RE: Protecting static resources in IIS
Totally agree with Chuck, I would not recommend running a web server as a root/system user.

-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: 02 November 2010 18:48 To: Tomcat Users List Subject: RE: Protecting static resources in IIS

Basic security philosophy, known as the principle of least privilege. Running as root/system is like walking around with a "kick me" sign; just wait till the hackers break into your IIS box running that way...

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Protecting static resources in IIS
While this is not a forum about IIS, nor is the mailing list, a quick suggestion, and one we implement, is to place a blank (or custom) index.html file into every directory within the site. This will then be served up when requests for resources are received.

Hope that helps
Rob

-Original Message- From: Siva prakash I V [mailto:sivaprakash...@gmail.com] Sent: 02 November 2010 14:08 To: users@tomcat.apache.org Subject: Protecting static resources in IIS

Hi,

Though I know that this forum is not for IIS-related questions, it will be great if someone can help me out with the following problem. I need to protect the end user's access (through a URL) to static resources like the images directory in IIS, but still allow my app JSPs in the Tomcat ROOT.

Thanks,
Siva Prakash
Re: Protecting static resources in IIS
Firstly, thanks for the info. I've done what you've said. Consider my directory structure as below in IIS:

IISROOT/images/TestDir/A.gif
IISROOT/images/TestDir/index.html (newly introduced one)

If I hit the following URL, it shows the index.html:
https://<hostname>/images/TestDir/

but if I hit the following URL, it shows the image A.gif, whose access needs to be restricted:
https://<hostname>/images/TestDir/A.gif

Please let me know if this can be resolved.

Thanks,
Siva Prakash

On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory rob.greg...@ibsolutions.com wrote:

While this is not a forum about IIS, nor is the mailing list, a quick suggestion, and one we implement, is to place a blank (or custom) index.html file into every directory within the site. This will then be served up when requests for resources are received.

Hope that helps
Rob
RE: Protecting static resources in IIS
Hi Siva,

The only way I know of protecting an 'actual' request for a specific resource is to remove the resource from the web server. I can't see why you would want to stop access to something when it is actually requested; otherwise what would be the point of deploying it (if nothing can access it)? Sorry if I misunderstand the question.

-Original Message- From: Siva prakash I V [mailto:sivaprakash...@gmail.com] Sent: 02 November 2010 14:44 To: Tomcat Users List Subject: Re: Protecting static resources in IIS

Firstly, thanks for the info. I've done what you've said. Consider my directory structure as below in IIS:

IISROOT/images/TestDir/A.gif
IISROOT/images/TestDir/index.html (newly introduced one)

If I hit the following URL, it shows the index.html:
https://<hostname>/images/TestDir/

but if I hit the following URL, it shows the image A.gif, whose access needs to be restricted:
https://<hostname>/images/TestDir/A.gif

Please let me know if this can be resolved.

Thanks,
Siva Prakash
Re: Protecting static resources in IIS
Hi Rob,

My app contains a sequence of images, e.g. A/11.gif, A/12.gif, A/19.gif, B/21.gif... etc. These images are used to identify a valid user of my app. As these images are easily guessable, it may be easy for anyone to download all possible images, which may lead to a phishing attack. Having said that, I can't place my images in Tomcat and get them served by a servlet (a performance penalty), and neither can I change my image names to ones which are not easily guessable. My Tomcat app JSPs should continue using the existing images.

On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory rob.greg...@ibsolutions.com wrote:

Hi Siva, The only way I know of protecting an 'actual' request for a specific resource is to remove the resource from the web server. I can't see why you would want to stop access to something when it is actually requested; otherwise what would be the point of deploying it (if nothing can access it)? Sorry if I misunderstand the question.
Re: Protecting static resources in IIS
On Tue, 2 Nov 2010 21:18:02 +0530, Siva prakash I V sivaprakash...@gmail.com wrote:

My app contains a sequence of images, e.g. A/11.gif, A/12.gif, A/19.gif, B/21.gif... etc. These images are used to identify a valid user of my app. As these images are easily guessable, it may be easy for anyone to download all possible images, which may lead to a phishing attack. Having said that, I can't place my images in Tomcat and get them served by a servlet (a performance penalty), and neither can I change my image names to ones which are not easily guessable. My Tomcat app JSPs should continue using the existing images.

Smells like security by obscurity...

Hint: how do you want your legitimate clients to access those images if they are well protected?

-- Mikolaj Rydzewski m...@ceti.pl
RE: Protecting static resources in IIS
Are you trying to implement some form of Captcha to stop automated attacks against a logon screen or something similar? If so there is a nice open-source one @ http://jcaptcha.sourceforge.net/ and an alternative from Google http://www.captcha.net/ which supports audio (but requires an internet connection and an account). I implemented both so that when the required credentials are available it uses the Google one and degrades to the JCaptcha one, which works very nicely.

Otherwise it sounds like you need a security filter within Tomcat and let Tomcat serve up these images. Tomcat in my opinion is just as good at serving static content as Apache or IIS is.

Regards
Rob

-Original Message- From: Siva prakash I V [mailto:sivaprakash...@gmail.com] Sent: 02 November 2010 15:48 To: Tomcat Users List Subject: Re: Protecting static resources in IIS

Hi Rob, My app contains a sequence of images, e.g. A/11.gif, A/12.gif, A/19.gif, B/21.gif... etc. These images are used to identify a valid user of my app. As these images are easily guessable, it may be easy for anyone to download all possible images, which may lead to a phishing attack. Having said that, I can't place my images in Tomcat and get them served by a servlet (a performance penalty), and neither can I change my image names to ones which are not easily guessable. My Tomcat app JSPs should continue using the existing images.
Re: Protecting static resources in IIS
On 2 Nov 2010, at 15:48, Siva prakash I V sivaprakash...@gmail.com wrote:

Hi Rob, My app contains a sequence of images, e.g. A/11.gif, A/12.gif, A/19.gif, B/21.gif... etc. These images are used to identify a valid user of my app. As these images are easily guessable, it may be easy for anyone to download all possible images, which may lead to a phishing attack. Having said that, I can't place my images in Tomcat and get them served by a servlet (a performance penalty)

You've presumably conducted some performance tests which led you to this conclusion?

In this case a Servlet Filter which checks the request against the current user's credentials and returns a 403 for unauthorised access would be a low-cost option.

p

and neither can I change my image names to ones which are not easily guessable. My Tomcat app JSPs should continue using the existing images.
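The filter Pid describes above (and the "security filter within Tomcat" Rob suggests in the message before it) as working code. This is an added example; it is not code from the thread and not part of Tomcat. It is a javax.servlet Filter mapped to /images/* that lets Tomcat's default servlet stream an image only when the current session is entitled to exactly that path, and answers 403 Forbidden otherwise. It goes one step past "is the user logged in": because each image identifies one user, the filter binds the session to the single image it may fetch, so an authenticated attacker cannot enumerate everyone else's images either. Assumptions, none of them from the thread: the images live inside the Tomcat web application (if IIS keeps serving /images from its own docroot the filter never sees the request), the login code stores the context-relative path of the permitted image in a session attribute named entitledImage, and the web.xml mapping shown in the comment.

```java
// Added example, not Tomcat's own code and not from the mailing-list thread.
//
// Assumed web.xml mapping:
//   <filter>
//     <filter-name>imageAuth</filter-name>
//     <filter-class>ImageAuthFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>imageAuth</filter-name>
//     <url-pattern>/images/*</url-pattern>
//   </filter-mapping>
//
// Assumed contract with the login code: once the user is identified it stores
// the context-relative path of the one image that user may see, for example
// "/images/A/11.gif", under the session attribute named by ENTITLED_IMAGE.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ImageAuthFilter implements Filter {

    /** Session attribute name; an assumption of this example, not a Tomcat name. */
    static final String ENTITLED_IMAGE = "entitledImage";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (!isEntitled(request)) {
            // One answer for "no session", "session without entitlement" and
            // "entitled to a different image", so an enumerating client learns
            // nothing about which names exist.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The image identifies a single user; keep shared caches and proxies
        // from handing it to anyone else.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, resp);   // let the default servlet stream the file
    }

    /** True only when a session exists and names exactly the requested path. */
    static boolean isEntitled(HttpServletRequest request) {
        // getSession(false): never create a session for an anonymous probe
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object entitled = session.getAttribute(ENTITLED_IMAGE);
        if (!(entitled instanceof String)) {
            return false;
        }
        // servletPath + pathInfo is the decoded, normalised, context-relative
        // path as the container mapped it, so encoded "../" tricks and other
        // users' images simply fail the equality test (fail closed).
        String pathInfo = request.getPathInfo();
        String requested = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        return entitled.equals(requested);
    }
}
```

Nothing changes on the JSP side: the pages keep emitting the existing /images/A/11.gif URLs. The login code has to set the entitledImage attribute before the page that embeds the image is rendered, and session.invalidate() on logout removes the entitlement. The control is the session binding, not the file name, so the guessable names Siva cannot rename stop mattering, and the blank index.html files stop being relevant too, since they only hide directory listings and never blocked a direct GET.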
RE: Protecting static resources in IIS
What if you put your images into a sub-directory of your app directory -- something like images -- and set the access rights on that directory to be only accessible by the SYSTEM account.

___ «¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤» ___
Rick Curry
Common Services - Software Development
E2 - 066, MS 5210
972-431-9178 (Voice)
972-585-7585 (Pager)
To send a (short) Text Message to my Pager: 9725857...@page.metrocall.com

-Original Message- From: Pid * [mailto:p...@pidster.com] Sent: Tuesday, November 02, 2010 11:42 AM To: Tomcat Users List Subject: Re: Protecting static resources in IIS

You've presumably conducted some performance tests which led you to this conclusion?

In this case a Servlet Filter which checks the request against the current user's credentials and returns a 403 for unauthorised access would be a low-cost option.

p

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended recipient, you are hereby notified that your access is unauthorized, and any review, dissemination, distribution or copying of this message including any attachments is strictly prohibited. If you are not the intended recipient, please contact the sender and delete the material from any computer.
RE: Protecting static resources in IIS
Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?

-Original Message- From: Richard G Curry [mailto:rgcu...@jcpenney.com] Sent: 02 November 2010 17:43 To: Tomcat Users List Subject: RE: Protecting static resources in IIS

What if you put your images into a sub-directory of your app directory -- something like images -- and set the access rights on that directory to be only accessible by the SYSTEM account.

Rick Curry
RE: Protecting static resources in IIS
Yes.

Rick Curry

-Original Message- From: Rob Gregory [mailto:rob.greg...@ibsolutions.com] Sent: Tuesday, November 02, 2010 12:45 PM To: Tomcat Users List Subject: RE: Protecting static resources in IIS

Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?
RE: Protecting static resources in IIS
From: Richard G Curry [mailto:rgcu...@jcpenney.com] Subject: RE: Protecting static resources in IIS

From: Rob Gregory [mailto:rob.greg...@ibsolutions.com] Subject: RE: Protecting static resources in IIS

Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?

Yes.

That sounds like a really bad idea.

- Chuck
RE: Protecting static resources in IIS
How so? What am I missing?

Rick Curry

-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, November 02, 2010 1:33 PM To: Tomcat Users List Subject: RE: Protecting static resources in IIS

Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?

Yes.

That sounds like a really bad idea.

- Chuck
RE: Protecting static resources in IIS
From: Richard G Curry [mailto:rgcu...@jcpenney.com] Subject: RE: Protecting static resources in IIS

From: Rob Gregory [mailto:rob.greg...@ibsolutions.com] Subject: RE: Protecting static resources in IIS

Would that then result in having to run Tomcat/Apache/IIS as root/system rather than a restricted user?

Yes.

That sounds like a really bad idea.

How so? What am I missing?

Basic security philosophy, known as the principle of least privilege. Running as root/system is like walking around with a "kick me" sign; just wait till the hackers break into your IIS box running that way...

- Chuck
RE: Protecting static resources in IIS
Good point -- one I did not consider, as in my realm of reference I am in a secured zone -- no outside access. Makes a big difference.

Rick Curry

-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, November 02, 2010 1:48 PM To: Tomcat Users List Subject: RE: Protecting static resources in IIS

How so? What am I missing?

Basic security philosophy, known as the principle of least privilege. Running as root/system is like walking around with a "kick me" sign; just wait till the hackers break into your IIS box running that way...

- Chuck