tomcat-users mailing list archives

From "Pid *" <...@pidster.com>
Subject Re: Protecting static resources in IIS
Date Tue, 02 Nov 2010 16:42:05 GMT
On 2 Nov 2010, at 15:48, Siva prakash I V <sivaprakash.iv@gmail.com> wrote:

> Hi Rob,
>
> My app contains a sequence of images, for example A/11.gif, A/12.gif, ....
> A/19.gif, B/21.gif... etc.
> These images are used to identify a valid user of my app.
> As these images are easily guessable, it may be easy for anyone to download
> all possible images, and this may lead to a phishing attack.
> Having said that, I can't place my images in Tomcat and get them served by a
> servlet (a performance penalty)

You've presumably conducted some performance tests which led you to
this conclusion?

In this case a Servlet Filter which checks the request against the
current user's credentials and returns a 403 for unauthorised access
would be a low cost option.

p

> and neither can I change my image names to
> ones which are not easily guessable.
> My tomcat app jsps should continue using the existing images.
>
> On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory <Rob.Gregory@ibsolutions.com> wrote:
>
>> Hi Siva,
>>
>> The only way I know of protecting an 'actual' request for a specific
>> resource is to remove the resource from the web server. I can't see why
>> you would want to stop access to something when it is actually requested;
>> otherwise, what would be the point of deploying it (if nothing can access
>> it)? Sorry if I misunderstand the question.
>>
>>
>>> -----Original Message-----
>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
>>> Sent: 02 November 2010 14:44
>>> To: Tomcat Users List
>>> Subject: Re: Protecting static resources in IIS
>>>
>>> Firstly, thanks for the info.
>>>
>>> I've done what you've said.
>>>
>>> Consider my directory structure as below in IIS.
>>>
>>> <IISROOT>/images/TestDir/A.gif
>>> <IISROOT>/images/TestDir/index.html  (newly introduced one)
>>>
>>> If I hit the following url, it shows the index.html
>>> https://<hostname>/images/TestDir/
>>>
>>> but if I hit the following url, it shows the image A.gif, access to which
>>> needs to be restricted.
>>>
>>> https://<hostname>/images/TestDir/A.gif
>>>
>>> Please let me know if this can be resolved.
>>>
>>>
>>> Thanks,
>>> Siva Prakash
>>>
>>>
>>> On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory <Rob.Gregory@ibsolutions.com> wrote:
>>>
>>>> While this is not a forum, nor is the mailing list about IIS, a quick
>>>> suggestion, and one we implement, is to place a blank (or custom)
>>>> index.html file into every directory within the site. This will then be
>>>> served up when requests for resources are received.
>>>>
>>>> Hope that helps
>>>> Rob
>>>>
>>>>> -----Original Message-----
>>>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
>>>>> Sent: 02 November 2010 14:08
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Protecting static resources in IIS
>>>>>
>>>>> Hi,
>>>>>
>>>>> Though I know that this forum is not for IIS related questions, it
>>>>> will be great if someone can help me out with the following problem.
>>>>>
>>>>> I need to protect the end user's access (through a URL) to the static
>>>>> resources like the images directory in IIS but still allowing my app
>>>>> jsps in Tomcat ROOT.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Siva Prakash
>>>>
>>>>
>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>

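Pid's suggestion of a credential-checking Servlet Filter, written out as an added example (not code from the thread or from Tomcat): mapped to /images/* in web.xml, it lets the container serve an image only when the logged-in user is entitled to that exact file, and it only helps for images that pass through Tomcat rather than ones IIS serves directly. It assumes the application stores the user's permitted relative image paths in a session attribute named allowedImages at login (both the attribute name and the Set<String> shape are assumptions).

```java
// Added example (not from the thread): a Filter mapped to /images/* that serves
// an image only when the session is authenticated and the file is one the user
// may see. Assumes login stored a Set<String> of relative paths such as
// "A/11.gif" under the (assumed) session attribute "allowedImages".
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ProtectedImageFilter implements Filter {
    private static final String PREFIX = "/images/";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path relative to the context, e.g. "/images/A/11.gif"; the
        // container has already normalised ".." segments before mapping.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        HttpSession session = request.getSession(false); // never create one here
        @SuppressWarnings("unchecked")
        Set<String> allowed = (session == null) ? null
                : (Set<String>) session.getAttribute("allowedImages");

        // Exact-match lookup fails closed: "a/11.GIF" is refused even where a
        // case-insensitive Windows filesystem would have served it for "A/11.gif".
        boolean permitted = allowed != null && path.startsWith(PREFIX)
                && allowed.contains(path.substring(PREFIX.length()));
        if (!permitted) {
            // 403 with no body: do not reveal whether the image exists
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // authorised: let the DefaultServlet serve it
    }

    public void destroy() { }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is /images/*, so the JSPs keep referencing the same image names while unauthenticated or enumerating requests get a 403.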

