Maurice,

> The answer is the latter: authentication required.
> In fact, there are three levels of privacy on these images and documents:
> public: (everyone can view)
> passworded: (password required for viewing: say, your
> family only. This pw specific to these views)
> private: (only you, the owner, have access - so only your
> login permits you to see these views)
>
> Presumably, most views are public, but this has to be the owner's
> decision, no ?

If you want to check to see if a remote request for an image is valid, you will have to run all your images through a servlet in order to determine authorization. Since each image could have different authorization settings, you can't just use the servlet container's built-in authorization (set up in web.xml). You will have to enforce this yourself.

Just configure your webapp to serve "/images/*" through a servlet that you write. This servlet will check the permissions on the URI (I'm assuming that you have this information in a database or other data store), and then possibly consult the user and/or their relationships to determine if the request should be served, or if you should return an "access denied" image instead.

Would that solve your problem? If so, I think your original question was poorly worded. I think we all thought you were asking how to prevent downloading of images in general (which is pretty much impossible... images served by web servers are designed to be, well, downloaded).

-chris
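
An added example, not part of the original message or of any project's code: the per-image authorization servlet described above, covering the three privacy levels from the quoted text. The class name, the session attribute names, the in-memory policy map standing in for the database, and the /WEB-INF/images layout are all assumptions; it uses the javax.servlet API (jakarta.servlet on newer containers) and Java 16+.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, mapped to /images/* in web.xml.
public class ImageGateServlet extends HttpServlet {
    enum Level { PUBLIC, PASSWORDED, PRIVATE }
    record Policy(Level level, String owner) {}
    // Constructed sample data standing in for the database lookup.
    private static final Map<String, Policy> POLICIES = Map.of(
        "/alice/beach.jpg",  new Policy(Level.PUBLIC, "alice"),
        "/alice/family.jpg", new Policy(Level.PASSWORDED, "alice"),
        "/alice/diary.jpg",  new Policy(Level.PRIVATE, "alice"));

    // Decision logic kept free of servlet types; unknown images are denied.
    static boolean allowed(Policy p, String user, boolean unlocked) {
        if (p == null) return false;
        boolean isOwner = p.owner().equals(user);
        switch (p.level()) {
            case PUBLIC:     return true;
            case PASSWORDED: return isOwner || unlocked; // assumption: owner needs no view password
            default:         return isOwner;             // PRIVATE
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String path = req.getPathInfo(); // e.g. "/alice/family.jpg"
        Policy p = (path == null) ? null : POLICIES.get(path);
        HttpSession s = req.getSession(false);
        // "user" and "unlocked:<path>" are assumed to be set by the login and view-password forms.
        String user = (s == null) ? null : (String) s.getAttribute("user");
        boolean unlocked = s != null && Boolean.TRUE.equals(s.getAttribute("unlocked:" + path));
        boolean ok = allowed(p, user, unlocked);
        // Files live under WEB-INF so the container never serves them directly.
        String file = "/WEB-INF/images" + (ok ? path : "/denied.png");
        if (!ok) resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        if (!ok || p.level() != Level.PUBLIC) resp.setHeader("Cache-Control", "private, no-store");
        try (InputStream in = getServletContext().getResourceAsStream(file)) {
            if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
            resp.setContentType(getServletContext().getMimeType(file));
            in.transferTo(resp.getOutputStream());
        }
    }
}
```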