Posted to users@tomcat.apache.org by Carl Dreher <fo...@arn.net> on 2015/03/09 17:04:07 UTC

restricting access to images

I need to restrict access to a website's images, to people that have 
logged on, have authorization etc.  I've searched through the Tomcat 
user's mailing list archives and didn't find a discussion that addressed 
this, so I thought I'd ask for some architectural guidance.

My initial thought is to have the src parameter in an html <img 
src="url" /> point to a servlet instead of a static image in the web 
app.  The servlet would check the session and verify that the requester 
is logged-in and then return the appropriate image.  Seems 
straightforward.  Is there a better way?  I read some threads about Tomcat 
filters but that seems like overkill.

A related question is more fundamental:  If I write a servlet such as 
the above, is there ever only one instance of it running?  In other 
words, if I have 10 users hitting the site at once, does Tomcat create 
an instance of the servlet for each user so they all operate in 
parallel, or does it queue up the requests and send them to a single instance?

By the way, if anyone here is administering this mailing list, I'd like 
to offer a suggestion:  In multiple places, the FAQs about using this 
list have comments such as "...be sure to check the archives before 
asking a question..." but don't have any links (or instructions) on HOW 
to do that!  I had to resort to Google to find the archive, and then it 
took more time to find the *searchable* archive, which is entirely 
different.  A simple link to 
"http://www.mail-archive.com/users@tomcat.apache.org/maillist.html" on 
those FAQ pages, as well as to the bottom of this list, would be very, 
very helpful.

- Carl Dreher

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: restricting access to images

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Carl Dreher [mailto:focusrsh@arn.net] 
> Subject: restricting access to images

> I need to restrict access to a website's images, to people that have 
> logged on, have authorization etc.  I've searched through the Tomcat 
> user's mailing list archives and didn't find a discussion that addressed 
> this, so I thought I'd ask for some architectural guidance.

A prerequisite for doing anything with Tomcat is to read the servlet spec for the version you're using (which you didn't tell us).  You will find a section in there on security, documenting the means to control access to resources.

> If I write a servlet such as the above, is there ever only one instance 
> of it running?

Don't confuse objects with threads.  There is one instance of a particular servlet, but many threads may be executing in it concurrently, with each thread processing a separate request.

> I'd like to offer a suggestion:  In multiple places, the FAQs about using 
> this list have comments such as "...be sure to check the archives before 
> asking a question..." but don't have any links (or instructions) on HOW 
> to do that!

There's no point in repeating something in a myriad of places that you must have already read in order to sign up for the mailing list.  As clearly stated on the mailing lists page (http://tomcat.apache.org/lists.html):

"Formatted archives are available in several places including the Apache Mail Archives, MARC, Nabble, and MarkMail. The raw mbox files are also available."

 - Chuck






Re: restricting access to images

Posted by Neven Cvetkovic <ne...@gmail.com>.
Carl,

Chris and Chuck have already provided great insights. Below are few
thoughts to consider.

On 3/9/15 12:04 PM, Carl Dreher wrote:
> > I need to restrict access to a website's images, to people that
> > have logged on, have authorization etc.  I've searched through the
> > Tomcat user's mailing list archives and didn't find a discussion
> > that addressed this, so I thought I'd ask for some architectural
> > guidance.
> >
>

Are these images static, i.e. built into the application, or are they
dynamic (provided by the admins/users of your application)?


> > My initial thought is to have the src parameter in an html <img
> > src="url" /> point to a servlet instead of a static image in the
> > web app.  The servlet would check the session and verify that the
> > requester is logged-in and then return the appropriate image.
> > Seems straightforward.  Is there a better way?  I read some
> > threads about Tomcat filters but that seems like overkill.
>
> Writing a new servlet to do this is quite a bit of overkill: the
> DefaultServlet will do this better than you can. See Chuck's message
> for a hint on how to protect resources within your web application.
>
> - -chris
>

As Chris pointed out, writing your own Servlet to serve static images is
probably overkill if your images are packaged with the application.

However, if your images are dynamic, e.g. provided by the users (admins) of
your application and stored in the database, then it might be a good idea
to write a custom ImageServlet that serves images from the database.

We don't know enough about your use case to suggest one or the other.

Chuck has pointed you to the Servlet API to read up on security. Definitely,
you need to understand how your application handles security. So, what's
best for your particular application - it really depends on how you are
implementing web security in your app. Did you implement your own security
layer? Are you using a third-party product for web security?

The easiest way to achieve this image filtering would be to write a servlet
filter that you can apply to incoming image URLs, check if the user's data
is in the HTTP session, and then proceed with the original request or send some
other data back (for non-authenticated requests).

Here's an illustration:

import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import javax.imageio.ImageIO;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@WebFilter("/images/*")
public class SecurityImageFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // getSession(false): do not create a session for anonymous requests
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session != null && session.getAttribute("USER") != null) {
            // logged in: let the container serve the real image
            chain.doFilter(request, response);
            return;
        }
        // not logged in: send a placeholder image instead of the requested one
        response.setContentType("image/png");
        try (OutputStream out = response.getOutputStream()) {
            String path = request.getServletContext().getRealPath(File.separator);
            File file = new File(path + "images/not_available.png");
            BufferedImage bufferedImage = ImageIO.read(file);
            ImageIO.write(bufferedImage, "png", out);
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }

    public void destroy() { }
}

And then in your HTML you just refer with <img src="...." />, e.g.

<html>
<h1>MyApp::home</h1>
<img src="images/tomcat.png" />
</html>

So, the filter would intercept every call to "images/*" and replace the
response based on whether USER data was found in the session or not ...

Great thing about filters is that you can easily customize how they are
applied and to what URLs. Many applications handle security using a
security filter that inspects the session data, and redirects to login if
the user is not logged in.

Hope that helps!

Cheers!
Neven

Re: restricting access to images

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Carl,

On 3/9/15 12:04 PM, Carl Dreher wrote:
> I need to restrict access to a website's images, to people that
> have logged on, have authorization etc.  I've searched through the
> Tomcat user's mailing list archives and didn't find a discussion
> that addressed this, so I thought I'd ask for some architectural
> guidance.
> 
> My initial thought is to have the src parameter in an html <img 
> src="url" /> point to a servlet instead of a static image in the
> web app.  The servlet would check the session and verify that the
> requester is logged-in and then return the appropriate image.
> Seems straightforward.  Is there a better way?  I read some
> threads about Tomcat filters but that seems like overkill.

Writing a new servlet to do this is quite a bit of overkill: the
DefaultServlet will do this better than you can. See Chuck's message
for a hint on how to protect resources within your web application.

- -chris
