Would that then result in having to run Tomcat/Apache/IIS as root/system rather 
than a restricted user?


> -----Original Message-----
> From: Richard G Curry [mailto:rgcu...@jcpenney.com]
> Sent: 02 November 2010 17:43
> To: Tomcat Users List
> Subject: RE: Protecting static resources in IIS
> 
> What if you put your images into a sub-directory of your app directory --
> something like "images" -- and set the access rights on that directory to be
> only accessible by the SYSTEM account.
> 
> Rick Curry
> Common Services -  Software Development
> E2 - 066, MS 5210
> 972-431-9178 (Voice)
> 972-585-7585 (Pager)
> To send a (short) Text Message to my Pager:
> 9725857...@page.metrocall.com
> 
> -----Original Message-----
> From: Pid * [mailto:p...@pidster.com]
> Sent: Tuesday, November 02, 2010 11:42 AM
> To: Tomcat Users List
> Subject: Re: Protecting static resources in IIS
> 
> On 2 Nov 2010, at 15:48, Siva prakash I V <sivaprakash...@gmail.com> wrote:
> 
> > Hi Rob,
> >
> > My app contains a sequence of images like for eg. A/11.gif, A/12.gif, ....
> > A/19.gif, B/21.gif... etc.
> > These images are used to identify a valid user of my app.
> > As these images are easily guessable, it may be easy for anyone to
> > download all possible images and may lead to phishing attack.
> > Having said that I can't place my images in Tomcat and get it served
> > by a servlet( a performance penalty )
> 
> You've presumably conducted some performance tests which led you to this
> conclusion?
> 
> In this case a Servlet Filter which checks the request against the current
> user's credentials and returns a 403 for unauthorised access would be a low
> cost option.
> 
> p
> 
> > and neither I can change my image names to ones which are not easily
> > guessable.
> > My tomcat app jsps should continue using the existing images.
> >
> >
> >
> > On Tue, Nov 2, 2010 at 8:22 PM, Rob Gregory <rob.greg...@ibsolutions.com> wrote:
> >
> >> Hi Siva,
> >>
> >> The only way I know of protecting an 'actual' request for a specific
> >> resource is to remove the resource from the web server. I can't see
> >> why you would want to stop access to something when it is actually
> >> requested, otherwise what would be the point of deploying it (if
> >> nothing can access it). Sorry if I misunderstand the question.
> >>
> >>
> >>> -----Original Message-----
> >>> From: Siva prakash I V [mailto:sivaprakash...@gmail.com]
> >>> Sent: 02 November 2010 14:44
> >>> To: Tomcat Users List
> >>> Subject: Re: Protecting static resources in IIS
> >>>
> >>> Firstly, Thanks for the info.
> >>>
> >>> I've done what you've said.
> >>>
> >>> Consider my directory structure as below in IIS.
> >>>
> >>> <IISROOT>/images/TestDir/A.gif
> >>> <IISROOT>/images/TestDir/index.html  (newly introduced one)
> >>>
> >>> If I hit the following url, it shows the index.html
> >>> https://<hostname>/images/TestDir/
> >>>
> >>> but if I hit the following url, it shows the image A.gif which needs to be
> >>> restricted its access.
> >>>
> >>> https://<hostname>/images/TestDir/A.gif
> >>>
> >>> Please let me know if this can be resolved.
> >>>
> >>>
> >>> Thanks,
> >>> Siva Prakash
> >>>
> >>>
> >>> On Tue, Nov 2, 2010 at 7:49 PM, Rob Gregory <rob.greg...@ibsolutions.com> wrote:
> >>>
> >>>> While this is not a forum nor is the mailing list about IIS a quick
> >>>> suggestion and one we implement is to place a blank (or custom)
> >>>> index.html file into every directory within the site. This will
> >>>> then be served up when requests for resources are received.
> >>>>
> >>>> Hope that helps
> >>>> Rob
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Siva prakash I V [mailto:sivaprakash...@gmail.com]
> >>>>> Sent: 02 November 2010 14:08
> >>>>> To: users@tomcat.apache.org
> >>>>> Subject: Protecting static resources in IIS
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Though I know that this forum is not for IIS related questions, It will be
> >>>>> great if someone can help me out with the following problem.
> >>>>>
> >>>>> I need to protect the end user's access (thru a url) to the static resources
> >>>>> like images directory in IIS but still allowing my app jsps in Tomcat ROOT.
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>> Siva Prakash
> >>>>
> >>>>
> >> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>>
> >>
> >>
> >>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
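
The Servlet Filter suggested in the thread (check the request against the current user's credentials, return 403 otherwise), sketched as an added example that is not code from the thread or from Tomcat. The session attribute name `allowedImagePath` and the idea that the application's login code stores the one image path a user may fetch are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter in web.xml to the image path, e.g. <url-pattern>/images/*</url-pattern>.
public class ImageAccessFilter implements Filter {

    // Hypothetical attribute set by the application's own login code:
    // the single image path this user may fetch, e.g. "/images/A/11.gif".
    static final String ALLOWED_IMAGE_ATTR = "allowedImagePath";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        Object allowed = (session == null) ? null : session.getAttribute(ALLOWED_IMAGE_ATTR);

        // Path inside the web application, already decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // No session, no assigned image, or a different image: refuse.
        if (allowed == null || !allowed.equals(path)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Keep shared caches from storing a per-user image.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

The filter only sees requests that Tomcat handles; if IIS serves the images directory straight from disk, the request never reaches it, so the images would have to live inside the web application and be forwarded to Tomcat.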
