How to restrict access to image folders

 
Greenhorn
Hi
I have developed an application using JSPs and have deployed it on Apache Tomcat 5.5.24. My application uses images which are stored in a folder named images; the hierarchy is as follows: context>dept>branch>images>
The problem I face is that I am able to access the images directly by typing the URL in the browser. Can anyone please tell me how to restrict access to this folder by others?
[ June 03, 2008: Message edited by: Bear Bibeault ]
 
Sheriff
This is not Tomcat-specific, so I'm moving it to the Servlets forum.
 
Bear Bibeault
Sheriff
You can't. The images must be browser-addressable so that the browser can fetch them for display.

What are you really trying to accomplish? If you are trying to keep people from downloading the images, just give that up. It's not possible.
 
nick sharma
Greenhorn
I thought the settings are in the Tomcat server itself. Can you please help me with the solution? I don't want to use servlets for my solution. I have to use JSP only.
 
Bear Bibeault
Sheriff
What solution? As I said, if the images aren't addressable by URL, they cannot be shown in the browser.
 
nick sharma
Greenhorn
OK, is there any way of securing the images? I don't want people to download images. Is there a way of encrypting the location of the images? There must be something which would prevent people from downloading images off the server?
 
Bear Bibeault
Sheriff

Originally posted by nick sharma:
have to use JSP only.


You're kidding.

Regardless, there is no solution, but I'll move this to the JSP forum in any case.
[ June 03, 2008: Message edited by: Bear Bibeault ]
 
Bear Bibeault
Sheriff

Originally posted by nick sharma:
there must be something which would prevent people from downloading images off the server


There is not.

At least not if you want the images to be shown on the browser.

If you are trying to protect proprietary works, the solution is usually to watermark the images so that downloading them is not useful.

What's the scenario you are trying to protect?
 
nick sharma
Greenhorn
Thanks for bearing with me. The thing is that my application will be used by college students and authorities. There might be a few students who would figure out how to get hold of the staff and other student images off the server and misuse them. I am just trying to avoid any unwanted scenarios. So will there be anything I can do to protect the images?
 
Bear Bibeault
Sheriff
Are these images visible on pages that can be seen by the people you are afraid will misuse them? Do you have any sort of login authentication that can be used to determine who can see what?

Again, if it's visible on a page it's already been downloaded!
[ June 03, 2008: Message edited by: Bear Bibeault ]
 
Sheriff
As Bear mentioned, nobody can see the images if they can't be downloaded to the client.

If you want to restrict access to particular users, you could store them under WEB-INF and then stream them to those users who are allowed to see them.
You won't be able to stream them using JSP, so you might need to get an exception made to the JSP-only rule for this one case.

The good news is that we have a demo application that does just this in our CodeBarn.

Check out:
http://faq.javaranch.com/java/CodeBarnSimpleStream
[ June 03, 2008: Message edited by: Ben Souther ]
 
Bear Bibeault
Sheriff
P.S. You can turn off directory listings so that it's harder for them to find out what's there. But if they have a URL (such as cutting it out of the HTML source), they can get to the image unless there's an authentication scenario present.
 
nick sharma
Greenhorn
Yes, I use login authentication for everybody; only people who have logged in can see their images on their homepage. But the images folder is open, right? So anyone who can add 2+2 can actually type the URL to the images folder and download images from there. I can't put a login on that, can I?
 
Bear Bibeault
Sheriff

Originally posted by Ben Souther:
If you want to restrict access to particular users ...


That's exactly why I asked about authentication. If you know who is who, you can set up a scheme to restrict access. But if you don't, then this is a much harder problem.
 
Bear Bibeault
Sheriff
OK, then. Since you have authentication, you can hide the folder, as Ben suggested, behind WEB-INF and access the images through a servlet that checks the authentication. You'll need to figure out a way to identify which images can be seen by which users.

And, you will not be able to use just JSP. In this day and age, why on earth are you not using proper Model 2 web app structure with both servlets and JSP?

P.S. In future posts, please be sure to mention important information such as the user authentication up-front.
[ June 03, 2008: Message edited by: Bear Bibeault ]
 
nick sharma
Greenhorn
But the login authentication will only make sure that the information for a particular student (in my case) is visible only to him/her, but when you talk of the images folder, I can type something like http://172.168.154.200:8080/college/images/1234567890.jpeg and without even logging in can download the images.
My directory listing is off, so no problems on that side, but a student can see the HTML file and can easily map where other images will be stored, right?
Every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable.
I thank you for bearing with me on this problem; I am just trying to make the system perfect.
 
nick sharma
Greenhorn
Thank you for your suggestions, Ben and Bear. I will definitely put proper references like authentication in my future posts.
 
Ben Souther
Sheriff

Originally posted by nick sharma:
But the login authentication will only make sure that the information for a particular student (in my case) is visible only to him/her, but when you talk of the images folder, I can type something like http://172.168.154.200:8080/college/images/1234567890.jpeg and without even logging in can download the images.
My directory listing is off, so no problems on that side, but a student can see the HTML file and can easily map where other images will be stored, right?
Every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable.
I thank you for bearing with me on this problem; I am just trying to make the system perfect.




My first suggestion (streaming the image from behind WEB-INF) would prevent someone from getting the image without the proper credentials (even if they know the exact URL).

You could also write a filter with a mapping that matches the directory structure for your restricted-images folder that checks credentials for each request and sends back a 40x response if the user isn't allowed to view a particular file.

Both solutions would require that you write some non-JSP code but requiring a server side Java app to be written purely with JSP means missing out on most of the best features of this technology.
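
The streaming approach described above, sketched as an added example that is not part of the original thread or the CodeBarn demo. The class name, the `/WEB-INF/images/` location, the `/photo/*` mapping, the `rollNumber` and `staff` session attributes, and the policy "students see only their own photo, staff see all" are assumptions; the same checks could equally sit in a filter.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; map it in web.xml to a URL pattern such as /photo/* (assumed).
public class StudentPhotoServlet extends HttpServlet {
    // Assumed location. The container never serves WEB-INF content directly.
    private static final String IMAGE_DIR = "/WEB-INF/images/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Do not create a session here: no session means not logged in.
        HttpSession session = req.getSession(false);
        // "rollNumber" and "staff" are assumed to be set by the existing login code.
        String ownRoll = session == null ? null : (String) session.getAttribute("rollNumber");
        boolean staff = session != null && Boolean.TRUE.equals(session.getAttribute("staff"));
        if (ownRoll == null && !staff) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Path info looks like "/1234567890.jpeg"; digits only, so "../" cannot reach other files.
        String path = req.getPathInfo();
        if (path == null || !path.matches("/\\d{1,20}\\.jpeg")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String requestedRoll = path.substring(1, path.length() - ".jpeg".length());
        // Authorization, not just authentication: a logged-in student may fetch only their own photo.
        if (!staff && !requestedRoll.equals(ownRoll)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        InputStream in = getServletContext().getResourceAsStream(IMAGE_DIR + requestedRoll + ".jpeg");
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            resp.setContentType("image/jpeg");
            resp.setHeader("Cache-Control", "private, no-store"); // keep photos out of shared caches
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

The per-request comparison of the requested roll number with the one stored in the session is what stops a logged-in student from typing another student's roll number into the URL.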
 
Ranch Hand
every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable

Why save or show the image with the plain roll number? You can always save the image with an encrypted version of the roll number so that one has to hack the algorithm to pass it in a request.

For example, say for roll number 007 you have image 007.gif, called as http://some.domain/app/images/007.gif. Save this image as SDFE@#$%^12345.gif (some encryption). Now I don't think students from your college will be so pro as to find the key for roll number 100.

-P
 