Chuck,

Caldarale, Charles R wrote:
>> From: Maurice Yarrow [mailto:[EMAIL PROTECTED]
>> Subject: Re: Tomcat Security
>>
>> What I currently do is serve the static content from elsewhere,
>> outside the tomcat/webapps tree.
>
> You still end up having to map the request to some resource location
> on the server, and I don't see any way to prevent the end user from
> manually entering the equivalent URL. You could obfuscate, but not
> prevent.
There's another way to raise the barrier, but it's still not completely impenetrable: use the referer header. With the notable exception of Lynx, pretty much all web browsers include the "Referer" (sic) header when making requests where sending such a header makes sense. When an image is being loaded into a page, the referer /should/ be set by the browser. You can check to make sure that the referer header matches one of your own URLs and complain if it doesn't match. There are still ways around this (including crafting GET requests without using a browser at all), but it can help a little bit.

Silly question for Maurice: why are you trying to protect your images? Do you want to stop people from ripping them off from your site?

-chris