Posted to jetspeed-user@portals.apache.org by Anthony Smith <an...@fedex.com> on 2001/10/03 16:56:37 UTC

Security Question

I am not really sure if this is a Jetspeed question or not but I really need
an answer to this or I am screwed. I have some files (jpgs, html, jsp) that
I want to put permissions on. I know how I could do it for a jsp page, but
what about an image file? I don't want the user to be able to type in the
path and then be able to access it like that. And if there is no work
around for it, at least have the ability to check permissions in a session or
somewhere before they allow them to go to the actual file. I cannot use a db
to ref the files for this one.

Please Help


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-user-help@jakarta.apache.org


Re: Security Question

Posted by Santiago Gala <sg...@hisitech.com>.
Anthony Smith wrote:

>I am not really sure if this is a Jetspeed question or not but I really need
>an answer to this or I am screwed. I have some files (jpgs, html, jsp) that
>I want to put permissions on. I know how I could do it for a jsp page, but
>what about an image file? I don't want the user to be able to type in the
>path and then be able to access it like that. And if there is no work
>around for it, at least have the ability to check permissions in a session or
>somewhere before they allow them to go to the actual file. I cannot use a db
>to ref the files for this one.
>
Security of non-Jetspeed objects (static content) can only be dealt with 
using Web container security, i.e. HTTP authentication. See the 
Apache/Tomcat (or whatever servlet engine you are using) documentation 
for how to protect HTTP resources with authentication.


You could try tricks like allowing only requests that include a certain 
Referer: header, but these are trivial to break and will not work.

>
>Please Help