The images are requested directly by the browser, so they must be accessible from the outside. Here's a little browser-server dialog to illustrate how it works:

Browser: please give me /DoSomething.do
Server: Here you go... (server invokes Struts action servlet, action servlet invokes the requested action, action says it wants to forward to a JSP, action servlet does the forward...)
<html><img src="/images/bitchin_camaro.jpg"></html>
Browser: please give me /images/bitchin_camaro.jpg
Server: Here you go...
24927image247data7902578259image293data85984396574389...

The request for the action returns HTML. The browser reads the HTML and sees that it references an image. The browser then makes a separate request for the image file so that it can render the page. The image file must be "request-able" by the browser or it won't show up when someone wants to view the page.

-Max

----- Original Message -----
From: "lixin chu" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 5:07 PM
Subject: RE: JSP Protection

> I can successfully move all the files into
> /WEB-INF/subfolder (WEB-INF is protected by default)
> except the images/ folder. It seems that I have to
> leave it outside - in the webapp root.
> I am using Tomcat 5.0.16. Is it a defect or is it like
> this?
>
> --- "Karr, David" <[EMAIL PROTECTED]> wrote:
> > Put all JSP pages that can't be accessed directly
> > into a security constraint, only accessible by the
> > role "nobody", which you will never add a user to.
> > All accesses of JSPs will be through forwards from
> > actions, which will not be blocked by that security
> > constraint (unless you either have a broken web
> > container or a Servlet 2.4 container where you've
> > enabled auth on forward).
> >
> > -----Original Message-----
> > From: Jürgen Scheffler
> > [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, January 15, 2004 8:15 AM
> > To: [EMAIL PROTECTED]
> > Subject: JSP Protection
> >
> > Hi,
> >
> > How do I block URL guessing?
> > If someone requests abc.com/secret_page.jsp,
> > he gets it.
> > In my Action I check if the user object
> > has the right rights for this action and then I
> > forward him. But if he guesses the JSP, he opens it.
> >
> > Help me!
> >
> > Jürgen
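
The security constraint David Karr describes in the quoted reply, written out as a web.xml fragment. This is an added example, not part of the original thread; the `*.jsp` URL pattern and the resource name are assumptions, and the role name "nobody" is the one from the reply.

```xml
<!-- Added example (not from the thread): block direct browser requests for JSPs.
     Goes inside <web-app> in WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <!-- Descriptive label only; the name is an assumption. -->
    <web-resource-name>Direct JSP access</web-resource-name>
    <!-- Assumed pattern: every JSP in the webapp. No <http-method> elements
         are listed, so the constraint applies to all HTTP methods. -->
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- A role that no user is ever assigned, so no direct request is authorized. -->
    <role-name>nobody</role-name>
  </auth-constraint>
</security-constraint>

<!-- Declare the role so the descriptor is complete. -->
<security-role>
  <role-name>nobody</role-name>
</security-role>
```

The pattern does not match anything under /images/, so image files remain requestable by the browser, while JSPs are reached only through forwards from actions, subject to the container caveats in the reply.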