There is a very cool JSP/Servlet Filter developed for the Open For Business project which allows you to control what pages can be directly accessed via the address bar or other links. In other words, if someone tries to directly access a non-authorized URL, instead of being sent there by response.sendRedirect("restricted_url.html"), the browser is redirected to a default URL.

This is so users can't randomly access pages that need to be completed in sequence, load a bookmarked order checkout page that could be missing state information required to generate the page correctly, etc. A great solution to a common problem!

Since this is a stand-alone Filter, you might be able to extend it or use it as a starting point for a new filter that meets your requirements.

Here is the filter config as defined in web.xml.

  <filter>
    <filter-name>ContextSecurityFilter</filter-name>
    <display-name>ContextSecurityFilter</display-name>
    <filter-class>org.ofbiz.core.control.ContextSecurityFilter</filter-class>
    <init-param>
      <param-name>allowedPaths</param-name>
      <param-value>/control:/index.html:/index.jsp:/default.html:/default.jsp:/images:/includes/maincss.css:/includes/datepicker.js</param-value>
    </init-param>
    <init-param>
      <param-name>errorCode</param-name>
      <param-value>403</param-value>
    </init-param>
    <init-param>
      <param-name>redirectPath</param-name>
      <param-value>/control/main</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ContextSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>



~Scott
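For readers who want to see what a filter driven by that web.xml fragment looks like, here is an added example (it is not the OFBiz ContextSecurityFilter and not Scott's code, just an illustration of the same idea written for this thread). The class name PathAllowlistFilter is made up; it reads the same three init-params as the config above, treats each allowedPaths entry as an exact match or a whole-segment prefix, and for anything else either redirects to redirectPath or, when no redirectPath is configured, sends errorCode.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Path allowlist filter (hypothetical example, not the OFBiz implementation).
 * Init-params, matching the web.xml fragment in the thread:
 *   allowedPaths  colon-separated list of context-relative paths
 *   errorCode     HTTP status to send when denying (default 403)
 *   redirectPath  if set, denied requests are redirected here instead
 */
public class PathAllowlistFilter implements Filter {

    private final List<String> allowedPaths = new ArrayList<String>();
    private int errorCode = HttpServletResponse.SC_FORBIDDEN;
    private String redirectPath; // null means: answer with errorCode

    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("allowedPaths");
        if (raw != null) {
            for (String p : raw.split(":")) {
                p = p.trim();
                if (p.length() > 0) allowedPaths.add(p);
            }
        }
        String code = config.getInitParameter("errorCode");
        if (code != null) errorCode = Integer.parseInt(code.trim());

        redirectPath = config.getInitParameter("redirectPath");
        if (redirectPath != null) {
            redirectPath = redirectPath.trim();
            // The redirect target must itself be allowed, or a denied request
            // would bounce to a URL that is denied again: an infinite loop.
            if (!isAllowed(redirectPath)) {
                throw new ServletException("redirectPath " + redirectPath + " is not in allowedPaths");
            }
        }
    }

    /** "/control" admits "/control" and "/control/main" but not "/controlx". */
    boolean isAllowed(String path) {
        for (String p : allowedPaths) {
            String prefix = p.endsWith("/") ? p : p + "/";
            if (path.equals(p) || path.startsWith(prefix)) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Use the container-decoded, context-relative path. getRequestURI()
        // would return the raw URI, still percent-encoded, and an attacker
        // could slip "%2e%2e" or an encoded slash past a naive prefix check.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) path += req.getPathInfo();

        if (isAllowed(path)) {
            chain.doFilter(request, response);
            return;
        }
        if (redirectPath != null) {
            resp.sendRedirect(req.getContextPath() + redirectPath);
        } else {
            resp.sendError(errorCode);
        }
    }

    public void destroy() { }
}
```

Two things worth knowing before dropping this into a webapp: a request for the context root arrives with path "/" and is denied unless "/" is listed, so add it if you rely on welcome files; and because the mapping is /*, the filter also sees forwards only if your container is configured to apply filters to them (by default Tomcat applies filters to REQUEST dispatches only), which is usually what you want here.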



On Monday, June 9, 2003, at 01:29 PM, Dean Fantham wrote:


There is no guaranteed way to stop someone directly accessing a gif image
via a browser URL, because this is how an image is accessed by the
browser itself anyway.  The browser just makes an HTTP GET request to
the web server (in this case Tomcat) requesting the URL of the image to
be included in the web page.

i.e. in a standard JSP/servlet response to a web request the image
request is embedded in an <img src=".../somedir/some-img.gif">.  This is
going to cause a browser request directly to the directory containing
the image, which can also be duplicated in the browser.

The only potential method that can catch most (but not all) of these
would be to create a separate image handling JSP/servlet, say
imageHandler. When the imageHandler servlet receives an image request it
can check the HTTP Referer header and ensure that the referrer is the
URL of the page into which the images are supposed to load, i.e. if the
page containing the images is /servlet/somepage then the Referer
that imageHandler sees can be checked to be
/servlet/somepage. Someone can circumvent this control, however, by
just manually setting this header themselves (via a program or the
like) and then accessing the images directly.


You would then have to update all image references on the somepage
servlet/JSP, however, to something like <img
src="/servlet/imagehandler?gif=somereference">.
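Here is an added example of the image-handler servlet Dean describes (written for this thread; it is not his code and not part of any project). Assumptions are marked in the comments: the images are stored under /WEB-INF/images/ so the default servlet cannot serve them by URL at all, the servlet is mapped to /servlet/imagehandler, and the only page allowed to embed them lives under /servlet/somepage. Two checks a practitioner will want that the description leaves implicit are included: the gif parameter is restricted to a bare file name so it cannot be used to read arbitrary files, and the Referer is parsed as a URL and compared on scheme, host and path rather than by substring. As Dean notes, the Referer is client-controlled, so this raises the bar for casual copying of the URL and no more; if the images must actually be protected, tie the check to the user's session instead.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Referer-checking image handler (hypothetical example for the thread).
 * Serves GET /servlet/imagehandler?gif=<name> by streaming the file from
 * below WEB-INF, but only when the Referer points at an allowed page on
 * this host.
 */
public class ImageHandlerServlet extends HttpServlet {

    // Assumed layout: images below WEB-INF are unreachable by direct URL.
    private static final String IMAGE_ROOT = "/WEB-INF/images/";
    // Assumed: only pages under this context-relative path may embed them.
    private static final String ALLOWED_PAGE_PREFIX = "/servlet/somepage";

    /** Accept only a bare file name like "logo.gif": no slashes, no dot segments. */
    static boolean isSafeImageName(String name) {
        return name != null && name.matches("[A-Za-z0-9_-]+\\.(gif|png|jpe?g)");
    }

    /**
     * Referer must be an http(s) URL on the same host as this request whose
     * path (context path included) starts with the allowed page prefix.
     * The header is trivially forged by any non-browser client.
     */
    static boolean refererIsAllowed(String referer, String expectedHost, String contextPath) {
        if (referer == null) return false;
        try {
            URI u = new URI(referer);
            if (u.getScheme() == null || !u.getScheme().matches("https?")) return false;
            if (u.getHost() == null || !u.getHost().equalsIgnoreCase(expectedHost)) return false;
            String path = u.getPath();
            return path != null && path.startsWith(contextPath + ALLOWED_PAGE_PREFIX);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("gif");
        if (!isSafeImageName(name)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!refererIsAllowed(req.getHeader("Referer"), req.getServerName(), req.getContextPath())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Resolve relative to the webapp, never the file system, so the
        // allowlisted name above is the only path component we ever open.
        InputStream in = getServletContext().getResourceAsStream(IMAGE_ROOT + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            String type = getServletContext().getMimeType(name);
            resp.setContentType(type != null ? type : "application/octet-stream");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Note that browsers omit the Referer in several legitimate cases (a page loaded over HTTPS linking to HTTP, privacy settings, some proxies), so a strict check like this will also break images for some real users; log the 403s for a while before relying on it.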



On Mon, 2003-06-09 at 18:32, Syed Nayyer Kamran wrote:

hi there,

I want to restrict the user from accessing the images directly through the web. They should be able to access these images through web pages developed as JSP/servlets but should not be able to access the images displayed on a page by copying the image URL into the address bar. Does Tomcat directly support this functionality, or is there any other solution?

Thanks in advance for any solution of the problem.


Nayyer Kamran



