Hiding URL from source

 
Thomas Greene
Ranch Hand
Posts: 127
In my JSP page, I have the following

<a href='http://63.125.154.169:8080/private/Stream?uid=c0a8cc1173957eac2-7f22&quality=IM'><img src='../images/listen.gif' /></a>

When the user clicks on the link, the relevant file is opened. But the problem is that the user can see the actual path in the source as well as in the status bar. Since this is paid content we want to avoid it. Please let me know how this can be done.
 
Ben Souther
Sheriff
Posts: 13411
If it's paid content, merely hiding the URL would be insufficient.

You should put the content in a directory that can't be seen directly from the web. Then, write a servlet that streams the content to the browser after checking for a valid login. We have an example app in our CodeBarn that streams images from under the WEB-INF directory (which is not directly accessible from the web). Look for SimpleStream. All you'd need to do is add the security check.

Alternatively, you could write a filter that checks for a valid login before allowing access to anything, static or dynamic. This way you won't have to care if people know the URL because, without a valid login, they won't be able to get to the content anyway.

On my own site, I have an application with a filter that does this.
http://simple.souther.us/not-so-simple.html
Look for SessionMonitor.
The point of the app is to show how to track users but it has a filter that forwards the user to the login screen if they try to hit anything in the app without being logged in (including images, or static HTML pages.)
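The two approaches in this answer, a login filter in front of everything and a servlet that streams from under WEB-INF, in one added example. This is not the CodeBarn SimpleStream or SessionMonitor code; it assumes the login page stores the authenticated user in a session attribute named "user", that the paid files sit under /WEB-INF/content/, and that the filter is mapped to /* and the servlet to /private/Stream in web.xml (all names chosen here). The two classes are shown in one block with "// --- file ---" markers; in a real project each is its own source file.

```java
// Added example, not CodeBarn code. Assumed names: session attribute "user",
// content directory /WEB-INF/content/, login page /login.jsp, login action /login.

// --- LoginFilter.java ---  (web.xml: <url-pattern>/*</url-pattern>)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Every request, static or dynamic, passes through here before anything is served. */
public class LoginFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create one here
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        String path = request.getServletPath();
        // Only the login page and the action that processes it are reachable anonymously.
        if (loggedIn || "/login.jsp".equals(path) || "/login".equals(path)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }
}

// --- StreamServlet.java ---  (web.xml: <url-pattern>/private/Stream</url-pattern>)
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class StreamServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Belt and braces: re-check the login here too, so the servlet stays safe
        // even if the filter mapping is narrowed later.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = request.getParameter("name");   // e.g. ?name=track1.mp3
        // The name becomes part of a resource path, so refuse separators and "..":
        // a request must not be able to name a file outside the content directory.
        if (name == null || name.isEmpty() || name.contains("/") || name.contains("\\")
                || name.contains("..")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // WEB-INF is never served directly, so this is the only way to reach the bytes.
        InputStream in = getServletContext().getResourceAsStream("/WEB-INF/content/" + name);
        if (in == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(name);
        response.setContentType(mime != null ? mime : "application/octet-stream");
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

With this in place the JSP link becomes something like `<a href="private/Stream?name=track1.mp3">`, and it no longer matters that the URL is visible in the page source or the status bar: without a logged-in session the filter redirects to the login page and the servlet returns 403, and the file itself is unreachable by any direct path.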
 
Kishore Dandu
Ranch Hand
Posts: 1934
Along the lines of above, is there a way to render the image but hide the location even if the image file is not under the WEB-INF directory?
 
Jimmy Clark
Ranch Hand
Posts: 2187
Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64173
 
Kishore Dandu
Ranch Hand
Posts: 1934
Originally posted by James Clark:
Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.


Why not?
Example: the requirement is to render the image for user reference, but not allow direct access to the image through a URL (like the signature for a credit card transaction).

[ July 08, 2008: Message edited by: Kishore Dandu ]
 
Paul Clapham
Sheriff
Posts: 20164
You can do things like requiring authorization, as already suggested. You can check things like the referer (the page which sent the request) or the user agent (the name of the browser which sent the request) as well, but both of those things can be forged by a program. The bottom line is, you can't tell whether a request came from a browser or from a well-written program pretending to be a browser. You can just catch the not-so-well-written programs.
 
Paul Clapham
Sheriff
Posts: 20164
Oh yeah. There are also Javascript tricks like having the link open in a new window with no address bar (so the address isn't visible). But again, that just hides the URL from the casual violator. The determined violator can find it easily by using (for example) the Live HTTP Headers plugin in Firefox to examine the headers of all the requests sent. Or by right-clicking the link and making it open in a tab instead of a window... there are plenty of ways to defeat that.
 
Kishore Dandu
Ranch Hand
Posts: 1934
Can I use a filter mechanism?

I can pre-define that www.123.com/... should not render if the request is not coming from www.123.com/xyz.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64173
You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?
 
Kishore Dandu
Ranch Hand
Posts: 1934
Originally posted by Bear Bibeault:
You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?


The requirement is to allow rendering the image abc.png in a JSP file. But if the user tries to render the same PNG by itself, we should stop them from doing that. The PNG URL will be like www.abc.com/cgi-bin/1234.png
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64173
But why?
 
Kishore Dandu
Ranch Hand
Posts: 1934
Originally posted by Bear Bibeault:
But why?


Let me rephrase a bit. It is a signature image. It is actually rendered by invoking xyz.com/cgi-bin/param123. It is placed in a JSP for the user to see. But we do not want the user to remember this URL and look at the signature later by rendering it on its own.
 
Jimmy Clark
Ranch Hand
Posts: 2187
http://chart.apis.google.com/chart?cht=p3&chd=t:10.0,58.0,95.0,30.0,8.0,63.0&chs=450x200&chl=Hello|World|New

The Google service above creates the image at runtime. Pretty fancy stuff, I think. There is no "image file" to hide. No "Source" to look at.
[ July 09, 2008: Message edited by: James Clark ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64173
But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?
 
Paul Clapham
Sheriff
Posts: 20164
I'm wondering what "later" means. Is there some time cutoff after which the user shouldn't be able to see the image any more? Or should they only be shown it once? Or should they only be shown it in some context?
 
Kishore Dandu
Ranch Hand
Posts: 1934
Originally posted by Bear Bibeault:
But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?


Concerns are with the later hits to the url of the image.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64173
OK, if all you are concerned with is making it so that you can only visit the URL once, maybe this would work for you:

1) In the page controller for the page in which the image will appear, generate a random token (could be anything random)
2) Place this token in the session.
3) When generating the URL for the <img> tag that references the servlet that will serve up the image data, add the token as a request parameter.
4) When the image-serving servlet is called, check that the parameter exists and matches the one in the session. Only serve the image if it matches.
5) Remove the token from the session.

This should ensure that the image can only be served once, and only from a page that you generate containing the current token.
[ July 09, 2008: Message edited by: Bear Bibeault ]
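The five steps above carried through as an added example; this is not Bear's code or anything from the thread. It assumes a page controller servlet at /signaturePage that forwards to /WEB-INF/jsp/signature.jsp, an image servlet mapped to /signature, a session attribute "imageToken" for the token and "imageId" for which signature to show, and signature files under /WEB-INF/signatures/<id>.png (all names chosen here). Two source files are shown in one block with "// --- file ---" markers.

```java
// Added example implementing the one-time token scheme; assumed names as in the lead-in.

// --- SignaturePageServlet.java ---  (page controller: steps 1, 2 and 3)
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SignaturePageServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Which signature to show. Assumption: "id" is validated elsewhere against the
        // logged-in user's own transactions; here it is only restricted to a safe charset.
        String imageId = request.getParameter("id");
        if (imageId == null || !imageId.matches("[A-Za-z0-9]{1,32}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Step 1: an unguessable token. java.util.Random is predictable; use SecureRandom.
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = new BigInteger(1, raw).toString(16);
        // Step 2: keep the token (and the id it is good for) in the session, not in the URL.
        HttpSession session = request.getSession(true);
        session.setAttribute("imageToken", token);
        session.setAttribute("imageId", imageId);
        // Step 3: the <img> URL carries only the token as a request parameter.
        request.setAttribute("signatureUrl",
                request.getContextPath() + "/signature?token=" + token);
        // signature.jsp renders: <img src="${signatureUrl}" alt="signature" />
        request.getRequestDispatcher("/WEB-INF/jsp/signature.jsp").forward(request, response);
    }
}

// --- SignatureImageServlet.java ---  (mapped to /signature: steps 4 and 5)
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SignatureImageServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String supplied = request.getParameter("token");
        String imageId = null;
        if (session != null && supplied != null) {
            // Step 4 and 5 together: compare and remove under one lock, so two requests
            // arriving with the same token cannot both pass (locking the session object
            // is an assumption that holds for a single container instance).
            synchronized (session) {
                String expected = (String) session.getAttribute("imageToken");
                if (expected != null && MessageDigest.isEqual(
                        expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"))) {
                    imageId = (String) session.getAttribute("imageId");
                    session.removeAttribute("imageToken");   // step 5: single use
                    session.removeAttribute("imageId");
                }
            }
        }
        if (imageId == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Stop the browser from keeping a copy it could redisplay without a new token.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        InputStream in = getServletContext()
                .getResourceAsStream("/WEB-INF/signatures/" + imageId + ".png");
        if (in == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("image/png");
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Two practical consequences of the single-use token are worth knowing before deploying this. First, any second request for the same image URL, including a browser reload of the image alone or a page that references it twice, gets a 403; reloading the controller page mints a fresh token, which is the intended path. Second, once the bytes have reached the browser they are in the user's hands (screenshot, save-as), which is the point Bear raises above; the token only limits later hits to the URL, and the no-store headers only keep the browser from silently redisplaying a cached copy.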