Hiding URL from source

Thomas Greene
Ranch Hand

Joined: Aug 09, 2004
Posts: 125
In my JSP page, I have the following

<a href='http://63.125.154.169:8080/private/Stream?uid=c0a8cc1173957eac2-7f22&quality=IM'><img src='../images/listen.gif' /></a>

When the user clicks on the link, the relevant file is opened. But the problem is that user can see the actual path in source as well as status bar. Since this is paid content we want to avoid it. Please let me know how this can be done.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

If it's paid content, merely hiding the URL would be insufficient.

You should put the content in a directory that can't be seen directly from the web. Then, write a servlet that streams the content to the browser after checking for a valid login. We have an example app in our CodeBarn that streams images from under the WEB-INF directory (which is not directly accessible from the web). Look for SimpleStream.
All you'd need to do is add the security check.

Alternatively, you could write a filter that checks for a valid login before allowing access to anything, static or dynamic. This way you won't have to care if people know the URL because, without a valid login, they won't be able to get to the content anyway.

On my own site, I have an application with a filter that does this.
http://simple.souther.us/not-so-simple.html
Look for SessionMonitor.
The point of the app is to show how to track users but it has a filter that forwards the user to the login screen if they try to hit anything in the app without being logged in (including images, or static HTML pages.)


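The filter approach Ben describes, as an added example that is not code from the CodeBarn or SessionMonitor apps: it forwards every request that has no logged-in session to the login page. It assumes the login handler stores a session attribute named "user" and lives at /login.jsp (both names are assumptions here).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter to the url-pattern /* in web.xml so it also covers images
// and static HTML pages, not only servlets and JSPs.
public class LoginFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an anonymous hit stays anonymous.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        String path = request.getServletPath();

        // The login page itself must stay reachable, or nobody could ever log in.
        if (loggedIn || path.equals("/login.jsp")) {
            chain.doFilter(req, res);
            return;
        }
        // Knowing the URL buys nothing: without a valid session the request never
        // reaches the content, whether it is a servlet, a JSP or a static image.
        request.getRequestDispatcher("/login.jsp").forward(request, response);
    }
}
```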
Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Along the lines of above, is there a way to render the image but hide the location even if the image file is not under the WEB-INF directory?


Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60822

http://www.coderanch.com/t/293833/JSP/java/Restrict-Users-Accessing-Folders-Under


Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Originally posted by James Clark:
Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.


Why not?
Example: the requirement is to render the image for user reference, but not allow direct access to the image through a URL (like a signature for a credit card transaction).

[ July 08, 2008: Message edited by: Kishore Dandu ]
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541

You can do things like requiring authorization, as already suggested. You can check things like the referer (the page which sent the request) or the user agent (the name of the browser which sent the request) as well, but both of those things can be forged by a program. The bottom line is, you can't tell whether a request came from a browser or from a well-written program pretending to be a browser. You can just catch the not-so-well-written programs.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541

Oh yeah. There are also Javascript tricks like having the link open in a new window with no address bar (so the address isn't visible). But again, that just hides the URL from the casual violator. The determined violator can find it easily by using (for example) the Live HTTP Headers plugin in Firefox to examine the headers of all the requests sent. Or by right-clicking the link and making it open in a tab instead of a window... there are plenty of ways to defeat that.
Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Can I use a filter mechanism?

I can pre-define like www.123.com/... not to render in case not coming from www.123.com/xyz.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60822

You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?
Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Originally posted by Bear Bibeault:
You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?


The requirement is to allow rendering image abc.png in a jsp file. But, if the user tries to render the same png by itself, we should stop them from doing that. The png url will be like www.abc.com/cgi-bin/1234.png
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60822

But why?
Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Originally posted by Bear Bibeault:
But why?


Let me rephrase a bit. It is a signature image. It is actually rendered by invoking xyz.com/cgi-bin/param123. It is placed in a JSP for the user to see. But we do not want the user to remember this URL and look at the signature later by rendering it by itself.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
http://chart.apis.google.com/chart?cht=p3&chd=t:10.0,58.0,95.0,30.0,8.0,63.0&chs=450x200&chl=Hello|World|New

The Google service above creates the image at runtime. Pretty fancy stuff, I think. There is no "image file" to hide. No "Source" to look at.
[ July 09, 2008: Message edited by: James Clark ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60822

But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541

I'm wondering what "later" means. Is there some time cutoff after which the user shouldn't be able to see the image any more? Or should they only be shown it once? Or should they only be shown it in some context?
Kishore Dandu
Ranch Hand

Joined: Jul 10, 2001
Posts: 1934
Originally posted by Bear Bibeault:
But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?


Concerns are with the later hits to the URL of the image.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60822

OK, if all you are concerned with is making it so that you can only visit the URL once, maybe this would work for you:

1) In the page controller for the page in which the image will appear, generate a random token (could be anything random)
2) Place this token in the session.
3) When generating the URL for the <img> tag that references the servlet that will serve up the image data, add the token as a request parameter.
4) When the image-serving servlet is called, check that the parameter exists and matches the one in the session. Only serve the image if it matches.
5) Remove the token from the session.

This should ensure that the image can only be served once, and only from a page that you generate containing the current token.
[ July 09, 2008: Message edited by: Bear Bibeault ]
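Bear's five steps carried through as an added example (not code from the thread): a page controller mints the token and a servlet mapped at /signature serves the image once. The session attribute name "imgToken", the JSP path and the image path under WEB-INF are assumptions.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Steps 1-3: the controller for the page in which the image appears.
public class PageController extends HttpServlet {
    private static final SecureRandom RANDOM = new SecureRandom();

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String token = new BigInteger(128, RANDOM).toString(32); // 1) unguessable token
        request.getSession().setAttribute("imgToken", token);     // 2) keep it in the session
        // 3) the forwarded JSP writes <img src="${imgUrl}" /> with the token as a parameter
        request.setAttribute("imgUrl", request.getContextPath() + "/signature?t=" + token);
        request.getRequestDispatcher("/WEB-INF/jsp/page.jsp").forward(request, response);
    }
}

// Steps 4-5: the image-serving servlet, mapped at /signature in web.xml.
class SignatureServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("imgToken");
        String given = request.getParameter("t");
        // 4) serve only if the parameter exists and matches the session's copy
        if (expected == null || !expected.equals(given)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        session.removeAttribute("imgToken"); // 5) consume it: a second hit on the URL gets 403
        response.setContentType("image/png");
        response.setHeader("Cache-Control", "no-store"); // a cache must not re-serve it either
        // The file sits under WEB-INF, so this servlet is the only way to reach it.
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/images/abc.png");
             OutputStream out = response.getOutputStream()) {
            if (in == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        }
    }
}
```

Because step 5 consumes the token, any second fetch of the same URL fails, including a browser reload that re-requests the image; each page load must go through the controller to mint a fresh token.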