
> > As these images are easily guessable, it may be easy for anyone to
> > download all possible images and may lead to phishing attack.
> > Having said that I can't place my images in Tomcat and get it served
> > by a servlet( a performance penalty )
> 
> You've presumably conducted some performance tests which led you to this
> conclusion?
> 
> In this case a Servlet Filter which checks the request against the current
> user's credentials and returns a 403 for unauthorised access would be a low
> cost option.
> 
> p
> 
> > and neither I can change my image names to ones which are not easily
> > guessable.
> > My tomcat app jsps should continue using the existing images.
> >
> >
> >
> > On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory
> <Rob.Gregory@ibsolutions.com>wrote:
> >
> >> Hi Siva,
> >>
> >> The only way I know of protecting an 'actual' request for a specific
> >> resource is to remove the resource from the web server. I Can't see
> >> why you would want to stop access to something when it is actually
> >> requested otherwise what would be the point of deploying it (if
> >> nothing can access it). Sorry if I misunderstand the question.
> >>
> >>
> >>> -----Original Message-----
> >>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
> >>> Sent: 02 November 2010 14:44
> >>> To: Tomcat Users List
> >>> Subject: Re: Protecting static resources in IIS
> >>>
> >>> Firstly, Thanks for the info.
> >>>
> >>> I've done what you've said.
> >>>
> >>> Consider my directory structure as below in IIS.
> >>>
> >>> <IISROOT>/images/TestDir/A.gif
> >>> <IISROOT>/images/TestDir/index.html  (newly introduced one)
> >>>
> >>> If  I hit the following url, it shows the index.html
> >>> https://<hostname>/images/TestDir/
> >> <https://%3chostname%3e/images/TestDir/>
> >>>
> >>> but if I hit the following url, it shows the image A.gif which needs
> >> to be
> >>> restricted its access.
> >>>
> >>>
> >> https://<hostname>/images/TestDir/A.gif<https://%3chostname%3e/images
> >> /Te
> >> stDir/
> >>> A.gif>
> >>>
> >>> Please let me know if this can be resolved.
> >>>
> >>>
> >>> Thanks,
> >>> Siva Prakash
> >>>
> >>>
> >>> On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory
> >>> <Rob.Gregory@ibsolutions.com>wrote:
> >>>
> >>>> While this is not a forum nor is the mailing list about IIS a quick
> >>>> suggestion and one we implement is to place a blank (or custom)
> >>>> index.html file into every directory within the site. This will
> >>>> then
> >> be
> >>>> served up when requests for resources are received.
> >>>>
> >>>> Hope that helps
> >>>> Rob
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
> >>>>> Sent: 02 November 2010 14:08
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Protecting static resources in IIS
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Though I know that this forum is not for IIS related questions,
It
> >>>> will be
> >>>>> great if someone can help me out with the following problem.
> >>>>>
> >>>>> I need to protect the end user's access (thru a url) to the static
> >>>> resources
> >>>>> like images directory in IIS but still allowing my app jsps in
> >> Tomcat
> >>>> ROOT.
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>> Siva Prakash
> >>>>
> >>>>
> >> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material.  If the reader of this message is not the intended recipient,
> you are hereby notified that your access is unauthorized, and any review,
> dissemination, distribution or copying of this message including any
> attachments is strictly prohibited.  If you are not the intended
> recipient, please contact the sender and delete the material from any
> computer.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message