tomcat-users mailing list archives

From Iñaki <419...@cepsz.unizar.es>
Subject Re: Forbid access to files to non-authenticated requests
Date Fri, 25 Apr 2003 14:22:02 GMT

John,

Thanks a lot for the prompt answer. It's really a more simple solution than my 
initial thought.

I'm still missing something: As I understand it, it should work fine when 
displaying, either using the tag <A> or <IMG>. However, if client wants to save 
the file (option 'save target as'), the proposed name to be saved will be the 
name of the request ('jspName.jsp?filename.ext'). Of course the user can 
manually change this name and give the right format, but is there a way to 
provide the 'save as' window with the right name? Maybe any parameter in the 
ServletResponse class?


Thanks,
Iñaki.


Quoting John Turner <tomcat-user@johnturner.com>:

> 
> In my mind, the simplest solution is to put these files someplace where 
> they are protected (like under WEB-INF).
> 
> Then, the link on the page is simply a link to a JSP with a URL parameter 
> of the file requested.  Your JSP can authenticate against the session, and 
> if OK, read the file from the disk into a buffer and stream it out to the 
> client.
> 
> John
> 
> On Fri, 25 Apr 2003 15:14:47 +0200, Iñaki <419404@cepsz.unizar.es> wrote:
> 
> > Hi guys,
> >
> > I'm implementing some web services based on Java & JSP. I'm using Apache 
> > for serving the static contents and Tomcat(3.2) for jsp's & servlets. 
> > Everything on W2K.
> >
> > Some of the pages require authentication, and I manage this at program 
> > level: if the user authentication against the database is positive, 
> > session becomes valid and the pages are returned.
> >
> > My question starts here:
> > these pages can contain links to files for displaying and/or downloading 
> > (images, documents, zips...). Although the 'container' pages cannot be 
> > returned without positive authentication, nothing prevents a 
> > non-authenticated user to access the referenced files (the files referenced 
> > in the links) just by knowing the path and entering it in the browser.
> >
> > Does anybody know a way of restricting the direct access to these 
> > 'referenced' files unless the request comes from an authenticated 
> > session?
> >
> > One possible solution I'm thinking is to create a special handler and add 
> > such couple of lines to the file 'tomcat-apache.conf':
> > AddType      root/zipfiles .zip
> > AddHandler   newHandlerForZips .zip
> >
> > This looks quite complex for me and maybe there is another simpler 
> > solution I'm missing. Any idea? In case this is the solution, how complex 
> > is to develop a handler?
> >
> >
> > Any input appreciated.
> >
> >
> > Cheers,
> > Iñaki.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> 
> 
> 
> -- 
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
> 
> 
> 




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
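
Added example, not part of the original thread and not Tomcat's own code: one way to implement the approach John describes (files under WEB-INF, session check, stream to the client) as a servlet, including a Content-Disposition header so the browser's 'save as' dialog proposes the real file name. The class name, the /WEB-INF/protected directory, the 'file' parameter and the 'authenticatedUser' session attribute are assumptions; it uses the javax.servlet API (jakarta.servlet on Tomcat 10 and later).

```java
import java.io.*;
import javax.servlet.http.*;

// Hypothetical servlet: serves files kept under WEB-INF/protected to logged-in users only.
public class ProtectedFileServlet extends HttpServlet {
    private static final String BASE = "/WEB-INF/protected";      // assumed directory
    private static final String AUTH_ATTR = "authenticatedUser";  // assumed: set by the login code

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Check the existing session; getSession(false) never creates a new one.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(AUTH_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Accept a bare file name only, so the URL parameter cannot name a path.
        //    The pattern also excludes quotes and line breaks, which keeps the header below safe.
        String name = req.getParameter("file");
        if (name == null || !name.matches("[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 3. Resolve under the protected directory and confirm the canonical
        //    path is a direct child of it (guards against links and odd names).
        String realBase = getServletContext().getRealPath(BASE);
        if (realBase == null) {                       // e.g. application not unpacked on disk
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        File base = new File(realBase).getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!base.equals(target.getParentFile()) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 4. Content type from the container's MIME mappings; the file name for 'save as'
        //    travels in Content-Disposition ("inline" instead of "attachment" keeps <IMG> display).
        String type = getServletContext().getMimeType(name);
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.setHeader("Content-Length", Long.toString(target.length()));
        // 5. Stream the file to the client in fixed-size chunks.
        try (InputStream in = new FileInputStream(target);
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
    }
}
```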