tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Iñaki <>
Subject Forbid access to files to non-authenticated requests
Date Fri, 25 Apr 2003 13:14:47 GMT
Hi guys,

I'm implementing some web services based on Java & JSP. I'm using Apache for 
serving the static contents and Tomcat(3.2) for jsp's & servlets. Everything on 

Some of the pages require authentication, and I manage this at program level: 
if the user authentications against the database is positive, session becomes 
valid and the pages are returned.

My question starts here:
this pages can contain links to files for displaying and/or downloading 
(images, documents, zips...). Although the 'container' pages cannot be returned 
without positive authentication, nothing prevents a non-authenticated user to 
access the referenced files (the files referenced in the links) just by knowing 
the path and entering it in the browser.

Does anybody know a way of restricting the direct access to these 'referenced' 
files unless the request comes from an authenticated session?

One possible solution I'm thinking is to create a special handler and add such 
couple of lines to the file 'tomcat-apache.conf':
     AddType      root/zipfiles .zip
     AddHandler   newHandlerForZips .zip

This looks quite complex for me and maybe there is another simpler soluion I'm 
missing. Any idea? In case this is the solution, how complex is to develop a 

Any input appreciated.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message