tags:

views:

145

answers:

1
Q: 

Tomcat Referrer Lockdown

I know using referrer is a bad idea but I need a quick fix to lockdown content inside a folder on a tomcat application this is just the temp fix until we can get a long term one in place.

I would like to use the referrer header to block off site linking to one directory. I need to do this directly in Tomcat if possible.

Thanks for any help.

+1  A: 

The HTTP Referer header is spoofable, trivially, I might add. I would advise against this approach. A better (more secure) way to lock down access to a folder in your web application is to add a <security-constraint> in your WEB-INF/web.xml.

If you want to restrict by client IP address, you could use the Remote Address Filter Valve.

Asaph  2009-12-22 17:38:08
Can the app still point to files with a standard url then? I have a web app which isn't correct or something I can change in the short term that simply links to the content which I need to make somewhat hidden if I could at least do referer header I thought it would help in the short term.
Jeff Beck  2009-12-22 17:46:37
@Jeff Beck: It's security by obscurity. Anyone who wants to access it still can. All they have to do is know what referer to put in the header. If your user is authenticated, you can restrict by role. Will that work for you?
Asaph  2009-12-22 17:48:39
@Jeff Beck: If you want to restrict by client IP address, you could use the Remote Address Filter Valve. I updated my answer to include this.
Asaph  2009-12-22 17:53:43
The users are authenticated by the application but I can't make any changes to the app in the timeline that this needs to be starting to addressed. I will try the security-constraint and see how it is going.
Jeff Beck  2009-12-22 17:58:07

related questions

Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
How to avoid temporary file creation on server-side when pushing back full HTML content to clients?
What tools are there for timed batch processes in J2EE?
Eclipse - How can I change a 'Project Facet' from Tomcat 6 to Tomcat 5.5?
What must I do to make content such as images served over HTTPS be cached client-side?
Packaging up Tomcat
What is the Simplest Tomcat/Apache Connector (Windows)?
Wildcards for resources in a Tomcat Servlet's context.xml
How to debug a JSP tomcat service using eclipse?
Why does Tomcat 5.5 (with Java 1.4, running on Windows XP 32-bit) suddenly hang?
In Tomcat how can my servlet determine what connectors are configured?
tomcat5 fails to start on CentOS 5 with NoClassDefFoundError exception
Accessing Tomcat Context Path from Servlet
Unit-testing servlets
Some Tomcat webapps not opening
Java ConnectionPool connection not closing, stuck in 'sleep'
Tomcat vs Weblogic JNDI Lookup
Tomcat doFilter() invoked with committed response
Difference between the Apache HTTP Server and Apache Tomcat?
Should you run one or multiple applications per tomcat cluster?
Invalid <url-pattern> servlet mapping in tomcat 6.0
How do you configure tomcat to bind to a single ip address (localhost) instead of all addresses?
Java+Tomcat, Dying databse connection?
Arrays of Arrays in Java