
Protection of images

 
Pallavi Srivastava
Ranch Hand
Posts: 38
Hi,

I am facing a security issue.
I am generating PDF files on the fly. Suppose the URL is
http://localhost:8080/Search/imgid=1
Once the user is authenticated and a session is established, he can make any request, such as http://localhost:8080/Search/imgid=1,
http://localhost:8080/Search/imgid=2, http://localhost:8080/Search/imgid=3,
though he is not supposed to see them. Is there any way to restrict this?
I have hidden the menu bar, but in Firefox you can change options easily and view the menu bar. How can I achieve such a mechanism to restrict the user?

Thanks.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Keep information on the server regarding which user is authorized to view which files and enforce it there. As you have discovered, you can never trust any data coming from the client -- always validate/authorize on the server.
 
Pallavi Srivastava
Ranch Hand
Posts: 38
It's a difficult situation for me, as the system has public access. After entering a login and password, the user gets access to the whole system.
But we don't want him to be able to access images by changing image ids.
I tried opening the window with the menu bar disabled so the user cannot see the URL, but in Firefox you can override this option easily.
Can there be any other way?
Also, I am opening new windows, so I am using the "get" method.
The moment the user's session is established, he can view images by changing to different ids. This will affect the performance of the system too, since these PDFs are made on the fly.
If there is no way, then I guess I have to suggest changes to the design of the system, which will be a long process!
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
"Can there be any other way?"

I already gave you that answer. You need to create some means on the server to know who is authorized to view what and enforce that when the file is requested.

Relying on hiding things at the client is no security at all.
 
NareshA WaswaniA
Greenhorn
Posts: 9
Hi Pallavi, use a client-side scripting language and check whether the user is allowed to access the image id that he is trying to access. If yes, allow him to send the request; otherwise block the request.

For this, once the user session starts, you need to pass the valid ids that he can work with to the client side.

 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
Exactly what happens when a request for an image is made?

Those URLs appear to be addressing a servlet which interprets the imgid and creates a PDF on the fly or serves an existing file. If so, then the servlet will always have the session associated with that user and can determine if access is legal.
Bill
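
The server-side check recommended in the replies above, as an added example that is not part of the original thread: the servlet takes the user from the session and authorizes each requested id before generating anything. It assumes the Servlet API (`javax.servlet`) on the classpath, that login stored a `userId` session attribute, and that the id arrives as an `imgid` request parameter; the `ALLOWED` table and the `writePdf` hook are hypothetical names.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: the userId attribute, ALLOWED table and writePdf hook are assumptions.
public abstract class ImagePdfServlet extends HttpServlet {

    // Constructed sample data standing in for a server-side "who may view what" table.
    private static final Map<String, Set<Long>> ALLOWED = Map.of(
            "alice", Set.of(1L, 2L),
            "bob", Set.of(3L));

    /** Hypothetical hook for the application's existing PDF generation. */
    protected abstract void writePdf(long imageId, OutputStream out) throws IOException;

    static boolean mayView(String userId, long imageId) {
        return ALLOWED.getOrDefault(userId, Set.of()).contains(imageId);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Identity comes from the server-side session, never from a request parameter.
        HttpSession session = req.getSession(false);
        Object userId = (session == null) ? null : session.getAttribute("userId");
        if (!(userId instanceof String)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        long imageId;
        try {
            imageId = Long.parseLong(req.getParameter("imgid"));
        } catch (NumberFormatException e) { // also thrown when the parameter is missing
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Authorize this user for this id before any expensive PDF work starts.
        if (!mayView((String) userId, imageId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/pdf");
        writePdf(imageId, resp.getOutputStream());
    }
}
```

Because the check runs on every request, typing a different id into the address bar gets a 403 no matter how the link was hidden in the browser.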
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Originally posted by NareshA WaswaniA:
Hi Pallavi, use a client-side scripting language and check whether the user is allowed to access the image id that he is trying to access. If yes, allow him to send the request; otherwise block the request.


Not a good suggestion. The client-side activity is much too easy to spoof to be relied upon. The check must be made on the server.
 
Pallavi Srivastava
Ranch Hand
Posts: 38
Hi,

Thank you for the suggestions.
Basically it's like public records which we access day to day.
Everything is public, but we don't want a person to view images by typing the URL in the browser window and accessing images sequentially, since it's not good from a security point of view and also increases load on the server (PDF generation with images is an expensive operation).
The database is preexisting and doesn't have restrictions as such. When the user clicks on each "view image" link, I send him to a JSP (in a new browser window) where a new session is created, and then to a servlet which accesses the session values and, if they are present, generates the PDF on the fly. After that I nullify the session.
But the problem is that once the user gets a session, he types anything in the browser window, since he is validated, and accesses images.
But as Bear has said, client-side security is no security, so I need to discuss with the managers changing the database and applying security on the server side.

Thanks.
 
Jeanne Boyarsky
author & internet detective
Sheriff
Posts: 36446
Originally posted by Pallavi Srivastava:
Everything is public, but we don't want a person to view images by typing the URL in the browser window and accessing images sequentially

It actually sounds like your requirement isn't security, but limiting flow.

You could give the user a token when they get to the form page that is good to view exactly one image. When the form requests an image/PDF, you check the sent token is the same as the one in the session and remove it from the session. This prevents people from circumventing your form.
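
The single-use token described in the post above, as an added example that is not part of the original thread. It goes slightly beyond the post by allowing several outstanding tokens per session (one per "view image" link) and binding each token to one image id; the class, method and session attribute names are assumptions, and the Servlet API (`javax.servlet`) is assumed on the classpath.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;

// Added example: class, method and attribute names are assumptions.
public final class ViewTokens {
    private static final String ATTR = "viewTokens";
    private static final SecureRandom RNG = new SecureRandom();

    private ViewTokens() {}

    // Returns the per-session token table, creating it on first use.
    @SuppressWarnings("unchecked")
    private static ConcurrentHashMap<String, Long> tokens(HttpSession session) {
        synchronized (ViewTokens.class) {
            Object map = session.getAttribute(ATTR);
            if (map == null) {
                map = new ConcurrentHashMap<String, Long>();
                session.setAttribute(ATTR, map);
            }
            return (ConcurrentHashMap<String, Long>) map;
        }
    }

    /** Called while rendering the page: returns a token to embed in one "view image" link. */
    public static String issue(HttpSession session, long imageId) {
        byte[] raw = new byte[16]; // 128 random bits, not guessable from earlier tokens
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens(session).put(token, imageId);
        return token;
    }

    /** Called by the image servlet: true once per issued token, and only for its image. */
    public static boolean consume(HttpSession session, String token, long imageId) {
        if (session == null || token == null) {
            return false;
        }
        Long issuedFor = tokens(session).remove(token); // atomic: a replay finds nothing
        return issuedFor != null && issuedFor == imageId;
    }
}
```

The image servlet would call `consume` before generating the PDF and reject the request when it returns false, so an id typed into the address bar without a freshly issued token never reaches the expensive generation step.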
 