Okay, so I do write the image out. Whew. Very helpful. Thanks. I'm writing the files above my app's directory, so as long as Tomcat doesn't let people use ".." in their URLs, I don't see a problem here.

If the Action itself checks for user validity, and the files aren't accessible any other way, would that be enough? Problem is, I'm keenly aware that it's what I am NOT anticipating that will bite me in the arse.

Thanks again,

-J

> -----Original Message-----
> From: João Vieira da Luz [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, September 12, 2004 7:09 PM
> To: Struts Users Mailing List
> Subject: Re: Protecting files question
>
> Hi,
>
> The BLOB and file system approaches are very similar in what concerns security.
>
> In the first one you have to write an action that writes the file into
> the output stream. Suppose that you have an action called /showFile.
>
> The HTML should look like this:
> <img src="/showFile.do?id=<file id>"></img>
>
> About security:
>
> IMO you have two choices. The first one is to create an HttpFilter that
> filters the requests for your files and decides if the remote user has
> the privileges to read the file requested.
>
> The second is to implement the preprocess method on the Struts
> RequestProcessor.
>
> Hope this helps you,
> João
>
> On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz <[EMAIL PROTECTED]> wrote:
> > This has probably been asked before. Apologies if so, I didn't see
> > anything close enough.
> >
> > This exact scenario is a bit different and more complicated than this,
> > but if this problem can be solved, I can work out the rest.
> >
> > Say I want people to upload images using html:file, and have implemented
> > that successfully.
> >
> > Now people get to view images (login role and other things determine what
> > images they get to see).
> >
> > But how to protect those files from unauthorized viewing?
> >
> > I could store the images in BLOBs in the database. That would achieve
> > security... But if I do that, how do they get to the user using the img
> > tag? Utter guess: this is how the action attribute on the tag works, and
> > I'd write the file to the output stream in an action??? I can't imagine
> > that this would be the right answer (the HTML source would then look
> > like... I have absolutely no idea).
> >
> > Alternatively, say I don't want to store them as BLOBs, and just use the
> > file system. How do I keep people from potentially pointing their
> > browsers at the right URL and viewing files they aren't entitled to see?
> >
> > How does one build security onto this type of app?
> >
> > TIA
> >
> > -Joe
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
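The action-based approach João describes, written out as an added example (this is not code from the thread or from Struts itself). The class name ShowFileAction, the storage root /var/app-data/uploads, the StoredFile metadata class, the in-memory REPOSITORY map standing in for a database lookup, and the "reviewer" role are all assumptions for illustration. The point it makes beyond the thread: the browser only ever sends an opaque numeric id, so whether Tomcat rejects ".." in URLs is irrelevant, because no part of the URL is ever turned into a path. The one path component that is used, the on-disk name, comes from the application's own records, and even that is canonicalised and checked against the storage root before the file is opened.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Serves /showFile.do?id=N. Hypothetical class written for this example. */
public class ShowFileAction extends Action {

    /** Assumed storage root, outside the webapp so Tomcat never serves it directly. */
    private static final File STORE_ROOT = new File("/var/app-data/uploads");

    /** Metadata the upload action would have recorded; stands in for a DB row. */
    static final class StoredFile {
        final String owner;        // user who uploaded it
        final String storedName;   // name the app assigned on disk, never user-chosen
        final String contentType;  // MIME type recorded at upload time
        StoredFile(String owner, String storedName, String contentType) {
            this.owner = owner; this.storedName = storedName; this.contentType = contentType;
        }
        /** Entitlement rule (assumed policy): the owner, or anyone in the "reviewer" role. */
        boolean isReadableBy(String user, HttpServletRequest req) {
            return owner.equals(user) || req.isUserInRole("reviewer");
        }
    }

    /** Stand-in for the DAO (id -> metadata); a real app would query the database. */
    private static final Map<Long, StoredFile> REPOSITORY = new HashMap<Long, StoredFile>();
    static {
        REPOSITORY.put(17L, new StoredFile("joe", "0000017.jpg", "image/jpeg")); // constructed sample row
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // 1. Authentication comes from the container/session, never from a parameter.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }

        // 2. The id is an opaque number; it is never used to build a path.
        long id;
        try {
            id = Long.parseLong(request.getParameter("id")); // null or junk -> NumberFormatException
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }

        // 3. Authorization: the action decides, per file, whether this user may see it.
        StoredFile meta = REPOSITORY.get(id);
        if (meta == null || !meta.isReadableBy(user, request)) {
            // Same status for "no such file" and "not yours", so ids cannot be probed.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        // 4. Defence in depth: the on-disk name came from our own table, but confirm the
        //    canonical path (".." and symlinks resolved) is still under STORE_ROOT.
        File f = new File(STORE_ROOT, meta.storedName).getCanonicalFile();
        String rootPrefix = STORE_ROOT.getCanonicalPath() + File.separator;
        if (!f.getPath().startsWith(rootPrefix) || !f.isFile()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        // 5. Stream the bytes with the recorded type. Returning null tells Struts the
        //    response has already been written, so no forward takes place.
        response.setContentType(meta.contentType);
        response.setContentLength((int) f.length());
        response.setHeader("Cache-Control", "private, no-store");
        InputStream in = new FileInputStream(f);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
        return null;
    }
}
```

Wire it up with an ordinary action mapping for path "/showFile" in struts-config.xml and point the img tag at /showFile.do?id=17 as in João's reply. The entitlement check lives in the action because that is where the file's metadata is already at hand; the filter or RequestProcessor.preprocess variants João mentions can enforce the same rule, but they must then do their own id-to-owner lookup, and a filter only helps if it is mapped to every URL that can reach the files. The Cache-Control header matters too: without it a shared browser or proxy may hand the image to the next user with no request ever reaching the action.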