Hello,

I have an application where users upload images to the server. I am using Tomcat 4.1.27. The folder structure is as below:

webapp
|__application
   |__images
      |___data
      |___temp

Images uploaded by the user are temporarily stored under the webapps/application/images/temp folder. After processing the image, its preview is displayed to the user, and once he submits the page, the image is copied with a different name to the data folder. When the image preview is displayed, it is displayed using the line

<IMG src="/application/images/temp/tempimagename.jpg" >

Now my problem is, I don't want the user to access any file under the temp or data folder. If the user types a URL such as one of these in the browser, he shouldn't be allowed to view the file:

http://url:port/application/images/temp/tempimagename.jpg
or
http://url:port/application/images/data/imagename.jpg

At the same time, I have a functionality for the admin, where he will be shown the image as

<IMG src="/application/images/data/imagename.jpg" >

Is it possible to restrict the user? How can I block any direct access to the file? Please help me ASAP.

Thanks in advance,
Hemant.
You want images uploaded from users to be available to the admin, but not other users? Placing them in the web-inf won't work, the admin won't be able to see them.

One option is to load them into a directory on the webroot that has some sort of protection (BASIC authentication is the easiest).

If you already have some security built in, you could also save the images off the webroot and serve them using a custom Servlet which checks user privileges. This is similar to the first, but is a little cleaner if you already have security enabled.

Dave
Just in case anyone reads the above two messages and gets confused, remember that in most situations the name of the directory/folder WEB-INF is case sensitive. Please always use "WEB-INF", which is guaranteed to work, rather than "web-inf" which will only work in some cases. Thanks.
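The custom Servlet approach suggested above, sketched as an added example that is not code from any poster in this thread. The image directory, the "admin" role name and the "name" request parameter are assumptions; the role check relies on container-managed authentication being configured in web.xml.

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example: streams uploaded images that are stored outside the webroot.
public class ProtectedImageServlet extends HttpServlet {
    // Assumed location; it must not be under webapps/, so no URL maps to it directly.
    private static final File IMAGE_ROOT = new File("/var/app-data/images");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Returns false for unauthenticated users as well as non-admins.
        if (!req.isUserInRole("admin")) {            // "admin" is an assumed role name
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = req.getParameter("name");      // assumed parameter name
        if (name == null || name.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Canonicalize so "../" sequences and symlinks cannot escape the image root.
        File root = IMAGE_ROOT.getCanonicalFile();
        File file = new File(root, name).getCanonicalFile();
        if (!file.getPath().startsWith(root.getPath() + File.separator) || !file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Only hand out files the container recognises as images.
        String type = getServletContext().getMimeType(file.getName());
        if (type == null || !type.startsWith("image/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType(type);
        resp.setContentLength((int) file.length());
        InputStream in = new FileInputStream(file);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

With the servlet mapped to a URL pattern in web.xml, the admin page's IMG tag points at that mapping with the file name as the parameter instead of at a static path.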