tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: Session\Security Checking
Date Mon, 28 Jul 2003 17:18:52 GMT
Nope, Filters are new to Servlets 2.3

http://java.sun.com/products/servlet/Filters.html

Also, download the Servlet spec, it's full of great info, and not just
about Filters.
http://jcp.org/aboutJava/communityprocess/first/jsr053/index.html


> -----Original Message-----
> From: Robert Priest [mailto:Robert.Priest@bentley.com] 
> Sent: Monday, July 28, 2003 12:13 PM
> To: 'Tomcat Users List'
> Subject: RE: Session\Security Checking
> 
> 
> Ok. Thanks.
> 
> Do you have any links to the proper documentation for doing this?
> 
> When you say filter, you are not speaking of a "Realm" are you?
> 
> Could you clarify for me?
> 
> -----Original Message-----
> From: Mike Curwen [mailto:gb_dev@gb-im.com]
> Sent: Monday, July 28, 2003 12:55 PM
> To: 'Tomcat Users List'
> Subject: RE: Session\Security Checking
> 
> 
> If you've already implemented your own access control, then 
> certainly it might be more feasible to extend that to this 
> set of pages.  A filter might be the best, if you can use a 
> 2.3 compliant container.
>  
> The filter would simply check for the presence of a session.  
> If there isn't one, sendRedirect() to a login page.  Else, 
> the filter will just 'pass through' the request. The filter 
> can be mapped to any requests for /downloaddir/*.
> 
> > -----Original Message-----
> > From: Robert Priest [mailto:Robert.Priest@bentley.com]
> > Sent: Monday, July 28, 2003 11:46 AM
> > To: 'Tomcat Users List'
> > Subject: RE: Session\Security Checking
> > 
> > 
> > But I still need to change how my users are authenticated,
> > correct? I now need to handle that authentication through the 
> > realm instead of a Form on our page now, right?
> > 
> > -----Original Message-----
> > From: Mike Curwen [mailto:gb_dev@gb-im.com]
> > Sent: Monday, July 28, 2003 12:33 PM
> > To: 'Tomcat Users List'
> > Subject: RE: Session\Security Checking
> > 
> > 
> > I think using a realm and simply setting up /downloaddir/* as
> > a 'protected resource' is the way to go.  The functionality 
> > you're looking for has already been implemented by 
> > Container-Managed Auth.
> >  
> > Also.. if you use a container AUTH scheme, then you don't
> > need the Session ID in the URL.  The mere presence of a 
> > session will prove that your user is "logged in and authenticated".
> > 
> > 
> > > -----Original Message-----
> > > From: Robert Priest [mailto:Robert.Priest@bentley.com]
> > > Sent: Monday, July 28, 2003 11:25 AM
> > > To: 'Tomcat Users List'
> > > Subject: RE: Session\Security Checking
> > > 
> > > 
> > > Thanks, Rick. I appreciate the info. But I am not sure that we want 
> > > to use realm for our solution. But I certainly think it is feasible.
> > > 
> > > I think we are more in the market for some sort of simple session 
> > > guard. Please allow me to explain a little further. Then I would 
> > > like to hear your opinion about the suggested approach versus adding 
> > > a REALM:
> > > 
> > > the URL for the download will contain a session id for the user. So 
> > > if you will allow me to modify my example:
> > > 
> > > Say user A logs in and has a session id of "1" and wants to download 
> > > abc.jar. He will be redirected to the url: 
> > > http://localhost/myservlet/downloaddir/1/abc.jar
> > > 
> > > now I would like to put in place a guard servlet. So in myservlet's 
> > > web.xml I will add
> > > 
> > > <servlet-mapping>
> > > 	<servlet-name>com.myproj.web.GUARD</servlet-name>
> > > 	<url-pattern>/downloaddir/*</url-pattern>
> > > </servlet-mapping>
> > > 
> > > The intention is for the "Guard" servlet to:
> > > 
> > > 1. Inspect the url for sessionid ("1" in this case).
> > > 2. Get it and compare it to the current session id (session.getID()).
> > > 3. If the two match, then start an http download.
> > > 4. If not, then throw up an "Access Denied" error page.
> > > 
> > > That is pretty much all we need to do. I also don't want to add 
> > > basic\Form authentication at this point for those directories. We 
> > > simply want to match whether the session id in the url is the same 
> > > as the one the current user is using.
> > > 
> > > That way, if another user, who will have a different session number 
> > > (3 or what have you) tries to paste in:
> > > 
> > >  http://localhost/myservlet/downloaddir/1/abc.jar
> > > 
> > > he\she will get an access denied.
> > > 
> > > Is that more understandable?
> > > 
> > > We are trying to prevent cutting and pasting of urls.
> > > 
> > > We are mainly concerned with just providing\denying access to this 
> > > directory and not security to an entire web application where I 
> > > think the REALM would be more applicable (i am not sure whether that 
> > > is right or wrong...).
> > > 
> > > 
> > > -----Original Message-----
> > > From: Rick Roberts [mailto:techinfo@ait-web.com]
> > > Sent: Monday, July 28, 2003 12:09 PM
> > > To: Tomcat Users List
> > > Subject: Re: Session\Security Checking
> > > 
> > > 
> > > Found a link for ya: 
> > > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> > > 
> > > Rick
> > > 
> > > Robert Priest wrote:
> > > > How can I check for a Valid session id before allowing access to a 
> > > > file?
> > > > 
> > > > For example:
> > > > 
> > > > - I have a directory containing files for download: 
> > > > http://localhost/myservlet/downloaddir/
> > > > - but before you download a file, say abc.jar (by using
> > > > "http://localhost/myservlet/downloaddir/abc.jar"), I want to make sure
> > > > that you have a valid session id. If your session id is invalid, you
> > > > get an access denied page. If not, a http download is started.
> > > > 
> > > > so I guess what I want is to intercept any request to that 
> > > > "downloaddir" and perform session\security checking (by another 
> > > > servlet or jsp page) before allowing access...
> > > > 
> > > > 
> > > > Now, is adding additional servlet\jsp the best way to go about this,
> > > > or is there a better way through Tomcat configuration?
> > > > 
> > > > 
> > > > Thanks.
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > > 
> > > 
> > > --
> > > *******************************************
> > > * Rick Roberts                            *
> > > * Advanced Information Technologies, Inc. *
> > > *******************************************
> > > 
> > > 
> > > 




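The filter Mike describes, written out as an added example for this archive page (it is not code from the thread, from Tomcat, or from the Servlet spec): a Servlet 2.3 Filter mapped to /downloaddir/* that passes the request through when an authenticated session exists and otherwise sendRedirect()s to a login page. Every name in it is an assumption: the class and filter names, the login path, and the "authenticatedUser" session attribute that a login servlet would set on success. That attribute check is the one caveat worth adding to "check for the presence of a session": a container may create a session on any JSP hit, so a session existing proves a login only if the application never creates sessions before authenticating. With the filter in place the session id does not need to appear in the URL path at all, which also keeps it out of browser history, proxy logs and Referer headers.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session guard for /downloaddir/* (Servlet 2.3 Filter). Example code,
 * not from the thread or from Tomcat.
 *
 * Assumed contract: the login servlet/JSP sets the session attribute
 * "authenticatedUser" after a successful login. Checking that attribute,
 * and not only that a session exists, matters because a container may
 * create a session for any JSP hit. Nothing from the URL is trusted; the
 * session comes from the cookie or rewritten id the container already
 * validated, so no session id needs to be in the path.
 *
 * Mapping to add to web.xml (all names hypothetical):
 *
 *   <filter>
 *     <filter-name>DownloadGuard</filter-name>
 *     <filter-class>com.example.DownloadGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>loginPath</param-name>
 *       <param-value>/login.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>DownloadGuard</filter-name>
 *     <url-pattern>/downloaddir/*</url-pattern>
 *   </filter-mapping>
 */
public class DownloadGuardFilter implements Filter {

    /** Session attribute the (hypothetical) login code sets on success. */
    static final String AUTH_ATTR = "authenticatedUser";

    /** Context-relative login page; overridable via the loginPath init-param. */
    private String loginPath = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("loginPath");
        if (p != null && p.length() > 0) {
            loginPath = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isLoggedIn(request)) {
            // 'Pass through': let the container serve the file as usual.
            chain.doFilter(req, resp);
            return;
        }

        // No authenticated session. Do not create one here; just send the
        // user to the login page. (sendError(403) would be the alternative
        // if an "Access Denied" page is preferred over a redirect.)
        response.sendRedirect(request.getContextPath() + loginPath);
    }

    /**
     * getSession(false) never creates a session, so an anonymous request
     * stays anonymous and an attribute check on a fresh session cannot
     * accidentally pass.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(AUTH_ATTR) != null;
    }

    public void destroy() {
        // nothing to release
    }
}
```

The filter never reads the path to decide access, so the "/downloaddir/1/abc.jar" scheme from earlier in the thread collapses to "/downloaddir/abc.jar": whoever pastes the URL still has to present a session that the login code marked as authenticated, and a user with a different (or no) session is redirected rather than served.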