Posted to users@tomcat.apache.org by Angelo Chen <an...@yahoo.com.hk> on 2010/03/09 00:22:59 UTC

Secured photo rendering

Hi,

As I notice, the photo rendering usually uses file system/Apache to speed up
displaying, a url point at a photo URL, the photo is still available even
when the page is finished. Is there a way to show the photo only thru the
page? somehow secure the photo? Thanks,

Angelo
-- 
View this message in context: http://old.nabble.com/Secured-photo-rendering-tp27829228p27829228.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Secured photo rendering

Posted by Joseph Morgan <jo...@ignitesales.com>.
Joseph Morgan wrote:
> I think the OP is asking how to prevent an image from being cached by
> a client.... and, I cannot imagine there is a way if the image is to
> display in a client at all, the image is now there, and the client can
> do anything it wants...
> 

>>But it should not, if the server sends the image with the appropriate 
>>"no caching" and/or "expires" HTTP headers.

Assuming a well behaved client...




Re: Secured photo rendering

Posted by André Warnier <aw...@ice-sa.com>.
David kerber wrote:
> Caldarale, Charles R wrote:
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>> Subject: Re: Secured photo rendering
>>>
>>> But it should not, if the server sends the image with the appropriate
>>> "no caching" and/or "expires" HTTP headers.
>>
>> The headers don't matter, since the client has the image in hand.  
>> Browsers, for example, allow a right-click to save the image, 
>> regardless of the caching state.
> 
> I've seen javascript used to prevent right-clicking to save the image, 
> but nothing can prevent them from taking a screen shot.
> 
> 
>>
>>> Now how one would set such headers easily in Tomcat for static
>>> documents, that I don't know.
>>
>> Filters - but it won't help.
>>
Ok guys, I may have misunderstood the issue.
I agree that nothing will help, to stop a client doing anything it wants 
with anything that your server has already sent to it.
That's a basic truth for anything www-wise (which hasn't stopped people 
spending fortunes to try and prove the opposite).
But I (mis?-)understood the issue as being that the OP wanted to force 
browsers to reload some images from the server each time, and not use a 
(possibly stale) cached copy.
In that case, the HTTP headers should help.
Of course, only with well-behaved browsers.
But hey, even IE is getting better with time.





Re: Secured photo rendering

Posted by André Warnier <aw...@ice-sa.com>.
Peter Crowther wrote:
> On 10 March 2010 15:30, János Löbb <ja...@yale.edu> wrote:
> 
>> When I use the DVD Player from Apple, I cannot take a screenshot even if I
>> click myself to the Finder first.  So there is something already in practice
>> that prevents from taking a screenshot :-)
>>
> Yes - for an application that runs as a process on a particular operating
> system, and generates the images within that application.  Even then, I
> suspect there are ways of scraping the pixels from the video card's frame
> buffer.

Like using a camera to make a picture ?





Re: Secured photo rendering

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
...
> 
> Just for the sake of mental mast... er, fun! you could write a
> javascript event handler that watched for un-focus events for the page
> (which would likely happen if you were using an external utility to take
> a screenshot)

Actually it doesn't.  On my PC, I use IrfanView as a kind of Swiss army 
knife for many picture-like things.  It has several options for taking a 
screenshot, and the one I usually use is "hit F11 to make a screenshot 
of the Window which currently has the focus".  It then reduces itself to 
an icon on the menu bar, and you select the Window of which you want the 
screenshot (which gives it focus), and hit F11 (which takes the screenshot).



Re: Secured photo rendering

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Hassan,

On 3/10/2010 10:50 AM, Hassan Schroeder wrote:
> On Wed, Mar 10, 2010 at 7:46 AM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
>> Just for the sake of mental mast... er, fun! you could write a
>> javascript event handler that ...
> 
> ..would work until the user switched off JavaScript?  or kicked off `wget`
> with the image URL?  :-)

Well, I did suggest checking the REFERER (easily forged) and I said
this, too:

> All technological tricks are bound to take you a lot of time and not
> cover all possibilities, so just forget it.

-chris


RE: Secured photo rendering

Posted by Joseph Morgan <jo...@ignitesales.com>.
On Wed, Mar 10, 2010 at 7:46 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

>> Just for the sake of mental mast... er, fun! you could write a
>> javascript event handler that ...

>..would work until the user switched off JavaScript?  or kicked off `wget`
>with the image URL?  :-)

... or someone is using screen recording software such as Camtasia or
other similar software.






Re: Secured photo rendering

Posted by Hassan Schroeder <ha...@gmail.com>.
On Wed, Mar 10, 2010 at 7:46 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

> Just for the sake of mental mast... er, fun! you could write a
> javascript event handler that ...

..would work until the user switched off JavaScript?  or kicked off `wget`
with the image URL?  :-)

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan



Re: Secured photo rendering

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

On 3/10/2010 10:37 AM, Peter Crowther wrote:
> On 10 March 2010 15:30, János Löbb <ja...@yale.edu> wrote:
> 
>> When I use the DVD Player from Apple, I cannot take a screenshot even if I
>> click myself to the Finder first.  So there is something already in practice
>> that prevents from taking a screenshot :-)
>>
> Yes - for an application that runs as a process on a particular operating
> system, and generates the images within that application.  Even then, I
> suspect there are ways of scraping the pixels from the video card's frame
> buffer.

I think the OP is trying to prevent casual "stealing" of the images, or
just borrowing them for another site.

Just for the sake of mental mast... er, fun! you could write a
javascript event handler that watched for un-focus events for the page
(which would likely happen if you were using an external utility to take
a screenshot) and/or key events for all environments you can think of,
and put a big, fat, black rectangle over the images.

> However, showing an image from a web server in a web browser does not give
> you operating system protection.

Yup, and my technique above only works with pages that /you/ control, so
if someone links to your images from elsewhere, your images are again
stealable.

My advice to the OP (which hasn't bothered to comment since the original
question, which is kinda irritating) is:

1. Watermark your images
2. Claim copyright on your images
3. Advertise your acceptable use policy for your images
4. Sue anyone who misuses them

All technological tricks are bound to take you a lot of time and not
cover all possibilities, so just forget it.

-chris


Re: Secured photo rendering

Posted by Peter Crowther <pe...@melandra.com>.
On 10 March 2010 15:30, János Löbb <ja...@yale.edu> wrote:

> When I use the DVD Player from Apple, I cannot take a screenshot even if I
> click myself to the Finder first.  So there is something already in practice
> that prevents from taking a screenshot :-)
>

Yes - for an application that runs as a process on a particular operating
system, and generates the images within that application.  Even then, I
suspect there are ways of scraping the pixels from the video card's frame
buffer.

However, showing an image from a web server in a web browser does not give
you operating system protection.

- Peter

Re: Secured photo rendering

Posted by János Löbb <ja...@yale.edu>.
On Mar 9, 2010, at 9:35 AM, David kerber wrote:

> Caldarale, Charles R wrote:
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>> Subject: Re: Secured photo rendering
>>>
>>> But it should not, if the server sends the image with the  
>>> appropriate
>>> "no caching" and/or "expires" HTTP headers.
>> The headers don't matter, since the client has the image in hand.   
>> Browsers, for example, allow a right-click to save the image,  
>> regardless of the caching state.
>
> I've seen javascript used to prevent right-clicking to save the  
> image, but nothing can prevent them from taking a screen shot.
>
>

When I use the DVD Player from Apple, I cannot take a screenshot even  
if I click myself to the Finder first.  So there is something already  
in practice that prevents from taking a screenshot :-)


>>> Now how one would set such headers easily in Tomcat for static
>>> documents, that I don't know.
>> Filters - but it won't help.
>> - Chuck
>
>


RE: Secured photo rendering

Posted by Joseph Morgan <jo...@ignitesales.com>.
Everyone is right... but... I think the OP has to better describe the need at hand.

-----Original Message-----
From: David kerber [mailto:dckerber@verizon.net] 
Sent: Tuesday, March 09, 2010 8:35 AM
To: Tomcat Users List
Subject: Re: Secured photo rendering

Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Secured photo rendering
>>
>> But it should not, if the server sends the image with the appropriate
>> "no caching" and/or "expires" HTTP headers.
> 
> The headers don't matter, since the client has the image in hand.  Browsers, for example, allow a right-click to save the image, regardless of the caching state.

I've seen javascript used to prevent right-clicking to save the image, 
but nothing can prevent them from taking a screen shot.


> 
>> Now how one would set such headers easily in Tomcat for static
>> documents, that I don't know.
> 
> Filters - but it won't help.
> 
>  - Chuck




Re: Secured photo rendering

Posted by David kerber <dc...@verizon.net>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Secured photo rendering
>>
>> But it should not, if the server sends the image with the appropriate
>> "no caching" and/or "expires" HTTP headers.
> 
> The headers don't matter, since the client has the image in hand.  Browsers, for example, allow a right-click to save the image, regardless of the caching state.

I've seen javascript used to prevent right-clicking to save the image, 
but nothing can prevent them from taking a screen shot.


> 
>> Now how one would set such headers easily in Tomcat for static
>> documents, that I don't know.
> 
> Filters - but it won't help.
> 
>  - Chuck




RE: Secured photo rendering

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Secured photo rendering
> 
> But it should not, if the server sends the image with the appropriate
> "no caching" and/or "expires" HTTP headers.

The headers don't matter, since the client has the image in hand.  Browsers, for example, allow a right-click to save the image, regardless of the caching state.

> Now how one would set such headers easily in Tomcat for static
> documents, that I don't know.

Filters - but it won't help.

 - Chuck




Re: Secured photo rendering

Posted by André Warnier <aw...@ice-sa.com>.
Joseph Morgan wrote:
> I think the OP is asking how to prevent an image from being cached by a client.... and, I cannot imagine there is a way if the image is to display in a client at all, the image is now there, and the client can do anything it wants...
> 

But it should not, if the server sends the image with the appropriate 
"no caching" and/or "expires" HTTP headers.

Now how one would set such headers easily in Tomcat for static 
documents, that I don't know.
But I am sure someone on this list does know.
If that is indeed the issue..



RE: Secured photo rendering

Posted by Joseph Morgan <jo...@ignitesales.com>.
I think the OP is asking how to prevent an image from being cached by a client.... and, I cannot imagine there is a way if the image is to display in a client at all, the image is now there, and the client can do anything it wants...

Angelo... am I correct? You want to prevent the image from being cached, right?

-----Original Message-----
From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Monday, March 08, 2010 9:11 PM
To: Tomcat Users List
Subject: RE: Secured photo rendering


the easiest implementation would be
develop a security fence for your front end (https with secure connector)
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

once the request is 'inside' the servlet (or listener or filter) you can reference 'local' folders which contain the necessary jpgs
in this scenario all the jpgs in the folder would be behind a firewall

there are more primitive means of securing (such as implementing .htaccess)
although you'll want to weigh the performance degradation if you decide to go this route 
http://httpd.apache.org/docs/1.3/howto/htaccess.html 

hth
Martin Gainty 




> Date: Mon, 8 Mar 2010 15:22:59 -0800
> From: angelochen960@yahoo.com.hk
> To: users@tomcat.apache.org
> Subject: Secured photo rendering
> 
> 
> Hi,
> 
> As I notice, the photo rendering usually uses file system/Apache to speed up
> displaying, a url point at a photo URL, the photo is still available even
> when the page is finished. Is there a way to show the photo only thru the
> page? somehow secure the photo? Thanks,
> 
> Angelo


RE: Secured photo rendering

Posted by Martin Gainty <mg...@hotmail.com>.
the easiest implementation would be
develop a security fence for your front end (https with secure connector)
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

once the request is 'inside' the servlet (or listener or filter) you can reference 'local' folders which contain the necessary jpgs
in this scenario all the jpgs in the folder would be behind a firewall

there are more primitive means of securing (such as implementing .htaccess)
although you'll want to weigh the performance degradation if you decide to go this route 
http://httpd.apache.org/docs/1.3/howto/htaccess.html 

hth
Martin Gainty 




> Date: Mon, 8 Mar 2010 15:22:59 -0800
> From: angelochen960@yahoo.com.hk
> To: users@tomcat.apache.org
> Subject: Secured photo rendering
> 
> 
> Hi,
> 
> As I notice, the photo rendering usually uses file system/Apache to speed up
> displaying, a url point at a photo URL, the photo is still available even
> when the page is finished. Is there a way to show the photo only thru the
> page? somehow secure the photo? Thanks,
> 
> Angelo

Re: [OT] Secured photo rendering

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Angelo,

On 3/8/2010 6:22 PM, Angelo Chen wrote:
> As I notice, the photo rendering usually uses file system/Apache to speed up
> displaying

Where did you notice this? I can't imagine that Apache [httpd] improves
the performance of rendering an image.

> a url point at a photo URL, the photo is still available even
> when the page is finished. Is there a way to show the photo only thru the
> page? somehow secure the photo? Thanks,

Are you talking about only allowing images to be displayed within a page
from your own site? The only cheap solution is to check the "Referer"
header from the request to see if the page loading the image is "on your
site" whatever that means to you.

You could also check to make sure that the user is logged-in (if you
require logins) in order to request a page. This won't stop images from
being loaded by other sites in the case where the user really is
logged-in, but it should stop people from accessing images at random.

-chris

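The server-side measures raised in this thread (the login and "Referer" checks suggested in the message above, and the "no caching"/"expires" headers set through a Filter) can be combined in one servlet filter. This is an added example, not code from any poster or from Tomcat: the class name `PhotoAccessFilter`, the `allowedHost` init-param and the `authenticatedUser` session attribute are assumptions, and it uses the `javax.servlet` API of the Tomcat 6 era.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class). Map it in web.xml to the image URL
 * pattern, e.g. /photos/*, with an init-param "allowedHost" naming your site.
 */
public class PhotoAccessFilter implements Filter {

    // Assumption: the application's login code stores the user under this name.
    private static final String USER_ATTR = "authenticatedUser";

    private String allowedHost;

    public void init(FilterConfig config) throws ServletException {
        allowedHost = config.getInitParameter("allowedHost");
        if (allowedHost == null || allowedHost.trim().isEmpty()) {
            throw new ServletException("init-param 'allowedHost' is required");
        }
        allowedHost = allowedHost.trim();
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Access control: only a logged-in session may fetch images.
        //    getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Hotlink deterrent: the Referer header is client-supplied and easily
        //    forged, and some clients omit it, so treat this as a courtesy check.
        if (!refererIsOwnSite(request.getHeader("Referer"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 3. Ask caches not to keep a copy. Headers must be set before the
        //    response is committed, so set them before calling the chain.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");      // HTTP/1.0 clients
        response.setDateHeader("Expires", 0L);         // already expired

        chain.doFilter(request, response);
    }

    // True only when the Referer parses as a URI whose host is the configured site.
    boolean refererIsOwnSite(String referer) {
        if (referer == null) {
            return false;
        }
        try {
            String host = new URI(referer).getHost();
            return host != null && host.equalsIgnoreCase(allowedHost);
        } catch (URISyntaxException e) {
            return false;   // malformed header: reject
        }
    }
}
```

Only the session check is real access control; the Referer test and the cache headers depend on a well-behaved client, and none of them stops a logged-in user from keeping an image once it has been delivered.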