Posted to users@tomcat.apache.org by Thierry RAIBAUT <th...@libertysurf.fr> on 2001/11/05 14:48:48 UTC

javascript access protection

Hello,

Could somebody explain to me how it is possible to protect some resources from direct access?

I think about a javascript directory.
This directory has to be accessed by some JSP pages, but I do not want the user to access this directory
directly with the browser by setting the javascript file url.

I moved my javascript directory under web-inf but by doing this, js files are no longer available even for jsp pages.

thanks a lot for your help.

Thierry

 

Re: javascript access protection

Posted by Pier Fumagalli <pi...@betaversion.org>.
Thierry RAIBAUT at thierry.raibaut@libertysurf.fr wrote:

> Hello,
> 
> Could somebody explain to me how it is possible to protect some resources from
> direct access?
> 
> I think about a javascript directory.
> This directory has to be accessed by some JSP pages, but I do not want the
> user to access this directory
> directly with the browser by setting the javascript file url.
> 
> I moved my javascript directory under web-inf but by doing this, js files are
> no longer available even for jsp pages.
> 
> thanks a lot for your help.

It's pointless to keep re-writing the same question over and over (blocked 3
in moderation, one got thru, apparently) if you don't read the answers
(DOH!)... I replied last week:

------ Forwarded Message
From: Pier Fumagalli <pi...@betaversion.org>
Reply-To: "Tomcat Users List" <to...@jakarta.apache.org>
Date: Sat, 03 Nov 2001 17:30:44 +0000
To: Tomcat Users List <to...@jakarta.apache.org>
Subject: Re: javascript access protection.

Javascripts are interpreted BY THE CLIENT, not by the server, so no matter
what, the client NEEDS to see that .js file, and needs to be able to download
it.

    Pier

------ End of Forwarded Message

Dean tooo...

------ Forwarded Message
From: "Deacon Marcus" <de...@wwtech.pl>
Reply-To: "Tomcat Users List" <to...@jakarta.apache.org>
Date: Sat, 3 Nov 2001 21:07:56 +0100
To: "Tomcat Users List" <to...@jakarta.apache.org>
Subject: RE: javascript access protection.

Hi,

There's no "real" protection since the files in question would end up in
browser's cache, no matter disk or memory, anyway.
Try setting a filter on the directory containing the .js files and checking
for "referer" http header. It's not a real solution, you could still telnet
:80 and write GET /dir/file.js2 HTTP/1.1 [enter] Referer:
http://server/file.jsp [enter] [enter] and get the file, but it's the best
you can do. Filters are 2.3 of course.

Greetings, deacon Marcus

------ End of Forwarded Message

And Ralph today.

------ Forwarded Message
From: "Ralph Einfeldt" <ra...@uptime-isc.de>
Reply-To: "Tomcat Users List" <to...@jakarta.apache.org>
Date: Mon, 5 Nov 2001 15:15:55 +0100
To: "Tomcat Users List" <to...@jakarta.apache.org>
Subject: AW: javascript access protection


You have the following choices:
- Suppress the access to the javascript files if the referrer
  is empty. (Implement a filter in tc 4.0)
  Disadvantage: You won't win much, because anybody who is
  interested in the file can get it with ie ('save page as')
- security by obscurity
  scramble the javascript, so that it's hard
  to read. (At least requires some work for
  the spy)
  Disadvantage: You won't win much either, but have
  additional work.

------ End of Forwarded Message
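
The Referer check suggested in the forwarded replies, written out as a Servlet 2.3 filter. This is an added example, not code from the thread or from Tomcat; the class name RefererCheckFilter and the /js/* mapping are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; map it to the script directory in web.xml
// with a <filter-mapping> whose <url-pattern> is e.g. /js/* (assumed path).
public class RefererCheckFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Referer is supplied by the client, so this only stops casual
        // direct requests; a hand-written request can set it freely.
        if (sameHost(request.getHeader("Referer"), request.getServerName())) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // True only when the header is present, parses as a URI, and names this server.
    static boolean sameHost(String referer, String serverName) {
        if (referer == null || referer.trim().length() == 0) {
            return false; // empty Referer: typed URL, bookmark, or stripped header
        }
        try {
            String host = new URI(referer.trim()).getHost();
            return host != null && host.equalsIgnoreCase(serverName);
        } catch (URISyntaxException e) {
            return false; // malformed header is treated as absent
        }
    }
}
```

Any script the filter lets through is still delivered to the browser and cached there, so this limits casual direct requests and nothing more, as the replies above say.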


