tomcat-users mailing list archives

From John Turner <>
Subject Re: Forbid access to files to non-authenticated requests
Date Fri, 25 Apr 2003 13:19:57 GMT

In my mind, the simplest solution is to put these files someplace where 
they are protected (like under WEB-INF).

Then, the link on the page is simply a link to a JSP with a URL parameter 
of the file requested.  Your JSP can authenticate against the session, and 
if OK, read the file from the disk into a buffer and stream it out to the 


On Fri, 25 Apr 2003 15:14:47 +0200, Iñaki <> wrote:

> Hi guys,
> I'm implementing some web services based on Java & JSP. I'm using Apache 
> for serving the static contents and Tomcat(3.2) for jsp's & servlets. 
> Everything on W2K.
> Some of the pages require authentication, and I manage this at program 
> level: if the user's authentication against the database is positive, the 
> session becomes valid and the pages are returned.
> My question starts here:
> these pages can contain links to files for displaying and/or downloading 
> (images, documents, zips...). Although the 'container' pages cannot be 
> returned without positive authentication, nothing prevents a 
> non-authenticated user from accessing the referenced files (the files 
> referenced in the links) just by knowing the path and entering it in the browser.
> Does anybody know a way of restricting the direct access to these 
> 'referenced' files unless the request comes from an authenticated 
> session?
> One possible solution I'm thinking of is to create a special handler and add 
> a couple of lines like these to the file 'tomcat-apache.conf':
> AddType      root/zipfiles .zip
> AddHandler   newHandlerForZips .zip
> This looks quite complex to me and maybe there is another, simpler 
> solution I'm missing. Any idea? In case this is the solution, how complex 
> is it to develop a handler?
> Any input appreciated.
> Cheers,
> Iñaki.

Using M2, Opera's revolutionary e-mail client:

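The approach John describes (keep the files under WEB-INF, hand out a link to a servlet or JSP that checks the session and streams the file itself) looks like the following servlet. This is an added illustration, not code from either poster; it is written against the javax.servlet API, and it assumes that the login code marks an authenticated session by storing a non-null "user" attribute, that the protected files sit in WEB-INF/protected/ inside the web app, and that the servlet is reached as /download?file=report.zip (the "file" parameter name and the servlet mapping are ours). Two points matter for this to actually close the hole Iñaki describes: the files must live only under WEB-INF, which the container never serves directly, and not in a directory that Apache serves as static content, because Apache would hand them out without ever asking Tomcat; and the file name taken from the request must be validated, otherwise an authenticated user can ask for ../web.xml or any other readable file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-gated file download servlet (added example, not code from the thread).
 *
 * Assumptions not stated in the original message:
 *   - protected files live under WEB-INF/protected/ inside the web app, so the
 *     container refuses direct requests for them;
 *   - the application's login code stores a non-null session attribute "user"
 *     once the database check succeeds;
 *   - the servlet is mapped to /download and called as /download?file=NAME.
 */
public class ProtectedDownloadServlet extends HttpServlet {

    private static final String PROTECTED_DIR = "/WEB-INF/protected/";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Authorisation: a session must already exist and carry the login
        //    marker. getSession(false) avoids creating sessions for anonymous hits.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Input validation: the name is attacker-controlled and must not be
        //    able to escape PROTECTED_DIR (e.g. "../web.xml" or "..\\web.xml").
        String name = req.getParameter("file");
        if (!isSafeFileName(name)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Resolve the file relative to the web app, never from a client path.
        InputStream in = getServletContext().getResourceAsStream(PROTECTED_DIR + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Stream the bytes to the client. Content-Disposition forces a download
        //    for types the browser would otherwise render inline; no-store keeps
        //    shared caches from handing the file to the next, unauthenticated, user.
        String mime = getServletContext().getMimeType(name);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.setHeader("Cache-Control", "private, no-store");

        OutputStream out = resp.getOutputStream();
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
        out.flush();
    }

    /**
     * Accept only a plain file name: no path separators, no parent references,
     * no leading dot, and only characters expected in a document or archive name.
     * The whitelist also keeps quotes and CR/LF out of the Content-Disposition header.
     */
    static boolean isSafeFileName(String name) {
        if (name == null || name.length() == 0 || name.length() > 255) {
            return false;
        }
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0
                || name.indexOf("..") >= 0 || name.charAt(0) == '.') {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (!(Character.isLetterOrDigit(c) || c == '.' || c == '-' || c == '_')) {
                return false;
            }
        }
        return true;
    }
}
```

The pages that today link straight to the file would instead link to /download?file=report.zip, with the servlet registered in web.xml under that mapping. Using getResourceAsStream rather than java.io.File keeps the lookup inside the web application, and the whitelist in isSafeFileName is what stops a logged-in user from walking out of WEB-INF/protected/; the session check alone does not.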
