-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Carl,
On 3/9/15 12:04 PM, Carl Dreher wrote: > I need to restrict access to a website's images, to people that > have logged on, have authorization etc. I've searched though the > Tomcat user's mailing list archives and didn't find a discussion > that addressed this, so I thought I'd asked for some architectural > guidance. > > My initial thought is to have the src parameter in an html <img > src="url" /> point to a servlet instead of a static image in the > web app. The servlet would check the session and verify that the > requester is logged-in and then return the appropriate image. > Seems straight forward. Is there a better way? I read some > threads about Tomcat filters but that seems like overkill. Writing a new servlet to do this is quite a bit of overkill: the DefaultServlet will do this better than you can. See Chuck's message for a hint on how to protect resources within your web application. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJU/eLOAAoJEBzwKT+lPKRYd7YP/iw8oo8QJSPzv47LuW6j25v2 95thD+XAc+FtZTthOWgcbBtPneKkCLxNaw+SMWKuDAKP9Aj2zLH8Bf3dTJIHnbEf D+saSH2U9kGuojEhIVAXLWz/REj84t7FJEzdyrZM0MQcDjxcwGeD5Ypm9zHIXFKD C9HBzf+QVRbaT8YgH1T7WFbDfrRF53cM6u8+oQ9cZlrI7wuYhXxdfpo00tMxaKvm I6uYfba0qJWtVl9IGPxmZUlsiT+R2xfQr9GPQrvhSV4QAGilEgd07aAOqkGLVrfm fMCGOyed7LHcuKIXM6nmUMuEU2PHqNHguAyBz8uLho7Q33sk5hrTXplKo6wpbC3A oUgbV3PrdRWgNs43poL5TsPvEJl2LNjxm1PoTt7MSCnW26mQORdBfgAnpLlIFOd0 JTXgew/ZnOq6mrnRCveCQe1egA/4rVJww2yRetr5/GUwBNpO+Kt8rDvhZZaojPSz i9e2B5iNJMBVUjduAJ8I6vUb755wW3xyrZxfhzmYPgTYVjgnui6ucT5UtVPSTVoJ M6wraValAp3iCvSWJYJ5tRlcBGq/zXyplD6gM9l+I/4cw4Z+zH4XH1yoBJbkmfSm +V5AIqlzgqwjWbZ87h/FZQnolOLtZhX+MmsH+oUmDEC5vldf1EXKoIixTpXhAgHd b/KF9saD8Ks4vv4rYUab =ihF7 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
