tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Collins, Jim" <jim.coll...@uk.nomura.com>
Subject RE: How to protect static HTML's
Date Wed, 25 Jun 2003 16:10:20 GMT
Use struts and move all of your JSP and html pages to WEB-INF. Any reference
to a page change to a struts mapping then in the action class you can check
if the user has rights and if they do forward to the page.

Regards

Jim.

-----Original Message-----
From: Ivan Ivanov [mailto:rambius2000@yahoo.com]
Sent: 25 June 2003 17:04
To: tomcat-user@jakarta.apache.org
Subject: How to protect static HTML's


Dear Tomcat List,
I am facing the following problem. We have some static
html files in our Servlet/JSP project which reside in
a separate directory and we want to restrict the
access to them both from within the project and by
typing the URL directly in the browser. The rules of
accesing them are: if an user is not logged in our
app, he cannot access any of them and if he is logged
in, he can access only those files/folders to which he
has permmissions. Given the path (URL) of one of those
html files I can determine if the logged user has the
rights to see it.
So I wrote a servlet to check the rights and I added
the following entiries in web.xml:
 
    <servlet>
       
<servlet-name>CoursesPermissionController</servlet-name>
       
<servlet-class>arcade.security.CoursesPermissionController</servlet-class>
    </servlet>
    <servlet-mapping>
       
<servlet-name>CoursesPermissionController</servlet-name>
        <url-pattern>/jsp/ccim/Courses/*</url-pattern>
    </servlet-mapping>
 
where /jsp/ccim/Courses/* is the directory where the
html files reside and CoursesPermissionController is
the servlet which desides whether the user has rights.
In its doGet I determine according the URL and the
logged user whether he can see it:
 
 public void doGet(HttpServletRequest request,
HttpServletResponse response)
      throws IOException, ServletException {
            String requestURI =
request.getRequestURI();
            String contextPath =
request.getContextPath();
          HttpSession currentSession =
getSession(request);
        long loggedUserID =
WebBean.getLoggedUserID(currentSession);
        if (loggedUserID == -1) {
//User is not logged
         forward("/jsp/ccim/accessdenied.jsp",
request, response);
        }
        else {
            try {
            //Pseudocode to save space
   boolean isPermitted = checkAccording(requestURI,
loggedUserID );
                if (isPermitted) {
                    int l = contextPath.length();
                    String forwardPath =
requestURI.substring(l);
//The user has rights, so forward to the original
request URL
                 forward(forwardPath, request,
response);
                } else {
                 forward("/jsp/ccim/norights.jsp",
request, response);
                }
            } catch (Exception e) {
             e.printStackTrace();
                forward("/jsp/ErrorPage.jsp", request,
response);
            }
        }
    }
 
and here is forward method:
    private void forward(String path,
HttpServletRequest request, HttpServletResponse
response)
      throws ServletException, IOException {
        RequestDispatcher dispatcher =
request.getRequestDispatcher(path);
        dispatcher.include(request, response);
    }
The problem is that when the user has the rights i am
forwarding it to the same URL, then the servlet is
invoked again, the user is checked again, forwarded
agian in an endless recursion (or till
StackOverflowException).
 
My questions are:
1) can I implement the restrictions in a similar way
by invoking a servlet when a "protected" URL is
requested.
2) are there clearer ways to do it. I read in
Servlet2.3 Specifiaction for filters and
authenticating filters, but I think that I will end
with endless recursing also. Moreover, i couldn't find
a suitable filter example.
 
Up to know I workarounded the problem with this
method:
    private void dump(String path, HttpServletRequest
request, HttpServletResponse response)
      throws ServletException, IOException {
     ServletContext context = getServletContext();
     String realPath = context.getRealPath(path);
     BufferedReader br = new BufferedReader(new
FileReader(realPath));
     PrintWriter out = response.getWriter();
     String line = "";
     while ((line = br.readLine()) != null) {
         out.println(line);
     }
    }
instead this lines
//The user has rights, so forward to the original
request URL
                 forward(forwardPath, request,
response);
I use
//The user has rights, so forward to the original
request URL
                 dump(forwardPath, request, response);
 
I also thought to transform the htmls in jsp's and
check for rights at the top of each jsp, but the
requirements say they must be htmls.
 
Thank you for your efforts. I will appreciate any
idea.
 
Greetings Ivan Ivanov

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


PLEASE READ: The information contained in this email is confidential
and intended for the named recipient(s) only. If you are not an intended
recipient of this email you must not copy, distribute or take any 
further action in reliance on it and you should delete it and notify the
sender immediately. Email is not a secure method of communication and 
Nomura International plc cannot accept responsibility for the accuracy
or completeness of this message or any attachment(s). Please examine this
email for virus infection, for which Nomura International plc accepts
no responsibility. If verification of this email is sought then please
request a hard copy. Unless otherwise stated any views or opinions
presented are solely those of the author and do not represent those of
Nomura International plc. This email is intended for informational
purposes only and is not a solicitation or offer to buy or sell
securities or related financial instruments. Nomura International plc is
regulated by the Financial Services Authority and is a member of the
London Stock Exchange.



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message