Hi guys,
I'm implementing some web services based on Java & JSP. I'm using Apache for
serving the static content and Tomcat (3.2) for JSPs & servlets. Everything on
W2K.
Some of the pages require authentication, and I manage this at program level:
if the user's authentication against the database is positive, the session
becomes valid and the pages are returned.
My question starts here:
These pages can contain links to files for displaying and/or downloading
(images, documents, zips...). Although the 'container' pages cannot be returned
without positive authentication, nothing prevents a non-authenticated user from
accessing the referenced files (the files referenced in the links) just by
knowing the path and entering it in the browser.
Does anybody know a way of restricting the direct access to these 'referenced'
files unless the request comes from an authenticated session?
One possible solution I'm thinking of is to create a special handler and add a
couple of lines such as these to the file 'tomcat-apache.conf':
AddType root/zipfiles .zip
AddHandler newHandlerForZips .zip
This looks quite complex to me and maybe there is another, simpler solution I'm
missing. Any idea? In case this is the solution, how complex is it to develop a
handler?
Any input appreciated.
Cheers,
Iñaki.
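
One common way to get the behaviour asked for above, shown as an added example that is not part of the original message: keep the files outside every directory Apache or Tomcat serves directly and stream them through a servlet that checks the session first. The class name, the `authenticatedUser` session attribute, the `baseDir` init-param and the `/files/*` mapping are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, mapped to e.g. /files/*; links in the JSPs point here
// instead of at a path that Apache serves statically.
public class ProtectedFileServlet extends HttpServlet {
    // Assumed name of the session attribute set after the database login succeeds.
    private static final String AUTH_ATTR = "authenticatedUser";
    private File baseDir;

    public void init() throws ServletException {
        // Assumed init-param: a directory outside every Apache/Tomcat document root.
        String dir = getInitParameter("baseDir");
        if (dir == null) throw new ServletException("baseDir init-param missing");
        try { baseDir = new File(dir).getCanonicalFile(); }
        catch (IOException e) { throw new ServletException(e.getMessage()); }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // never create a session here
        if (session == null || session.getAttribute(AUTH_ATTR) == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = req.getPathInfo();               // e.g. "/docs/report.zip"
        if (name == null) { res.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        // Resolve ".." and symlinks, then require the result to stay under baseDir.
        File file = new File(baseDir, name).getCanonicalFile();
        if (!file.getPath().startsWith(baseDir.getPath() + File.separator) || !file.isFile()) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(file.getName());
        res.setContentType(type != null ? type : "application/octet-stream");
        FileInputStream in = new FileInputStream(file);
        try {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) res.getOutputStream().write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

Because the files no longer live under a statically served path, knowing the old URL is not enough; every request passes the session check and the canonical-path check before any bytes are sent.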