Re: Protecting files question
A better choice, at least in my mini brainiverse ;-) would be a servlet. You then map an url pattern and have a 100% transparent solution. One major benefit is the possibility to exchange the, for eg., file system based servlet with a DB based one without needing to change even one line of code in your application. Just modify your web.xml servlet entry and add the necessary .jar or .class files ... Only my 2 cents, Chris Joe Hertz wrote: Okay, so I do write the image out. Whew. Very helpful. tx. I'm writing the files above my app's directory, so as long as tomcat doesn't let people use ".." in their URL's, I don't see a problem here. If the Action itself checks for user validity, and the files aren't accessible any other way, would that be enough? Problem is, I'm keenly aware that it's what I am NOT anticipating that will bite me in the arse. tx again -J -Original Message- From: João Vieira da Luz [mailto:[EMAIL PROTECTED] Sent: Sunday, September 12, 2004 7:09 PM To: Struts Users Mailing List Subject: Re: Protecting files question Hi, The Blob or file system are very similar in what concerns security. In the first one you have to do an action that writes the file into the output stream. Suppose that your files have and action is called /showFile. Html should look like this; About security: IMO you have two choices. The first one is to create a HttpFilter that filters the requests for your files and decide if the remote user has the privileges to read the file requested. The second is to implement the preprocess method on Struts RequestProcessor. Hope this help you, João On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz <[EMAIL PROTECTED]> wrote: This has probably been asked before. Apologies if so, I didn't see anything close enough. This exact scenario is a bit different and more complicated than this, but if this problem can be solved, I can work out the rest. Say I want people to upload images using html:file, and have implemented that successfully. Now people get to view images (login role and other things determines what images they get to see). But how to protect those files from unauthorized viewing? I could store the images in BLOB's in the database. That would achieve security...But If I do that, how do they get to the user using the img tag? Utter guess: This how the action attribute on the tag works, and I'd write the file to the output stream in an action??? I can't imagine that this would be the right answer (html source would then look like...I have absolutely no idea) Alternatively, say I don't want to store them as BLOB's, and just use the file system. How do I keep people from potentially pointing their browsers at the right URL and viewing files they aren't entitled to see? How does one build security onto this type of app? TIA -Joe - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Protecting files question
Okay, so I do write the image out. Whew. Very helpful. tx. I'm writing the files above my app's directory, so as long as tomcat doesn't let people use ".." in their URL's, I don't see a problem here. If the Action itself checks for user validity, and the files aren't accessible any other way, would that be enough? Problem is, I'm keenly aware that it's what I am NOT anticipating that will bite me in the arse. tx again -J > -Original Message- > From: João Vieira da Luz [mailto:[EMAIL PROTECTED] > Sent: Sunday, September 12, 2004 7:09 PM > To: Struts Users Mailing List > Subject: Re: Protecting files question > > > Hi, > > The Blob or file system are very similar in what concerns security. > > In the first one you have to do an action that writes the file into > the output stream. Suppose that your files have and action is called > /showFile. > > Html should look like this; > > > About security: > > IMO you have two choices. The first one is to create a HttpFilter that > filters the requests for your files and decide if the remote user has > the privileges to read the file requested. > > The second is to implement the preprocess method on Struts > RequestProcessor. > > Hope this help you, >João > > > > > > On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz > <[EMAIL PROTECTED]> wrote: > > This has probably been asked before. Apologies if so, I > didn't see anything > > close enough. > > > > This exact scenario is a bit different and more complicated > than this, but > > if this problem can be solved, I can work out the rest. > > > > Say I want people to upload images using html:file, and > have implemented > > that successfully. > > > > Now people get to view images (login role and other things > determines what > > images they get to see). > > > > But how to protect those files from unauthorized viewing? > > > > I could store the images in BLOB's in the database. That > would achieve > > security...But If I do that, how do they get to the user > using the img tag? > > Utter guess: This how the action attribute on the tag > works, and I'd write > > the file to the output stream in an action??? I can't > imagine that this > > would be the right answer (html source would then look like...I have > > absolutely no idea) > > > > Alternatively, say I don't want to store them as BLOB's, > and just use the > > file system. How do I keep people from potentially pointing > their browsers > > at the right URL and viewing files they aren't entitled to see? > > > > How does one build security onto this type of app? > > > > TIA > > > > -Joe > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Protecting files question
Hi, The Blob or file system are very similar in what concerns security. In the first one you have to do an action that writes the file into the output stream. Suppose that your files have and action is called /showFile. Html should look like this; About security: IMO you have two choices. The first one is to create a HttpFilter that filters the requests for your files and decide if the remote user has the privileges to read the file requested. The second is to implement the preprocess method on Struts RequestProcessor. Hope this help you, João On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz <[EMAIL PROTECTED]> wrote: > This has probably been asked before. Apologies if so, I didn't see anything > close enough. > > This exact scenario is a bit different and more complicated than this, but > if this problem can be solved, I can work out the rest. > > Say I want people to upload images using html:file, and have implemented > that successfully. > > Now people get to view images (login role and other things determines what > images they get to see). > > But how to protect those files from unauthorized viewing? > > I could store the images in BLOB's in the database. That would achieve > security...But If I do that, how do they get to the user using the img tag? > Utter guess: This how the action attribute on the tag works, and I'd write > the file to the output stream in an action??? I can't imagine that this > would be the right answer (html source would then look like...I have > absolutely no idea) > > Alternatively, say I don't want to store them as BLOB's, and just use the > file system. How do I keep people from potentially pointing their browsers > at the right URL and viewing files they aren't entitled to see? > > How does one build security onto this type of app? > > TIA > > -Joe > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Protecting files question
Okay, the action attribute was actually the obvious choice (matching the same attribute on the link tag). So how does one do this? > -Original Message- > From: Joe Hertz [mailto:[EMAIL PROTECTED] > Sent: Sunday, September 12, 2004 6:56 PM > To: 'Struts Users Mailing List' > Subject: Protecting files question > > > This has probably been asked before. Apologies if so, I > didn't see anything > close enough. > > This exact scenario is a bit different and more complicated > than this, but > if this problem can be solved, I can work out the rest. > > Say I want people to upload images using html:file, and have > implemented > that successfully. > > Now people get to view images (login role and other things > determines what > images they get to see). > > But how to protect those files from unauthorized viewing? > > I could store the images in BLOB's in the database. That would achieve > security...But If I do that, how do they get to the user > using the img tag? > Utter guess: This how the action attribute on the tag works, > and I'd write > the file to the output stream in an action??? I can't imagine > that this > would be the right answer (html source would then look like...I have > absolutely no idea) > > Alternatively, say I don't want to store them as BLOB's, and > just use the > file system. How do I keep people from potentially pointing > their browsers > at the right URL and viewing files they aren't entitled to see? > > How does one build security onto this type of app? > > TIA > > -Joe > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Protecting files question
This has probably been asked before. Apologies if so, I didn't see anything close enough. This exact scenario is a bit different and more complicated than this, but if this problem can be solved, I can work out the rest. Say I want people to upload images using html:file, and have implemented that successfully. Now people get to view images (login role and other things determines what images they get to see). But how to protect those files from unauthorized viewing? I could store the images in BLOB's in the database. That would achieve security...But If I do that, how do they get to the user using the img tag? Utter guess: This how the action attribute on the tag works, and I'd write the file to the output stream in an action??? I can't imagine that this would be the right answer (html source would then look like...I have absolutely no idea) Alternatively, say I don't want to store them as BLOB's, and just use the file system. How do I keep people from potentially pointing their browsers at the right URL and viewing files they aren't entitled to see? How does one build security onto this type of app? TIA -Joe - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]