Carl,

Chris and Chuck have already provided great insights. Below are a few
thoughts to consider.

On 3/9/15 12:04 PM, Carl Dreher wrote:
> > I need to restrict access to a website's images, to people that
> > have logged on, have authorization etc.  I've searched through the
> > Tomcat user's mailing list archives and didn't find a discussion
> > that addressed this, so I thought I'd ask for some architectural
> > guidance.
> >
>

Are these images static, i.e. built into the application, or are they
dynamic (provided by the admins/users of your application)?


> > My initial thought is to have the src parameter in an html <img
> > src="url" /> point to a servlet instead of a static image in the
> > web app.  The servlet would check the session and verify that the
> > requester is logged in and then return the appropriate image.
> > Seems straightforward.  Is there a better way?  I read some
> > threads about Tomcat filters but that seems like overkill.
>
> Writing a new servlet to do this is quite a bit of overkill: the
> DefaultServlet will do this better than you can. See Chuck's message
> for a hint on how to protect resources within your web application.
>
> - -chris
>

As Chris pointed out, writing your own Servlet to serve static images is
probably overkill if your images are packaged with the application.

However, if your images are dynamic, e.g. provided by the users (admins) of
your application and stored in the database, then it might be a good idea
to write a custom ImageServlet that serves images from the database.

We don't know enough about your use case to suggest one or the other.

Chuck has pointed you to the Servlet API to read up on security. Definitely,
you need to understand how your application handles security. So, what's
best for your particular application really depends on how you are
implementing web security in your app. Did you implement your own security
layer? Are you using a third-party product for web security?

The easiest way to achieve this image filtering would be to write a servlet
filter that you can apply to incoming image URLs, check if the user's data
is in the HTTP session, and then proceed with the original request or send
some other data back (for non-authenticated requests).

Here's an illustration:

import java.awt.image.BufferedImage;
import java.io.*;
import javax.imageio.ImageIO;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Intercepts every request under /images/ and lets it through only when
// the session holds a USER attribute; otherwise a placeholder image is sent.
@WebFilter("/images/*")
public class SecurityImageFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session != null && session.getAttribute("USER") != null) {
            chain.doFilter(request, response); // logged in: let the DefaultServlet serve it
            return;
        }
        // Not logged in: send the placeholder instead of the requested image.
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setContentType("image/png");
        resp.setHeader("Cache-Control", "no-store"); // keep the placeholder out of caches
        try (OutputStream out = resp.getOutputStream()) {
            // getRealPath takes a context-relative path, so use "/" rather than File.separator
            String path = request.getServletContext().getRealPath("/");
            File file = new File(path, "images/not_available.png");
            BufferedImage bufferedImage = ImageIO.read(file);
            ImageIO.write(bufferedImage, "png", out);
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
    }

    public void destroy() {}
}

And then in your HTML you just refer to it with <img src="...." />, e.g.

<html>
<h1>MyApp::home</h1>
<img src="images/tomcat.png" />
</html>

So, the filter would intercept every call to "images/*" and replace the
response based on whether USER data was found in the session or not ...

The great thing about filters is that you can easily customize how they are
applied and to what URLs. Many applications handle security using a
security filter that inspects the session data, and redirects to login if
the user is not logged in.

Hope that helps!

Cheers!
Neven
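
[Editor's added example, not part of Neven's message or of Tomcat: the custom ImageServlet he suggests for the dynamic case, where images are uploaded by users/admins and stored in the database. It assumes a JNDI DataSource named jdbc/appDS, a table images(id, content_type, data), an "id" request parameter, and the same USER session attribute the filter above checks; all of these names are assumptions. It binds the id with a PreparedStatement instead of building SQL by hand, only serves rows whose stored type is image/*, and marks the response private and non-cacheable so a per-user image is not handed to the next user by a shared cache.]

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Serves user-uploaded images stored in a database table.
// Assumed schema (not from the original thread):
//   CREATE TABLE images (id BIGINT PRIMARY KEY, content_type VARCHAR(64), data BLOB)
// Assumed JNDI DataSource "jdbc/appDS" (declared in the webapp's context.xml).
@WebServlet("/images/dynamic")
public class ImageServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Resource(name = "jdbc/appDS")
    private DataSource dataSource;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Same check the filter makes: an existing session carrying a USER attribute.
        // Repeating it here keeps the servlet safe even if it is later mapped outside /images/*.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("USER") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Validate the id before it goes anywhere near the database
        // (parseLong also rejects a missing parameter, which arrives as null).
        long id;
        try {
            id = Long.parseLong(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Parameterised query: the id is bound, never concatenated into the SQL text.
        String sql = "SELECT content_type, data FROM images WHERE id = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                // Only ever serve image types from this URL, whatever was stored;
                // a stored text/html type would otherwise be rendered by the browser.
                String contentType = rs.getString("content_type");
                if (contentType == null || !contentType.startsWith("image/")) {
                    resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                resp.setContentType(contentType);
                resp.setHeader("X-Content-Type-Options", "nosniff");
                // Per-user content: keep shared caches and proxies from storing it.
                resp.setHeader("Cache-Control", "private, no-store");
                try (InputStream in = rs.getBinaryStream("data");
                     OutputStream out = resp.getOutputStream()) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        out.write(buf, 0, n);
                    }
                }
            }
        } catch (SQLException e) {
            throw new ServletException("Failed to load image " + id, e);
        }
    }
}
```

Because the servlet lives under /images/, the SecurityImageFilter above still runs first and anonymous requests get the placeholder; the servlet's own check is the second line of defence, and a request such as images/dynamic?id=42 from a logged-in user returns the stored bytes with the stored image type.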
