How to restrict access to image folders

nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
Hi
I have developed an application using JSPs and have deployed it on Apache Tomcat 5.5.24. My application uses images which are stored in a folder named images; the hierarchy is as follows: context>dept>branch>images>
The problem I face is that I am able to access the images directly by typing the URL in the browser. Can anyone please tell me how to restrict access to this folder by others?
[ June 03, 2008: Message edited by: Bear Bibeault ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

This is not Tomcat-specific, so I'm moving it to the Servlets forum.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

You can't. The images must be browser-addressable so that the browser can fetch them for display.

What are you really trying to accomplish? If you are trying to keep people from downloading the images, just give that up. It's not possible.
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
I thought the settings are in the Tomcat server itself. Can you please help me with the solution? I don't want to use servlets for my solution. Have to use JSP only.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

What solution? As I said, if the images aren't addressable by URL, they cannot be shown in the browser.
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
OK, is there any way of securing the images? I don't want people to download images. Is there a way of encrypting the location of the images? There must be something which would prevent people from downloading images off the server?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

Originally posted by nick sharma:
have to use JSP only.

You're kidding.

Regardless, there is no solution, but I'll move this to the JSP forum in any case.
[ June 03, 2008: Message edited by: Bear Bibeault ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

Originally posted by nick sharma:
there must be something which would prevent people from downloading images off the server

There is not.

At least not if you want the images to be shown on the browser.

If you are trying to protect proprietary works, the solution is usually to watermark the images so that downloading them is not useful.

What's the scenario you are trying to protect?
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
Thanks for bearing with me. The thing is that my application will be used by college students and authorities. There might be a few students who would figure out how to get hold of the staff and other student images off the server and misuse them. I am just trying to avoid any unwanted scenarios. So will there be anything I can do to protect the images?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

Are these images visible on pages that can be seen by the people you are afraid will misuse them? Do you have any sort of login authentication that can be used to determine who can see what?

Again, if it's visible on a page it's already been downloaded!
[ June 03, 2008: Message edited by: Bear Bibeault ]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

As Bear mentioned, nobody can see the images if they can't be downloaded to the client.

If you want to restrict access to particular users, you could store them under WEB-INF and then stream them to those users who are allowed to see them.
You won't be able to stream them using JSP, so you might need to get an exception made to the JSP-only rule for this one case.

The good news is that we have a demo application that does just this in our CodeBarn.

Check out:
http://faq.javaranch.com/java/CodeBarnSimpleStream
[ June 03, 2008: Message edited by: Ben Souther ]

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

P.S. You can turn off directory listings so that it's harder for them to find out what's there. But if they have a URL (such as cutting out of the HTML source), they can get to the image unless there's an authentication scenario present.
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
Yes, I use a login authentication for everybody; only people who have logged in can see their images on their homepage. But the images folder is open, right, so anyone who can add 2+2 can actually type the URL to the images folder and download images from there. Can't put a login on that, can I?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

Originally posted by Ben Souther:
If you want to restrict access to particular users ...

That's exactly why I asked about authentication. If you know who is who, you can set up a scheme to restrict access. But if you don't, then this is a much harder problem.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61654

OK, then. Since you have authentication, you can hide the folder, as Ben suggested, behind WEB-INF and access the images through a servlet that checks the authentication. You'll need to figure out a way to identify which images can be seen by which users.

And, you will not be able to use just JSP. In this day and age, why on earth are you not using proper Model 2 web app structure with both servlets and JSP?

P.S. In future posts, please be sure to mention important information such as the user authentication up-front.
[ June 03, 2008: Message edited by: Bear Bibeault ]
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
But the login authentication will only make sure that the information for a particular student (in my case) is visible only to him/her, but when you talk of the images folder I can type something like http://172.168.154.200:8080/college/images/1234567890.jpeg and without even logging in can download the images.
My directory listing is off so no problems on that side, but a student can see the HTML file and can easily map where other images will be stored, right?
Every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable.
I thank you for bearing with me on this problem; I am just trying to make the system perfect.
nick sharma
Greenhorn

Joined: May 05, 2008
Posts: 28
Thank you for your suggestions, Ben and Bear. I will definitely put proper references like authentication in my future posts.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by nick sharma:
But the login authentication will only make sure that the information for a particular student (in my case) is visible only to him/her, but when you talk of the images folder I can type something like http://172.168.154.200:8080/college/images/1234567890.jpeg and without even logging in can download the images.
My directory listing is off so no problems on that side, but a student can see the HTML file and can easily map where other images will be stored, right?
Every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable.
I thank you for bearing with me on this problem; I am just trying to make the system perfect.



My first suggestion (streaming the image from behind WEB-INF) would prevent someone from getting the image without the proper credentials (even if they know the exact URL).

You could also write a filter with a mapping that matches the directory structure for your restricted-images folder that checks credentials for each request and sends back a 40x response if the user isn't allowed to view a particular file.

Both solutions would require that you write some non-JSP code, but requiring a server-side Java app to be written purely with JSP means missing out on most of the best features of this technology.
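
The approach Bear and Ben describe above (images moved under WEB-INF and streamed by a servlet that checks the logged-in user), sketched as an added example that is not part of the original thread or the CodeBarn demo. The servlet name, the `/photo/*` mapping, the `rollNumber` session attribute set at login and the `/WEB-INF/images/<roll>.jpeg` layout are all assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, assumed to be mapped to /photo/* in web.xml.
public class StudentPhotoServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getSession(false): do not create a session for anonymous callers.
        HttpSession session = req.getSession(false);
        // "rollNumber" is an assumed attribute the login code stores in the session.
        Object owner = (session == null) ? null : session.getAttribute("rollNumber");
        if (owner == null) {
            // Not logged in (an application could redirect to its login page instead).
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The requested roll number is taken from the path, e.g. /photo/1234567890
        String path = req.getPathInfo();
        String requested = (path == null) ? "" : path.substring(1);
        // Digits only (no "../" traversal), and a student may fetch only
        // his or her own image, so guessing another roll number gets a 403.
        if (!requested.matches("\\d{1,20}") || !requested.equals(owner.toString())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The container never serves files under WEB-INF directly to browsers.
        InputStream in = getServletContext()
                .getResourceAsStream("/WEB-INF/images/" + requested + ".jpeg");
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            resp.setContentType("image/jpeg");
            // Keep shared proxies from caching a per-user image.
            resp.setHeader("Cache-Control", "private, no-store");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

The JSP page then points its img tag at the servlet path for the logged-in roll number instead of the old images folder; access for staff who may view several students' images would need an extra role check in place of the equality test.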
Praful Thakare
Ranch Hand

Joined: Feb 10, 2001
Posts: 641
Every student has a university roll number assigned, using which I display their images on their homepages, but any student can type a random roll number and get the image of a particular student, which is not acceptable

Why save or show the image with the plain roll number? You can always save the image with an encrypted version of the roll number so that one has to hack the algorithm to pass in the request.

E.g., say for roll number 007 you have image 007.gif, called as http://some.domain/app/images/007.gif. Save this image as SDFE@#$%^12345.gif (some encryption). Now I don't think students from your college will be so pro as to find the key for roll number 100.

-P

