Posted to users@tomcat.apache.org by "Shapira, Yoav" <Yo...@mpi.com> on 2004/06/17 16:53:10 UTC

RE: Safety of images under the WEB-INF?

Hi,
No, they can't be viewed directly: the servlet container is prohibited
from serving content under WEB-INF directories by the Servlet
Specification.  This is strictly implemented by all servlet containers I
know of, and is easy to test in your installation by trying to access
the image under WEB-INF.

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: James Sherwood [mailto:jsherwood@romulin.com]
>Sent: Thursday, June 17, 2004 11:02 AM
>To: Tomcat Users List; h.henkel@gs-automation.de
>Subject: Safety of images under the WEB-INF?
>
>Hello,
>    I am doing a project where I don't want people to be able to link
>directly to certain images/files unless they are logged in through my
>security framework.
>
>    The question is, if I put an images directory under the WEB-INF and
>serve the images up through a service, how safe are these images? Can they
>be retrieved without going through my service (where I can check whether
>they have access or not), and if so, how?
>
>Thank you,
>James
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org




This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged.  This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender.  Thank you.




Re: Safety of images under the WEB-INF?

Posted by Elijah Epifanov <sm...@sulamita.ru>.
However, if you run Tomcat behind Apache, you should ensure that
none of your WEB-INF folders will be served by Apache.






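As an added example that is not part of this thread, here is the pattern James describes and Yoav endorses, written against the javax.servlet API (Tomcat 9 and earlier; Tomcat 10 and later use the jakarta.servlet package instead): the images live under /WEB-INF/images/, which the container never serves directly, and a servlet streams them only after checking that the caller has a logged-in session. The directory name, the "user" session attribute, the servlet class name and the file-name rule are assumptions for illustration, not anything from the posts.

```java
// Added example, not code from the thread. Serves files stored under
// /WEB-INF/images/ (assumed location) only to callers whose session carries
// an assumed "user" attribute set by the application's own login code.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ProtectedImageServlet extends HttpServlet {

    // Resource path inside the web application; the container refuses to
    // serve anything under /WEB-INF/ directly, but code may read it.
    private static final String IMAGE_DIR = "/WEB-INF/images/";

    // Accept only a plain file name with an image extension. Rejecting
    // slashes, dots in the stem and ".." keeps the lookup inside IMAGE_DIR
    // even though the path is built from client input.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]+\\.(png|jpg|jpeg|gif)");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Access check: no session, or a session without the login marker,
        //    gets a 403 and never reaches the file lookup.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Validate the requested name before using it in a resource path.
        String name = req.getParameter("name");
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Read the file through the ServletContext rather than the file
        //    system, so it works for both exploded and packed (WAR) deployments.
        try (InputStream in = getServletContext().getResourceAsStream(IMAGE_DIR + name)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String type = getServletContext().getMimeType(name);
            resp.setContentType(type != null ? type : "application/octet-stream");
            // Protected content should not land in shared caches.
            resp.setHeader("Cache-Control", "private, no-store");

            try (OutputStream out = resp.getOutputStream()) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            }
        }
    }
}
```

Map the servlet in web.xml to a URL such as /image and request /image?name=logo.png. The check Yoav suggests is still the right acceptance test: a direct GET for /yourapp/WEB-INF/images/logo.png against Tomcat must come back 404, because the Servlet Specification forbids serving anything under WEB-INF. Elijah's caveat is the part that test alone does not cover: when Apache httpd sits in front of Tomcat, repeat the same request against httpd's port, since a DocumentRoot or Alias that points into the webapp directory would let httpd hand the file out without ever consulting Tomcat or the servlet's session check.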