Mailing list: users@tomcat.apache.org (Tomcat Users List)
Subject: RE: Protecting static resources in IIS
Date: Tue, 2 Nov 2010 14:12:20 -0400
From: "Richard G Curry"
To: "Tomcat Users List"

Yes.

_______________________________________________________________________________________
«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»
_______________________________________________________________________________________
Rick Curry
Common Services - Software Development
E2 - 066, MS 5210
972-431-9178 (Voice)
972-585-7585 (Pager)
To send a (short) Text Message to my Pager: 9725857585@page.metrocall.com

-----Original Message-----
From: Rob Gregory [mailto:Rob.Gregory@ibsolutions.com]
Sent: Tuesday, November 02, 2010 12:45 PM
To: Tomcat Users List
Subject: RE: Protecting static resources in IIS

Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?

> -----Original Message-----
> From: Richard G Curry [mailto:rgcurry@jcpenney.com]
> Sent: 02 November 2010 17:43
> To: Tomcat Users List
> Subject: RE: Protecting static resources in IIS
>
> What if you put your images into a sub-directory of your app directory
> -- something like "images" -- and set the access rights on that
> directory to be only accessible by the SYSTEM account.
>
> _______________________________________________________________________________________
> «¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»
> _______________________________________________________________________________________
> Rick Curry
> Common Services - Software Development
> E2 - 066, MS 5210
> 972-431-9178 (Voice)
> 972-585-7585 (Pager)
> To send a (short) Text Message to my Pager:
> 9725857585@page.metrocall.com
>
> -----Original Message-----
> From: Pid * [mailto:pid@pidster.com]
> Sent: Tuesday, November 02, 2010 11:42 AM
> To: Tomcat Users List
> Subject: Re: Protecting static resources in IIS
>
> On 2 Nov 2010, at 15:48, Siva prakash I V wrote:
>
> > Hi Rob,
> >
> > My app contains a sequence of images like for eg. A/11.gif, A/12.gif, ....
> > A/19.gif, B/21.gif... etc.
> > These images are used to identify a valid user of my app.
> > As these images are easily guessable, it may be easy for anyone to
> > download all possible images and may lead to phishing attack.
> > Having said that I can't place my images in Tomcat and get it served
> > by a servlet (a performance penalty)
>
> You've presumably conducted some performance tests which led you to
> this conclusion?
>
> In this case a Servlet Filter which checks the request against the
> current user's credentials and returns a 403 for unauthorised access
> would be a low cost option.
>
> p
>
> > and neither I can change my image names to ones which are not easily
> > guessable.
> > My tomcat app jsps should continue using the existing images.
> >
> > On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory wrote:
> >
> >> Hi Siva,
> >>
> >> The only way I know of protecting an 'actual' request for a
> >> specific resource is to remove the resource from the web server. I
> >> can't see why you would want to stop access to something when it is
> >> actually requested, otherwise what would be the point of deploying
> >> it (if nothing can access it). Sorry if I misunderstand the question.
> >>
> >>> -----Original Message-----
> >>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
> >>> Sent: 02 November 2010 14:44
> >>> To: Tomcat Users List
> >>> Subject: Re: Protecting static resources in IIS
> >>>
> >>> Firstly, thanks for the info.
> >>>
> >>> I've done what you've said.
> >>>
> >>> Consider my directory structure as below in IIS.
> >>>
> >>> /images/TestDir/A.gif
> >>> /images/TestDir/index.html (newly introduced one)
> >>>
> >>> If I hit the following url, it shows the index.html
> >>> https:///images/TestDir/
> >>>
> >>> but if I hit the following url, it shows the image A.gif which
> >>> needs to be restricted its access.
> >>>
> >>> https:///images/TestDir/A.gif
> >>>
> >>> Please let me know if this can be resolved.
> >>>
> >>> Thanks,
> >>> Siva Prakash
> >>>
> >>> On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory wrote:
> >>>
> >>>> While this is not a forum nor is the mailing list about IIS, a
> >>>> quick suggestion and one we implement is to place a blank (or
> >>>> custom) index.html file into every directory within the site.
> >>>> This will then be served up when requests for resources are received.
> >>>>
> >>>> Hope that helps
> >>>> Rob
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Siva prakash I V [mailto:sivaprakash.iv@gmail.com]
> >>>>> Sent: 02 November 2010 14:08
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Protecting static resources in IIS
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Though I know that this forum is not for IIS related questions, it
> >>>>> will be great if someone can help me out with the following problem.
> >>>>>
> >>>>> I need to protect the end user's access (thru a url) to the static
> >>>>> resources like images directory in IIS but still allowing my app jsps in
> >>>>> Tomcat ROOT.
> >>>>>
> >>>>> Thanks,
> >>>>> Siva Prakash
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
>
> The information transmitted is intended only for the person or entity
> to which it is addressed and may contain confidential and/or
> privileged material. If the reader of this message is not the
> intended recipient, you are hereby notified that your access is
> unauthorized, and any review, dissemination, distribution or copying
> of this message including any attachments is strictly prohibited. If
> you are not the intended recipient, please contact the sender and
> delete the material from any computer.
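Pid's suggestion in the thread is a servlet Filter that checks the request against the current user's credentials and answers 403 otherwise. The following is an added example of such a filter; it is not code from the thread or from Tomcat. It assumes the image tree has been moved under the Tomcat webapp (so the request actually reaches Tomcat rather than being answered by IIS), that the filter is mapped to /images/* in web.xml as shown in the leading comment, and that the application's own login code stores the logged-in user in a session attribute named "authenticatedUser" (a hypothetical name); container-managed security, exposed through getUserPrincipal(), is checked first.

```java
// Added example of the filter Pid describes; not code from the thread or from Tomcat.
// Assumed web.xml mapping (names are illustrative):
//
//   <filter>
//     <filter-name>ImageAuthFilter</filter-name>
//     <filter-class>example.ImageAuthFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>ImageAuthFilter</filter-name>
//     <url-pattern>/images/*</url-pattern>
//   </filter-mapping>
//
// "authenticatedUser" is a hypothetical session attribute the application's own
// login code would set after a successful login.
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ImageAuthFilter implements Filter {

    // Hypothetical attribute name; must match whatever the login code sets.
    private static final String SESSION_USER_ATTR = "authenticatedUser";

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticated(request)) {
            // No logged-in user: refuse before the default servlet ever looks at the
            // file, so the answer is the same whether or not the image exists.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The image is tied to this user's session; keep shared caches and
        // intermediaries from handing it to a later, different visitor.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, res);
    }

    // True when either the container (getUserPrincipal) or the application's
    // own session attribute identifies a logged-in user. Does not create a
    // session for anonymous callers (getSession(false)).
    static boolean isAuthenticated(HttpServletRequest request) {
        if (request.getUserPrincipal() != null) {
            return true;
        }
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(SESSION_USER_ATTR) != null;
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Two caveats follow from the thread itself. The filter only sees requests that Tomcat handles, so with IIS in front the /images/* path must be forwarded to Tomcat (with the JK ISAPI redirector that means an entry in uriworkermap.properties), otherwise IIS serves the file directly and the check never runs. And because the images are per-user, the check above only establishes that some user is logged in; if the application knows which image set belongs to which user, the same filter is the natural place to compare the requested path against that mapping as well.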