tomcat-users mailing list archives

From "Pid *" <...@pidster.com>
Subject Re: Filter by HTTP_REFERER
Date Wed, 02 Nov 2011 08:24:55 GMT
On 31 Oct 2011, at 18:25, Christopher Schultz
<chris@christopherschultz.net> wrote:

> Ricardo,
>
> On 10/31/2011 12:33 PM, Ricardo Bayley wrote:
>> You are right. What I intend to do is prevent hot linking.
>
> We get what you are trying to do: you'll just have to write your own
> code to do it. Tomcat ships with a Filter called RequestFilter that
> you can subclass if you need that kind of flexibility. If you don't
> need such flexibility, just write it yourself: it's pretty much a
> one-liner.

It'll still be fragile and open to exploitation. An AJAX call can set
any request headers it likes. You'd be better off using authentication
if you want anything more than a casual defence.


p


>
>> My webapp is working as a REST webservice.
>>
>> So I would like to have tomcat reply only when requests come from
>> specific sites.
>
> You mean when the requests are referred from specific sites, right?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
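
A Referer allowlist filter of the kind discussed in this thread, as an added example that is not code from the thread or from Tomcat. The class name `RefererAllowlistFilter` and the `allowedHosts` init-param are assumptions; it uses only the standard `javax.servlet` Filter API.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the class name and the "allowedHosts" init-param are assumptions.
// The client supplies the Referer header, so this deters casual hot linking only;
// it is not access control.
public class RefererAllowlistFilter implements Filter {
    private final Set<String> allowedHosts = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // Constructed sample value: "www.example.com,example.com"
        String param = cfg.getInitParameter("allowedHosts");
        if (param == null) throw new ServletException("allowedHosts init-param is required");
        for (String h : param.split(",")) {
            if (!h.trim().isEmpty()) allowedHosts.add(h.trim().toLowerCase(Locale.ROOT));
        }
    }

    // Match the parsed host exactly. A substring or prefix test would accept
    // "http://www.example.com.other.test/" or "http://other.test/?www.example.com".
    static boolean isAllowed(String referer, Set<String> hosts) {
        if (referer == null) return false;   // header absent: deny
        try {
            String host = new URI(referer).getHost();
            return host != null && hosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;                    // malformed header value: deny
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isAllowed(request.getHeader("Referer"), allowedHosts)) {
            chain.doFilter(req, res);        // referred from an allowed site
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() { }
}
```

Denying requests with no Referer also blocks legitimate clients whose browser or proxy strips the header.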
