From: "Pid *"
To: Tomcat Users List
Subject: Re: Filter by HTTP_REFERER
Date: Wed, 2 Nov 2011 08:24:55 +0000

On 31 Oct 2011, at 18:25, Christopher Schultz wrote:

> Ricardo,
>
> On 10/31/2011 12:33 PM, Ricardo Bayley wrote:
>> You are right. What I intend to do is prevent hot linking.
>
> We get what you are trying to do: you'll just have to write your own
> code to do it. Tomcat ships with a Filter called RequestFilter that
> you can subclass if you need that kind of flexibility. If you don't
> need such flexibility, just write it yourself: it's pretty much a
> one-liner.

It'll still be fragile and open to exploitation. An AJAX call can set
any request headers it likes. You'd be better off using authentication
if you want anything more than a casual defence.

p

>> My webapp is working as a REST webservice.
>>
>> So I would like to have tomcat reply only when requests come from
>> specific sites.
>
> You mean when the requests are referred from specific sites, right?
>
> -chris