Pid,
On 9/23/2011 5:59 AM, Pid wrote:
> Your code could request.forward() to another Servlet which
> actually returned the image, or could read the image from where it
> was stored & serve it directly into the outputstream.

Direct-serving would be better since protecting one URL and then forwarding to another (unprotected) URL is merely security through obscurity.

This really seems like a good place to use a Filter: just map the Filter to the appropriate URI space, parse the portion of the URI that must match the username, then check it against the Principal in the request. Return 403 if there isn't a match.

Of course, we'll find out that there is some other insane requirement, later, that makes this impractical.

-chris
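The Filter described above, written out as an added example rather than code from the thread. It assumes a hypothetical URL layout of /images/{username}/{file}, the javax.servlet API of that era, and that the filter is mapped to /images/* inside the container's security-constraint so that getUserPrincipal() is already populated:

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed (hypothetical) layout: /images/{username}/{file}. Map the filter to
// /images/* inside a security-constraint so getUserPrincipal() is populated.
public class OwnerOnlyImageFilter implements Filter {
    private static final String PREFIX = "/images/";
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();
        // Container-decoded, normalized path (works whether the image servlet
        // is mapped to /images/* or is the default servlet).
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String owner = extractOwner(path);
        // Fail closed: unauthenticated, malformed, or not the owner -> 403.
        if (principal == null || owner == null || !owner.equals(principal.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** First path segment after PREFIX, or null if absent or a dot segment. */
    static String extractOwner(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        String rest = path.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        String owner = slash < 0 ? rest : rest.substring(0, slash);
        // Empty and dot segments can never equal a real principal name.
        if (owner.isEmpty() || owner.equals(".") || owner.equals("..")) return null;
        return owner;
    }
}
```

The exact string comparison is deliberate: a case-insensitive or prefix match would let "alice2" or "ALICE" reach "alice"'s images if the realm treats names differently from the URL.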