Hiding URL from source

In my JSP page, I have the following

<a href='http://63.125.154.169:8080/private/Stream?uid=c0a8cc1173957eac2-7f22&quality=IM'><img src='../images/listen.gif' /></a>

When the user clicks on the link, the relevant file is opened. But the problem is that user can see the actual path in source as well as status bar. Since this is paid content we want to avoid it. Please let me know how this can be done.

If it's paid content, merely hiding the URL would be insufficient.

You should put the content in a directory that can't be seen directly from the
web. Then, write a servlet that streams the content to the browser after checking for a valid login. We have an example app in our CodeBarn that streams images from under the WEB-INF directory (which is not directly accessible from the web). Look for SimpleStream
All you'd need to do is add the security check.

Alternatively, you could write a filter that checks for a valid login before allowing access to anything, static or dynamic. This way you won't have to care if people know the URL because, without a valid login, they won't be able to get to the content anyway.

On my own site, I have an application with a filter that does this.
http://simple.souther.us/not-so-simple.html
Look for SessionMonitor.
The point of the app is to show how to track users but it has a filter that forwards the user to the login screen if they try to hit anything in the app without being logged in (including images, or static HTML pages.)

Along the lines of above, is there a way to render the image but hide the location even if the image file is not under the WEB-INF directory?

Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.

Originally posted by James Clark:
Trying to hide URLs and images sounds suspicious to me.

As mentioned, the application should be designed with the proper security to prevent unauthorized access. Aside, hiding URLs does not qualify as "proper" security.

Why not?
Example: Requirement is to render the image for user reference; but not allow direct access to the image through a URL(like signature for a credit card transaction)

[ July 08, 2008: Message edited by: Kishore Dandu ]
[ July 08, 2008: Message edited by: Kishore Dandu ]

You can do things like requiring authorization, as already suggested. You can check things like the referer (the page which sent the request) or the user agent (the name of the browser which sent the request) as well, but both of those things can be forged by a program. The bottom line is, you can't tell whether a request came from a browser or from a well-written program pretending to be a browser. You can just catch the not-so-well-written programs.

Oh yeah. There are also Javascript tricks like having the link open in a new window with no address bar (so the address isn't visible). But again, that just hides the URL from the casual violator. The determined violator can find it easily by using (for example) the Live HTTP Headers plugin in Firefox to examine the headers of all the requests sent. Or by right-clicking the link and making it open in a tab instead of a window... there are plenty of ways to defeat that.

can i use a filter mechanism??

I can pre-define like www.123.com/... not to render in case not coming from www.123.com/xyz.

You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?

Originally posted by Bear Bibeault:
You can try. But knowing where it's coming from is not 100% guaranteed. You'll only be keeping out the people who don't want the material badly. Anyone who really wants it can probably spoof the system.

What are you really trying to accomplish?

The requirement is to allow rendering image abc.png in a jsp file. But, if the user tries to render the same png by itself, we should stop them from doing that. The png url will be like www.abc.com/cgi-bin/1234.png

But why?

Originally posted by Bear Bibeault:
But why?

Let me rephrase a bit. It is a signature image. It is actually rendered by invoking xyz.com/cgi-bin/param123. It is placed in a JSP for user to see. But we do not want user to remember this url and look at the signature later, by rendering itself.

http://chart.apis.google.com/chart?cht=p3&chd=t:10.0,58.0,95.0,30.0,8.0,63.0&chs=450x200&chl=Hello|World|New

The Google service above creates the image at runtime. Pretty fancy stuff, I think. There is no "image file" to hide. No "Source" to look at.
[ July 09, 2008: Message edited by: James Clark ]

But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?

I'm wondering what "later" means. Is there some time cutoff after which the user shouldn't be able to see the image any more? Or should they only be shown it once? Or should they only be shown it in some context?

Originally posted by Bear Bibeault:
But even with images created on-the-fly, the image can be copied from the browser easily. Is this a concern? Or are you just concerned with later hits to the URL?

Concerns are with the later hits to the url of the image.

OK, if all you are concerned with is making it so that you can only visit the URL once, maybe this would work for you:

1) In the page controller for the page in which the image will appear, generate a random token (could be anything random)
2) Place this token in the session.
3) When generating the URL for the <img> tag that references the servlet that will serve up the image data, add the token as a request parameter.
4) When the image-serving servlet is called, check that the parameter exists and matches the one in the session. Only serve the image if it matches.
5) Remove the token from the session.

This should ensure that the image can only be served once, and only from a page that you generate containing the current token.
[ July 09, 2008: Message edited by: Bear Bibeault ]