Protection of images

 
Pallavi Srivastava
Ranch Hand
Posts: 38
Hi,

I am facing a security issue.
I am generating PDF files on the fly. Now suppose the URL is
http://localhost:8080/Search/imgid=1
Once the user is authenticated and a session is established, he can make any request, such as http://localhost:8080/Search/imgid=1,
http://localhost:8080/Search/imgid=2, http://localhost:8080/Search/imgid=3,
though he is not supposed to see them. Is there any way to restrict this?
I have hidden the menu bar, but in Firefox you can easily change the options and view the menu bar. How can I achieve such a mechanism to restrict the user?

Thanks.
 
Bear Bibeault
Marshal
Posts: 67447
Keep information on the server regarding which user is authorized to view which files and enforce it there. As you have discovered, you can never trust any data coming from the client -- always validate/authorize on the server.
 
Pallavi Srivastava
Ranch Hand
Posts: 38
It's a difficult situation for me, as the system has public access, and after login with a password the user gets access to the whole system.
But then we don't want him to be able to access images by changing image ids.
I tried opening the window with the menu bar disabled so the user cannot see the URL, but in Firefox you can override this option easily.
Can there be any other way?
Also, I am opening new windows, so I am using the "get" method.
The moment the user's session is established he can view images by changing to different ids. This will affect the performance of the system too, since these PDFs are made on the fly.
If there is no way, then I guess I have to suggest changes to the design of the system, which will be a long process!
 
Bear Bibeault
Marshal
Posts: 67447

Originally posted by Pallavi Srivastava:
Can there be any other way?

I already gave you that answer. You need to create some means on the server to know who is authorized to view what and enforce that when the file is requested.

Relying on hiding things at the client is no security at all.
 
Naresh Waswani
Greenhorn
Posts: 9
Hi Pallavi, use a client-side scripting language and check whether the user is allowed to access the image id he is trying to access. If yes, allow him to send the request; otherwise block the request.

For this, once the user session starts, you need to pass the valid ids that he can work with to the client side.

 
Author and all-around good cowpoke
Posts: 13078
Exactly what happens when a request for an image is made?

Those URLs appear to be addressing a servlet which interprets the imgid and creates a PDF on the fly or serves an existing file. If so, then the servlet will always have the session associated with that user and can determine if access is legal.
Bill
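An added example (not code from this thread) of the server-side check Bear and Bill describe: a servlet that reads imgid, resolves the logged-in user from the session, and refuses to generate the PDF unless that user is permitted to see that id. The `ImageAuthorizationDao` and `PdfGenerator` classes and the `username` session attribute are assumptions; the example reads imgid as a request parameter.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Answers /Search?imgid=N, but only after an authorization check on the server. */
public class ImageServlet extends HttpServlet {
    // Assumed DAO (not on the page): the set of image ids this user may view,
    // loaded from the database. Nothing sent by the client feeds this decision.
    private Set<Integer> allowedImageIds(String username) {
        return ImageAuthorizationDao.allowedIds(username);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session, so an unauthenticated hit
        // cannot manufacture one just by requesting a PDF.
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("username");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        int imgid;
        try {
            imgid = Integer.parseInt(req.getParameter("imgid"));
        } catch (NumberFormatException e) { // also covers a missing parameter (null)
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // The id in the URL is untrusted input: compare it with what this user is
        // permitted to see, and log the refusal so sequential id probing is visible.
        if (!allowedImageIds(user).contains(imgid)) {
            log("denied imgid=" + imgid + " for user=" + user);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Only now is the expensive on-the-fly generation paid for.
        resp.setContentType("application/pdf");
        PdfGenerator.write(imgid, resp.getOutputStream()); // assumed generator, not on the page
    }
}
```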
 
Bear Bibeault
Marshal
Posts: 67447

Originally posted by Naresh Waswani:
Hi Pallavi, use a client-side scripting language and check whether the user is allowed to access the image id he is trying to access. If yes, allow him to send the request; otherwise block the request.

Not a good suggestion. The client-side activity is much too easy to spoof to be relied upon. The check must be made on the server.
 
Pallavi Srivastava
Ranch Hand
Posts: 38
Hi,

Thank you for the suggestions.
Basically, it's like public records which we access day to day.
Everything is public, but then we don't want a person to view images by typing the URL in the browser window and accessing images sequentially, since it's not good from a security point of view and also increases the load on the server (PDF generation with images is an expensive operation).
The database is pre-existing and doesn't have restrictions as such. When the user clicks on each "view image" link, I send them to a JSP (in a new browser window) where a new session is created, and then to a servlet which accesses the session values and, if they are present, generates the PDF on the fly. After that I nullify the session.
But the problem is that once the user gets a session he can type anything in the browser window, since he is validated, and access images.
But as Bear has said, client-side security is no security, so I need to discuss with the managers to change the database and apply security on the server side.

Thanks.
 
author & internet detective
Posts: 40198

Originally posted by Pallavi Srivastava:
Everything is public, but then we don't want a person to view images by typing the URL in the browser window and accessing images sequentially

It actually sounds like your requirement isn't security, but limiting flow.

You could give the user a token when they get to the form page that is good to view exactly one image. When the form requests an image/PDF, you check the sent token is the same as the one in the session and remove it from the session. This prevents people from circumventing your form.
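An added example (not code from this thread) of the one-use token described above: the form page calls `issue()` and embeds the result in the link or hidden field, and the PDF servlet calls `consume()` before generating anything. The attribute name `pdfViewToken` and the parameter name `token` are assumptions; as the post says, this limits flow and sits alongside the server-side authorization check rather than replacing it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** A token that is good for exactly one PDF request, kept only in the server-side session. */
public final class ViewToken {
    private static final String ATTR = "pdfViewToken"; // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    private ViewToken() {}

    /** Form page (JSP) side: mint a fresh unguessable token and remember it in the session. */
    public static String issue(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR, new AtomicReference<>(token));
        return token; // embed as a hidden field or a link parameter named "token"
    }

    /** Servlet side: true at most once per issued token; the stored copy is spent either way. */
    public static boolean consume(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        String presented = req.getParameter("token"); // assumed parameter name
        if (session == null || presented == null) {
            return false;
        }
        @SuppressWarnings("unchecked")
        AtomicReference<String> slot = (AtomicReference<String>) session.getAttribute(ATTR);
        // getAndSet(null) is the spend step: of two requests racing with the same
        // token, only one ever sees the stored value.
        String stored = slot == null ? null : slot.getAndSet(null);
        if (stored == null) {
            return false; // never issued, or already spent by an earlier request
        }
        // Constant-time comparison so the check leaks nothing about the stored value.
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```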
 