tomcat-users mailing list archives

From "Richard G Curry" <rgcu...@jcpenney.com>
Subject RE: Protecting static resources in IIS
Date Tue, 02 Nov 2010 17:42:56 GMT
What if you put your images into a sub-directory of your app directory -- something like "images"
-- and set the access rights on that directory to be only accessible by the SYSTEM account.

_______________________________________________________________________________________
«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»
_______________________________________________________________________________________
Rick Curry
Common Services -  Software Development
E2 - 066, MS 5210
972-431-9178 (Voice)
972-585-7585 (Pager)
To send a (short) Text Message to my Pager:
9725857585@page.metrocall.com

-----Original Message-----
From: Pid * [mailto:pid@pidster.com] 
Sent: Tuesday, November 02, 2010 11:42 AM
To: Tomcat Users List
Subject: Re: Protecting static resources in IIS

On 2 Nov 2010, at 15:48, Siva prakash I V <sivaprakash.iv@gmail.com> wrote:

> Hi Rob,
>
> My app contains a sequence of images like for eg. A/11.gif, A/12.gif, ....
> A/19.gif, B/21.gif... etc.
> These images are used to identify a valid user of my app.
> As these images are easily guessable, it may be easy for anyone to 
> download all possible images and may lead to phishing attack.
> Having said that I can't place my images in Tomcat and get it served
> by a servlet (a performance penalty)

You've presumably conducted some performance tests which led you to this conclusion?

In this case a Servlet Filter which checks the request against the current user's credentials
and returns a 403 for unauthorised access would be a low cost option.

p

> and neither I can change my image names to ones which are not easily 
> guessable.
> My tomcat app jsps should continue using the existing images.
>
>
>
> On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory <Rob.Gregory@ibsolutions.com>wrote:
>
>> Hi Siva,
>>
>> The only way I know of protecting an 'actual' request for a specific 
>> resource is to remove the resource from the web server. I Can't see 
>> why you would want to stop access to something when it is actually 
>> requested otherwise what would be the point of deploying it (if 
>> nothing can access it). Sorry if I misunderstand the question.
>>
>>
>>> -----Original Message-----
>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
>>> Sent: 02 November 2010 14:44
>>> To: Tomcat Users List
>>> Subject: Re: Protecting static resources in IIS
>>>
>>> Firstly, Thanks for the info.
>>>
>>> I've done what you've said.
>>>
>>> Consider my directory structure as below in IIS.
>>>
>>> <IISROOT>/images/TestDir/A.gif
>>> <IISROOT>/images/TestDir/index.html  (newly introduced one)
>>>
>>> If I hit the following url, it shows the index.html
>>> https://<hostname>/images/TestDir/
>>>
>>> but if I hit the following url, it shows the image A.gif which needs
>>> its access restricted.
>>>
>>> https://<hostname>/images/TestDir/A.gif
>>>
>>> Please let me know if this can be resolved.
>>>
>>>
>>> Thanks,
>>> Siva Prakash
>>>
>>>
>>> On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory
>>> <Rob.Gregory@ibsolutions.com>wrote:
>>>
>>>> While this is not a forum nor is the mailing list about IIS, a quick
>>>> suggestion and one we implement is to place a blank (or custom)
>>>> index.html file into every directory within the site. This will
>>>> then be served up when requests for resources are received.
>>>>
>>>> Hope that helps
>>>> Rob
>>>>
>>>>> -----Original Message-----
>>>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
>>>>> Sent: 02 November 2010 14:08
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Protecting static resources in IIS
>>>>>
>>>>> Hi,
>>>>>
>>>>> Though I know that this forum is not for IIS related questions, it
>>>>> will be great if someone can help me out with the following problem.
>>>>>
>>>>> I need to protect the end user's access (thru a url) to the static
>>>>> resources like images directory in IIS but still allowing my app jsps in
>>>>> Tomcat ROOT.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Siva Prakash
>>>>
>>>>
>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
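Pid's suggestion above of a Servlet Filter that checks the current user and returns 403 for unauthorised requests, written out as an added example; this is not code from the thread or from Tomcat itself. It assumes the image directories (A/11.gif, B/21.gif, ...) are moved under the Tomcat web application as /images/... so the container, not IIS, sees the requests, and that the application's own login code stores a "user" attribute in the session. The attribute name, class name and package are placeholders.

```java
package example.filter; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards every resource under /images/ of this web application.
 * Requests without a logged-in session are answered with 403 before the
 * default servlet can read the file, so the sequence of guessable image
 * names cannot be enumerated by an anonymous client. The JSPs keep using
 * the existing relative image paths; only the directory serving them moves.
 */
@WebFilter(urlPatterns = "/images/*")
public class ImageAccessFilter implements Filter {

    /** Session attribute the application's login code is assumed to set (hypothetical name). */
    static final String USER_ATTR = "user";

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure; mapping comes from the annotation (or web.xml).
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticated(request)) {
            // Same answer whether or not the file exists: no hint about which names are valid.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Keep proxies and the browser cache from handing the image to a later,
        // unauthenticated visitor on the same path.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, res);
    }

    /**
     * True only if an already existing session holds a user. getSession(false)
     * deliberately never creates a session, so anonymous probing of image URLs
     * does not allocate server-side state.
     */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    @Override
    public void destroy() {
        // No resources held.
    }
}
```

The @WebFilter annotation needs a Servlet 3.0 container (Tomcat 7); on Tomcat 6 declare the same class in web.xml with a filter-mapping whose url-pattern is /images/*. The check is a session lookup per request, which is the "low cost" Pid refers to; Rick's alternative of restricting the IIS directory's NTFS rights to the SYSTEM account stops IIS serving the files at all, and a filter like this is then the only path to them.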
