A better choice, at least in my mini brainiverse ;-) would be a servlet.
You then map an url pattern and have a 100% transparent solution.
One major benefit is the possibility to exchange the, for eg., file system
based servlet with a DB based one without needing to change even one
line of code in your application. Just modify your web.xml servlet entry
and add the necessary .jar or .class files ...
Only my 2 cents,
Chris
Joe Hertz wrote:
Okay, so I do write the image out. Whew. Very helpful. tx.
I'm writing the files above my app's directory, so as long as tomcat doesn't
let people use ".." in their URL's, I don't see a problem here.
If the Action itself checks for user validity, and the files aren't
accessible any other way, would that be enough?
Problem is, I'm keenly aware that it's what I am NOT anticipating that will
bite me in the arse.
tx again
-J
-----Original Message-----
From: Joćo Vieira da Luz [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 12, 2004 7:09 PM
To: Struts Users Mailing List
Subject: Re: Protecting files question
Hi,
The Blob or file system are very similar in what concerns security.
In the first one you have to do an action that writes the file into
the output stream. Suppose that your files have and action is called
/showFile.
Html should look like this;
<img src="/showFile.do?id=<file id>"></img>
About security:
IMO you have two choices. The first one is to create a HttpFilter that
filters the requests for your files and decide if the remote user has
the privileges to read the file requested.
The second is to implement the preprocess method on Struts
RequestProcessor.
Hope this help you,
Joćo
On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz
<[EMAIL PROTECTED]> wrote:
This has probably been asked before. Apologies if so, I
didn't see anything
close enough.
This exact scenario is a bit different and more complicated
than this, but
if this problem can be solved, I can work out the rest.
Say I want people to upload images using html:file, and
have implemented
that successfully.
Now people get to view images (login role and other things
determines what
images they get to see).
But how to protect those files from unauthorized viewing?
I could store the images in BLOB's in the database. That
would achieve
security...But If I do that, how do they get to the user
using the img tag?
Utter guess: This how the action attribute on the tag
works, and I'd write
the file to the output stream in an action??? I can't
imagine that this
would be the right answer (html source would then look like...I have
absolutely no idea)
Alternatively, say I don't want to store them as BLOB's,
and just use the
file system. How do I keep people from potentially pointing
their browsers
at the right URL and viewing files they aren't entitled to see?
How does one build security onto this type of app?
TIA
-Joe
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
