Without more information about the intended application, this discussion will continue to become more academic and less directly useful ... but, really, what's wrong with that? ;)


If your app needs to serve images for non-authenticated users, but you want to approximate security (as if you're trying to avoid direct links to your images, as someone else had surmised), another option is to issue time-sensitive keys with your generated HTML such that your <img> tags look like:

<img src="/imgSentinel/images/nolinking.jpg?key=f5c76x">

where "imgSentinel" is your servlet that controls access, "/images/nolinking.jpg" is your protected resource, and "f5c76x" is a key that the servlet or jsp generating this code has created and stored. Such a key would be valid for, say, 60 seconds during which imgSentinel would grant access.

Note that this is one step further than simply requiring the user to have a valid session before serving the image -- it simply makes it more difficult for people to get at your images, but certainly not impossible.

Anyways, some food for thought... perhaps your solution lies with a little of everything that people have suggested.

justin



At 10:29 AM 6/9/2003, Dean Fantham wrote:
There is no guaranteed way to stop someone directly accessing a gif image
via a browser url, because this is how an image is accessed by the
browser itself anyways.  The browser just makes a HTTP get request to
the web-server (in this case tomcat) requesting the URL of the image to
be included in the web page.

i.e. in a standard jsp/servlet response to a web request the image
request is embedded in a <img src=".../somedir/some-img.gif">.  This is
going to cause a browser request directly to the directory containing
the image, which can also be duplicated in the browser.

The only potential method that can catch most (but not all) of these
would be to create a separate image handling jsp/servlet, say
imageHandler.  When the imageHandler servlet receives an image request it
can check the http-referrer header and ensure that the referrer is the
url of the page to which the images are supposed to load, i.e. if the
page containing the images is /servlet/somepage then the http-referrer
that imageHandler sees should be checked to be
/servlet/somepage.  Someone on the Internet can circumvent this control
by just manually setting this header themselves (via a program or the
like) and then having access directly to the images.

You would then have to update all image references on the somepage
servlet/jsp however to something like <img
src="/servlet/imagehandler?gif=somereference">.


____________________________________
Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential
   See http://www.nextengine.com/confidentiality.php
____________________________________
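
The time-limited key scheme described in the message above, as an added example that is not part of the original thread. The class and method names (`ImageKeyStore`, `issue`, `isValid`) and the injected clock are assumptions for illustration; keys are random, stored server-side, bound to one path, and expire after 60 seconds.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

// Hypothetical helper (not from the original message): issues and checks
// short-lived keys that the page generator embeds in <img> URLs.
public class ImageKeyStore {
    private record Grant(String path, long expiresAtMillis) {}
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;
    private final LongSupplier clock; // injectable so expiry can be demonstrated

    public ImageKeyStore(long ttlMillis, LongSupplier clock) {
        this.ttlMillis = ttlMillis;
        this.clock = clock;
    }

    // Called while generating the HTML: returns the key for one protected path.
    public String issue(String path) {
        byte[] raw = new byte[16]; // 128 bits from a CSPRNG, so keys cannot be guessed
        random.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(key, new Grant(path, clock.getAsLong() + ttlMillis));
        return key;
    }

    // Called by the access-control servlet before streaming the image.
    public boolean isValid(String path, String key) {
        if (key == null) return false;
        long now = clock.getAsLong();
        grants.values().removeIf(g -> g.expiresAtMillis() <= now); // drop stale keys
        Grant g = grants.get(key);
        return g != null && g.path().equals(path); // key is bound to one resource
    }

    public static void main(String[] args) {
        long[] now = {0L}; // constructed clock for the demonstration
        ImageKeyStore store = new ImageKeyStore(60_000, () -> now[0]);
        String key = store.issue("/images/nolinking.jpg");
        System.out.println("<img src=\"/imgSentinel/images/nolinking.jpg?key=" + key + "\">");
        System.out.println(store.isValid("/images/nolinking.jpg", key)); // inside the window
        System.out.println(store.isValid("/images/other.jpg", key));     // different resource
        now[0] = 61_000;                                                 // advance past the TTL
        System.out.println(store.isValid("/images/nolinking.jpg", key)); // after expiry
    }
}
```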

