tomcat-users mailing list archives

From John Turner <tomcat-u...@johnturner.com>
Subject Re: Forbid access to files to non-authenticated requests
Date Fri, 25 Apr 2003 13:19:57 GMT

In my mind, the simplest solution is to put these files someplace where 
they are protected (like under WEB-INF).

Then, the link on the page is simply a link to a JSP with a URL parameter 
of the file requested.  Your JSP can authenticate against the session, and 
if OK, read the file from the disk into a buffer and stream it out to the 
client.

John

On Fri, 25 Apr 2003 15:14:47 +0200, Iñaki <419404@cepsz.unizar.es> wrote:

> Hi guys,
>
> I'm implementing some web services based on Java & JSP. I'm using Apache 
> for serving the static contents and Tomcat(3.2) for jsp's & servlets. 
> Everything on W2K.
>
> Some of the pages require authentication, and I manage this at program 
> level: if the user's authentication against the database is positive, the 
> session becomes valid and the pages are returned.
>
> My question starts here:
> these pages can contain links to files for displaying and/or downloading 
> (images, documents, zips...). Although the 'container' pages cannot be 
> returned without positive authentication, nothing prevents a non- 
> authenticated user from accessing the referenced files (the files referenced 
> in the links) just by knowing the path and entering it in the browser.
>
> Does anybody know a way of restricting the direct access to these 
> 'referenced' files unless the request comes from an authenticated 
> session?
>
> One possible solution I'm thinking of is to create a special handler and add 
> a couple of lines like these to the file 'tomcat-apache.conf':
> AddType      root/zipfiles .zip
> AddHandler   newHandlerForZips .zip
>
> This looks quite complex to me and maybe there is another simpler 
> solution I'm missing. Any idea? In case this is the solution, how complex 
> is it to develop a handler?
>
>
> Any input appreciated.
>
>
> Cheers,
> Iñaki.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

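The approach John describes above (files under WEB-INF, a session check, then streaming the file out) as a worked servlet. This is an added example, not code from the thread or from Tomcat. It assumes the application's login code stores a non-null "user" attribute in the HttpSession, that the protected files live under WEB-INF/protected/ inside the web application, and that the page links look like /download?file=report.zip; all three are assumptions. Because the file name arrives as a URL parameter, the servlet also rejects anything that is not a bare file name and re-checks the canonical path, so a request such as file=../../web.xml cannot escape the protected directory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Serves files kept under WEB-INF/protected/ only to requests that carry an
 * authenticated session. Tomcat never serves WEB-INF directly, so the only
 * way to reach these files is through this servlet.
 *
 * Assumptions (not from the original thread): the login code sets a
 * non-null "user" attribute in the session, and links on the protected
 * pages look like /download?file=report.zip.
 */
public class ProtectedFileServlet extends HttpServlet {

    // Assumed location of the protected files inside the web application.
    private static final String PROTECTED_DIR = "/WEB-INF/protected/";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Authenticate against the session. getSession(false) does not
        //    create a new, empty session for an anonymous request.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Accept only a bare file name: no slashes, no leading dot, so
        //    values like "../../web.xml" or ".htaccess" are refused outright.
        String name = req.getParameter("file");
        if (name == null || name.startsWith(".") || !name.matches("[A-Za-z0-9._-]+")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Resolve the name inside the protected directory and verify the
        //    canonical path still lies under it (belt and braces after step 2).
        String base = getServletContext().getRealPath(PROTECTED_DIR);
        if (base == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        File dir = new File(base).getCanonicalFile();
        File target = new File(dir, name).getCanonicalFile();
        if (!target.getPath().startsWith(dir.getPath() + File.separator) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Stream the file to the client with a sensible content type.
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) target.length());
        resp.setHeader("Content-Disposition",
                "attachment; filename=\"" + target.getName() + "\"");

        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

Map the servlet to /download with a <servlet> and <servlet-mapping> entry in the web application's web.xml, and change the links on the protected pages to /download?file=<name>. Since Apache is serving the static content in the setup described, also make sure its configuration does not expose the WEB-INF directory of the web application; the files must be reachable only through Tomcat and this servlet.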

