Reputation: 17105
I am serving images from a folder outside a web application. I stored images inside C:\source\Pictures. I configured this resource as a static resource in Spring's servlet context file:
<resources location="file:///C:/source/Pictures/" mapping="/img_resources/**"/>
I display images stored in that folder using
<img src="<spring:url value='/img_resources/guinnes_choc_cake.jpg/'/>"></img>
It works well for me. However, I have security concerns. I would not want to expose a directory in my server to the public.
Is there a way to build security around this folder in Spring?
Upvotes: 5
Views: 8082
Reputation: 16283
There's no particular reason to restrict access to static resources.
Given that the directory structure is well defined and file ordering is semantic (i.e. img_resources folder will contain images only), you should permit access to such resources, or even bypass filters altogether to avoid the overhead of passing through the filter chain, e.g.:
<sec:intercept-url pattern="/img_resources/**" filters="none" />
From the Spring Security tutorial:
We'd prefer not to have static resources processed by Spring Security's filters at all. To achieve this, you can add an additional <http> block which only applies to a specific pattern. This must come before the existing block, as it applies to a specific pattern. If no pattern attribute is supplied, the block applies to any request.
Upvotes: 1
Reputation: 4937
If you are using Spring Security you could add something like this to your Spring context file(s):
<sec:intercept-url pattern="/img_resources/**" access="isAuthenticated()" />
Upvotes: 8