At 10:29 AM 6/9/2003, Dean Fantham wrote:
> The only potential method that can catch most (but not all) of these
> would be to create a separate image handling jsp/servlet, say
> imageHandler. When imageHanlder servlet recieves an image request it
> can check the http-referrer header and ensure that the referrer is the
> url of the page to which the images are supposed to load, i.e. is the
> page containing the images in /servlet/somepage then the http-referrer
> that imageHandler see should be able to checked that it is
> /servlet/somepage. Someone can circumvent this control by the Internet,
> but just manually setting this header themselves (via a program or the
> like) and then having access directly to the images
>
> You would then have to update all image referrences on the somepage
> servelt/jsp however to something like <img
> src="/servlet/imagehandler?gif=somerefernce">.
This may not work, since there may be Browsers out there, that do not sent a
referer or a forged referer String (e.g. privoxy is a proxy that can change
referers, cookies...)
Justin Ruthenbeck:
> Without more information about the intended application, this discussion
> will continue to become more academic and less directly useful ... but,
> really, what's wrong with that? ;)
>
> If your app needs to serve images for non-authenticated users, but you want
> to approximate security (as if you're trying to avoid direct links to your
> images, as someone else had surmised), another option is to issue
> time-sensitive keys with your generated HTML such that your <img> tags look
> like:
>
> <img src="/imgSentinel/images/nolinking.jpg?key=f5c76x>
>
> where "imgSentinel" is your servlet that controls access,
> "/images/nolinking.jpg" is your protected resource, and "f5c78x" is a key
> that the servlet or jsp generating this code has created and stored. Such
> a key would be valid for, say, 60 seconds during which imgSentinel would
> grant access.
This approach is better since the authentification is done on the server side
not requiring any tecnical funtionality on the clientside.
Ciao
Jens Skripczynski
--
E-Mail: skripi-lists(at)myrealbox(dot)com
Always say what I really think. But nowadays this is a serious error
since one risks being misunderstood.
-- Oscar Wild
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
