Posted to users@tomcat.apache.org by Graeme Kidd <co...@hotmail.com> on 2009/04/19 05:15:15 UTC

Prevent Hot Linking

Hi,
 
Is there a way to configure tomcat to prevent someone from downloading a file I host when they are not within my domain?
 
For example I have a file hosted here:
www.mydomain.com/mypage/file.xml
 
That is listed on a page here:
www.mydomain.com/mypage/mypage.html
 
They will have no problem downloading it, but if the link to the file.xml was listed elsewhere e.g.
www.notmydomain.com/notmypage/notmypage.html
They would be denied access. 
 
I know I can do this using .htaccess on Apache but I don't know if this is possible using WEB-INF/web.xml

Any ideas on how this can be achieved will be greatly appreciated.
 
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Prevent Hot Linking

Posted by Martin Gainty <mg...@hotmail.com>.
Graeme-
If I interpret the requirement correctly, you need some manner of rewriting the URL?
 
With Tomcat you can use URLRewrite, available from Tuckey:
http://tuckey.org/urlrewrite/

anyone?
Martin 

Re: Prevent Hot Linking

Posted by Hassan Schroeder <ha...@gmail.com>.
On Mon, May 4, 2009 at 6:03 AM, Andre-John Mas <aj...@sympatico.ca> wrote:

> I have seen some sites block images from being loaded if the referrer is not
> the site in question. I don't know if this is possible with Tomcat?

Easily done with a Filter, except that:

1) The referrer header is not required by the spec.
2) Some browser plugins block the referrer header from being sent.
3) It's easily forged.

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com

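
A minimal version of the Filter Hassan describes, as an added example (this is not code from the thread or from Tomcat): it rejects requests whose Referer does not start with one of our own page URLs. The init-param names allowedPrefixes and allowMissingReferer are assumptions; the three caveats above are the reason the missing-header case is configurable and the whole thing is a deterrent rather than a control.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests for the mapped resources unless the Referer starts with one of our own page URLs. */
public class RefererFilter implements Filter {
    // Hypothetical init-params (set in WEB-INF/web.xml): allowedPrefixes, a comma-separated list such as
    // "http://www.mydomain.com/,https://www.mydomain.com/", and allowMissingReferer ("true"/"false").
    private String[] allowedPrefixes;
    private boolean allowMissing;

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("allowedPrefixes");
        allowedPrefixes = (p == null ? "" : p).split("\\s*,\\s*");
        allowMissing = Boolean.parseBoolean(cfg.getInitParameter("allowMissingReferer"));
    }

    /**
     * Pure check, kept apart from the servlet plumbing so it can be unit-tested. Each prefix must end
     * with "/" after the host: "http://www.mydomain.com" alone also matches "http://www.mydomain.com.evil.example/".
     */
    public static boolean refererAllowed(String referer, String[] prefixes, boolean allowMissing) {
        if (referer == null || referer.isEmpty()) {
            return allowMissing; // the spec does not require the header, and plugins/privacy settings strip it
        }
        String lower = referer.toLowerCase();
        for (String prefix : prefixes) {
            if (!prefix.isEmpty() && lower.startsWith(prefix.toLowerCase())) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Deterrent only: the header is chosen by the client, so any HTTP client can present an acceptable one.
        if (refererAllowed(request.getHeader("Referer"), allowedPrefixes, allowMissing)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {}
}
```

Map it in WEB-INF/web.xml with a filter-mapping whose url-pattern covers only the files to protect (for the original question, the XML files), so the HTML pages themselves stay reachable without a Referer.
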


Re: Prevent Hot Linking

Posted by Andre-John Mas <aj...@sympatico.ca>.
I have seen some sites block images from being loaded if the referrer  
is not the site in question. I don't know if this is possible with  
Tomcat?

André-John


RE: Prevent Hot Linking

Posted by Graeme Kidd <co...@hotmail.com>.

Thanks André,
urlrewrite seems a sufficient solution for now as I only want to block people if they try and access the file from outside my domain. If my understanding is correct, blocking by IP, although harder to fake, would prevent them no matter what.
 
There is an example given in the urlrewrite guide on Blocked Inline-Images which I plan to adapt to my needs:
http://urlrewritefilter.googlecode.com/svn/trunk/src/doc/manual/3.2/guide.html
 
Thanks


Re: Prevent Hot Linking

Posted by Hassan Schroeder <ha...@gmail.com>.
On Sun, Apr 19, 2009 at 7:37 AM, André Warnier <aw...@ice-sa.com> wrote:

> But basing the acceptance or rejection on an HTTP request header sent by the
> browser is not absolutely secure, in the sense that this can easily be faked
> using any HTTP client agent such as wget, curl, lwp-request etc.

True. But it seems relatively trivial to write a filter that would add the
originating IP of each request for the base resource, e.g. 'foo.html',
to an in-memory list.

Then requests for the targeted resource, e.g. 'bar.jpg', can be easily
checked against that list and rejected if the request IP isn't present.

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com

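
Hassan's "remember who fetched the base page" idea written out as a Filter, an added example that is not code from the thread or from Tomcat. The init-param names basePath and protectedPath, the ten-minute expiry and the use of one filter for both URLs are assumptions; the comments mark the limit of the approach, which is that every client sharing an address with a legitimate visitor (NAT, forward proxy) is admitted along with them.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Serves the protected resource only to client addresses that fetched the base page recently. */
public class SeenAddressFilter implements Filter {
    // Hypothetical init-params (set in WEB-INF/web.xml): basePath (e.g. /mypage/mypage.html)
    // and protectedPath (e.g. /mypage/file.xml). Entries expire after TTL_MILLIS.
    static final long TTL_MILLIS = 10 * 60 * 1000L;
    private String basePath, protectedPath;
    private final Map<String, Long> seen = new ConcurrentHashMap<String, Long>(); // addr -> last hit (ms)

    public void init(FilterConfig cfg) {
        basePath = cfg.getInitParameter("basePath");
        protectedPath = cfg.getInitParameter("protectedPath");
    }

    /** Records a base-page hit and drops stale entries so the map cannot grow without bound. */
    public void recordBaseHit(String addr, long now) {
        seen.put(addr, now);
        for (Map.Entry<String, Long> e : seen.entrySet()) {
            if (now - e.getValue() > TTL_MILLIS) seen.remove(e.getKey());
        }
    }

    public boolean isAllowed(String addr, long now) {
        Long last = seen.get(addr);
        return last != null && now - last <= TTL_MILLIS;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Behind a reverse proxy this is the proxy's address (Tomcat's RemoteIpValve can restore the
        // client's); clients sharing a NAT address are indistinguishable, the approach's main weakness.
        String addr = request.getRemoteAddr();
        long now = System.currentTimeMillis();
        String path = request.getServletPath(); // path inside the web app, e.g. /mypage/file.xml
        if (basePath.equals(path)) {
            recordBaseHit(addr, now);
        } else if (protectedPath.equals(path) && !isAllowed(addr, now)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    public void destroy() {}
}
```
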


Re: Prevent Hot Linking

Posted by André Warnier <aw...@ice-sa.com>.
David Smith wrote:
> I think you got it right the first time.  The OP wants to make sure the 
> referrer header is present and starts with http://www.mydomain.com as 
> opposed to http://www.anotherdomain.com.  It'll help prevent other sites 
> from linking directly to resources on the OP's site.
> 
Basically yes.
But basing the acceptance or rejection on an HTTP request header sent by 
the browser is not absolutely secure, in the sense that this can easily 
be faked using any HTTP client agent such as wget, curl, lwp-request etc.
So you are right in saying "help prevent", but it would not be correct 
to say "prevent".

On the other hand, filtering requests based on the client's IP address 
is relatively secure, since it is much harder (and normally 
counter-productive) to fake that.

So, like always, it depends...



Re: Prevent Hot Linking

Posted by David Smith <dn...@cornell.edu>.
I think you got it right the first time.  The OP wants to make sure  
the referrer header is present and starts with http://www.mydomain.com  
as opposed to http://www.anotherdomain.com.  It'll help prevent other  
sites from linking directly to resources on the OP's site.

-- David



Re: Prevent Hot Linking

Posted by André Warnier <aw...@ice-sa.com>.
Upon re-reading your original post, it occurs to me that I may have 
misunderstood your request.
If you want to just block /all/ accesses to your server, except if they 
come from one or more specific ranges of IP addresses, then you could 
use a Remote Address Filter, as explained here:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

If I am still misunderstanding, then you need to specify more precisely 
what you mean by "not within my domain".

For example, you should be aware that
- IP addresses and DNS "domains" tend to overlap, but do not necessarily 
overlap
- filtering accesses by originating IP address is relatively efficient, 
but filtering by domain name much less so, because each access then 
requires a reverse DNS lookup, which may not even work in some cases




Re: Prevent Hot Linking

Posted by André Warnier <aw...@ice-sa.com>.
Graeme Kidd wrote:
> Hi,
>  
> Is there a way to configure tomcat to prevent someone from downloading a file I host when they are not within my domain?
>  
You may want to have a look here:
http://tuckey.org/urlrewrite/
It's a bit like the Swiss Army knife for this kind of thing.
You would normally do this on the basis of the "Referer:" HTTP header, 
which normally contains the URL of the page from which the current 
request is coming.
