tomcat-users mailing list archives

From Rick Roberts
Subject Re: Session\Security Checking
Date Mon, 28 Jul 2003 16:58:23 GMT

Robert Priest wrote:
> the URL for the download will contain a session id for the user. So if you
> will allow me to modify my example:
> Say user A logs in and has a session id of "1" and wants to download
> abc.jar. He will be redirected to the url:
> http://localhost/myservlet/downloaddir/1/abc.jar
> now I would like to put in place a guard servlet. So in myservlet's web.xml
> I will add 
> <servlet-mapping>
> 	<servlet-name>com.myproj.web.GUARD</servlet-name>
> 	<url-pattern>/downloaddir/*</url-pattern>
> </servlet-mapping>
> The intention is for the "Guard" servlet to:
> 1. Inspect the url for sessionid ("1" in this case).
> 2. Get it and compare it to the current session id (session.getID()).
> 3. If the two match, then start an http download.
> 4. If not, then throw up an "Access Denied" error page.

I don't think there is any way to implement this concept,
because you can't know the value of session.getID() in advance.
Therefore you can't set up the downloaddir as described.

I suppose you could figure out a way to do what you want without using container 
managed authentication, but I can't think of a good reason to not use it.

* Rick Roberts                            *
* Advanced Information Technologies, Inc. *
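
Added example, not part of the original thread or anyone's posted code: a guard servlet for the /downloaddir/* mapping that carries out the four steps from the quoted post, reading the id from getPathInfo() at request time and comparing it with the Servlet API's session.getId(). The class name GuardServlet and the DOWNLOAD_ROOT location are assumptions. The session itself still comes from the container (cookie), since an id carried in a URL also appears in access logs and Referer headers.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to /downloaddir/* in web.xml, so getPathInfo() returns "/<id>/<file>".
public class GuardServlet extends HttpServlet {
    // Assumption: files are kept outside the web root, so only this servlet serves them.
    private static final Path DOWNLOAD_ROOT = Paths.get("/var/app/downloads");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);  // never create a session here
        String pathInfo = req.getPathInfo();
        // "/1/abc.jar" splits into ["", "1", "abc.jar"]
        String[] parts = pathInfo == null ? new String[0] : pathInfo.split("/", 3);
        if (session == null || parts.length != 3 || parts[2].isEmpty()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        // Steps 1-2: compare the id from the URL with the live session id
        // without leaking how many leading characters matched.
        byte[] urlId = parts[1].getBytes(StandardCharsets.UTF_8);
        byte[] liveId = session.getId().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(urlId, liveId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied"); // step 4
            return;
        }
        // Reject "../" and absolute paths: the resolved file must stay under the root.
        Path file = DOWNLOAD_ROOT.resolve(parts[2]).normalize();
        if (!file.startsWith(DOWNLOAD_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Step 3: stream the file as a download.
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment");
        Files.copy(file, resp.getOutputStream());
    }
}
```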
