Be careful, or charliesheen.jpg will be looking for you! -Max
----- Original Message -----
From: "Nail, Evan Burke" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, January 16, 2004 5:19 AM
Subject: [FRIDAY] RE: JSP Protection

Perhaps I have a different browser, but mine keeps asking for /images/deniserichards.jpg

hmmm

-----Original Message-----
From: Max Cooper [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 15, 2004 7:20 PM
To: Struts Users Mailing List
Subject: Re: JSP Protection

The images are requested directly by the browser, so they must be accessible from the outside. Here's a little browser-server dialog to illustrate how it works:

Browser: please give me /DoSomething.do
Server: Here you go... (server invokes Struts action servlet, action servlet invokes the requested action, action says it wants to forward to a JSP, action servlet does the forward...)
<html><img src="/images/bitchin_camaro.jpg"></html>

Browser: please give me /images/bitchin_camaro.jpg
Server: Here you go... 24927image247data7902578259image293data85984396574389...

The request for the action returns HTML. The browser reads the HTML and sees that it references an image. The browser then makes a separate request for the image file so that it can render the page. The image file must be "request-able" by the browser or it won't show up when someone wants to view the page.

-Max

----- Original Message -----
From: "lixin chu" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 5:07 PM
Subject: RE: JSP Protection

> I can successfully move all the files into
> /WEB-INF/subfolder (WEB-INF is protected by default)
> except the images/ folder. It seems that I have to
> leave it outside - in the webapp root.
> I am using Tomcat 5.0.16. Is it a defect or is it like
> this?
>
> --- "Karr, David" <[EMAIL PROTECTED]> wrote:
> > Put all JSP pages that can't be accessed directly
> > into a security constraint, only accessible by the
> > role "nobody", which you will never add a user to.
> > All accesses of JSPs will be through forwards from
> > actions, which will not be blocked by that security
> > constraint (unless you either have a broken web
> > container or a Servlet 2.4 container where you've
> > enabled auth on forward).
> >
> > -----Original Message-----
> > From: Jürgen Scheffler
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 15, 2004 8:15 AM
> > To: [EMAIL PROTECTED]
> > Subject: JSP Protection
> >
> > Hi,
> >
> > how do I block URL guessing?
> > If someone requests abc.com/secret_page.jsp
> > he gets it. In my Action I check if the user object
> > has the right rights for this action and then I
> > forward him. But if he guesses the JSP, he opens it.
> >
> > Help me!
> >
> > Jürgen
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
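The two approaches discussed in this thread, moving the JSPs under /WEB-INF (lixin chu) and fencing any JSP left in the document root behind a role that nobody is ever granted (David Karr), shown together as deployment descriptors. This is an added example, not code posted by anyone in the thread; the action path /secret, the class com.example.SecretAction, the page /WEB-INF/jsp/secret_page.jsp and the role name nobody are assumptions for illustration.

```xml
<!-- web.xml (added example, not from the thread). Servlet 2.3 DTD, which
     Tomcat 5.0.x accepts. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Fallback for any JSP that still sits outside /WEB-INF: require a role
       that is never assigned to a user. The container enforces
       security-constraint elements only on requests arriving from the client,
       so a RequestDispatcher forward from an Action still reaches the page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs reachable only by forward</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>  <!-- assumed role name; never mapped -->
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>nobody</role-name>
  </security-role>
</web-app>

<!-- struts-config.xml (added example). The forward target lives under
     /WEB-INF, which the container never serves to a direct request, so it
     needs no constraint at all. Images stay in the document root (for
     example /images/logo.gif) because, as Max's dialog shows, the browser
     fetches them with separate requests of its own. -->
<struts-config>
  <action-mappings>
    <action path="/secret" type="com.example.SecretAction">  <!-- assumed class -->
      <forward name="success" path="/WEB-INF/jsp/secret_page.jsp"/>
    </action>
  </action-mappings>
</struts-config>
```

After deployment, check both paths from outside: a direct GET of /secret_page.jsp (or any other *.jsp in the root) must be refused by the container, while GET /secret.do must return the rendered page, since the Action's authorization check runs first and the forward is not subject to the constraint. Of the two techniques, /WEB-INF is the one to prefer: it does not depend on a url-pattern matching every way the file could be named, whereas the role-"nobody" constraint only covers what the pattern covers.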