tomcat-users mailing list archives

From John Turner <tomcat-u...@johnturner.com>
Subject Re: Forbid access to files to non-authenticated requests
Date Fri, 25 Apr 2003 14:24:31 GMT

Sorry, I have no clue if that's even possible.  Perhaps someone else does.

John

On Fri, 25 Apr 2003 16:22:02 +0200, Iñaki <419404@cepsz.unizar.es> wrote:

> John,
>
> Thanks a lot for the prompt answer. It's really a more simple solution 
> than my initial thought.
>
> I'm still missing something: As I understand it, it should work fine when 
> displaying, either using the tag <A> or <IMG>. However, if client wants 
> to save the file (option 'save target as'), the proposed name to be saved 
> will be the name of the request ('jspName.jsp?filename.ext'). Of course 
> the user can manually change this name and give the right format, but is 
> there a way to provide the 'save as' window with the right name? Maybe 
> any parameter in the ServletResponse class?
>
>
> Thanks,
> Iñaki.
>
>
> Quoted message from John Turner <tomcat-user@johnturner.com>:
>
>>
>> In my mind, the simplest solution is to put these files someplace where 
>> they are protected (like under WEB-INF).
>>
>> Then, the link on the page is simply a link to a JSP with a URL 
>> parameter of the file requested.  Your JSP can authenticate against the 
>> session, and if OK, read the file from the disk into a buffer and stream 
>> it out to the client.
>>
>> John
>>
>> On Fri, 25 Apr 2003 15:14:47 +0200, Iñaki <419404@cepsz.unizar.es> 
>> wrote:
>>
>> > Hi guys,
>> >
>> > I'm implementing some web services based on Java & JSP. I'm using
>> > Apache for serving the static contents and Tomcat(3.2) for jsp's &
>> > servlets. Everything on W2K.
>> >
>> > Some of the pages require authentication, and I manage this at program
>> > level: if the user authentication against the database is positive,
>> > session becomes valid and the pages are returned.
>> >
>> > My question starts here:
>> > these pages can contain links to files for displaying and/or
>> > downloading (images, documents, zips...). Although the 'container'
>> > pages cannot be returned without positive authentication, nothing
>> > prevents a non-authenticated user from accessing the referenced files
>> > (the files referenced in the links) just by knowing the path and
>> > entering it in the browser.
>> >
>> > Does anybody know a way of restricting the direct access to these
>> > 'referenced' files unless the request comes from an authenticated
>> > session?
>> >
>> > One possible solution I'm thinking is to create a special handler and
>> > add such couple of lines to the file 'tomcat-apache.conf':
>> > AddType      root/zipfiles .zip
>> > AddHandler   newHandlerForZips .zip
>> >
>> > This looks quite complex for me and maybe there is another simpler
>> > solution I'm missing. Any idea? In case this is the solution, how complex
>> > is to develop a handler?
>> >
>> >
>> > Any input appreciated.
>> >
>> >
>> > Cheers,
>> > Iñaki.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>> >
>> >
>>
>>
>>
>> -- Using M2, Opera's revolutionary e-mail client: 
>> http://www.opera.com/m2/



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
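
The approach discussed in this thread (files kept under WEB-INF, streamed only to an authenticated session, with a suggested 'save as' name), as an added example that is not code from any poster or from Tomcat. It is written as a servlet rather than a JSP because a servlet can write binary data to the response output stream directly. The class name, the `/WEB-INF/protected` directory, the `file` parameter and the `authUser` session attribute are assumptions.

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ProtectedFileServlet extends HttpServlet {
    // Assumption: downloads live here; the container never serves WEB-INF directly.
    private static final String BASE = "/WEB-INF/protected";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumption: the login code stores "authUser" in the session on success.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("authUser") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Accept a bare file name only: no separators, no "..", no quotes or CR/LF.
        String name = req.getParameter("file");
        if (name == null || name.indexOf("..") >= 0
                || !name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,127}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String root = getServletContext().getRealPath(BASE);
        if (root == null) { // e.g. the webapp runs from an unexpanded WAR
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        File base = new File(root).getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        // Defence in depth: the resolved path must still sit directly in BASE.
        if (!base.equals(target.getParentFile()) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(name);
        resp.setContentType(type != null ? type : "application/octet-stream");
        // The whitelist above keeps the value safe to place in a header.
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

Using `inline` instead of `attachment` in the `Content-Disposition` value lets the browser display the file in the page while still suggesting the file name for 'save target as'.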
