On Sun, Apr 19, 2009 at 7:37 AM, André Warnier <a...@ice-sa.com> wrote:
> But basing the acceptance or rejection on a HTTP request header sent by the
> browser is not absolutely secure, in the sense that this can easily be faked
> using any HTTP client agent such as wget, curl, lwp-request etc.

True. But it seems relatively trivial to write a filter that would add the originating IP of each request for the base resource, e.g. 'foo.html', to an in-memory list. Then requests for the targeted resource, e.g. 'bar.jpg', can be easily checked against that list and rejected if the request IP isn't present.

FWIW,
--
Hassan Schroeder ------------------------ hassan.schroe...@gmail.com
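One way the filter described in the reply above could be written, as an added example that is not code from the thread or from Tomcat. The class name, the two paths, the five-minute expiry and the `javax.servlet` package (Tomcat 10 and later use `jakarta.servlet`) are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name, paths and TTL are assumptions, not from the thread.
public class RecentVisitorFilter implements Filter {
    private static final String BASE_RESOURCE = "/foo.html";   // page that embeds the image
    private static final String TARGET_RESOURCE = "/bar.jpg";  // resource being protected
    private static final long TTL_MILLIS = 5 * 60 * 1000L;     // assumed validity window

    // remote address -> time the base resource was last requested from it
    private final ConcurrentMap<String, Long> seen = new ConcurrentHashMap<String, Long>();

    public void init(FilterConfig config) {}
    public void destroy() { seen.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the container-normalized path, so ";param" suffixes or encoded
        // characters in the raw URI cannot slip past the comparison below.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        String ip = request.getRemoteAddr();
        long now = System.currentTimeMillis();

        if (BASE_RESOURCE.equals(path)) {
            purgeExpired(now);
            seen.put(ip, now);
        } else if (TARGET_RESOURCE.equals(path)) {
            Long last = seen.get(ip);
            if (last == null || now - last > TTL_MILLIS) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Drop stale entries so the in-memory list cannot grow without bound.
    private void purgeExpired(long now) {
        for (Map.Entry<String, Long> e : seen.entrySet()) {
            if (now - e.getValue() > TTL_MILLIS) seen.remove(e.getKey(), e.getValue());
        }
    }
}
```

`getRemoteAddr()` returns the address of the directly connected peer, so clients behind one NAT or forward proxy share an entry, and behind a reverse proxy every request carries the proxy's address unless the container is configured to restore the client address.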