tomcat-users mailing list archives

From Robert Priest <Robert.Pri...@bentley.com>
Subject RE: Session\Security Checking
Date Mon, 28 Jul 2003 16:25:23 GMT
Thanks, Rick. I appreciate the info. But I am not sure that we want to use
realm for our solution. But I certainly think it is feasible. 

I think we are more in the market for some sort of simple session guard.
Please allow me to explain a little further. Then I would like to hear your
opinion about the suggested approach versus adding a REALM:

the URL for the download will contain a session id for the user. So if you
will allow me to modify my example:

Say user A logs in and has a session id of "1" and wants to download
abc.jar. He will be redirected to the url:
http://localhost/myservlet/downloaddir/1/abc.jar

now I would like to put in place a guard servlet. So in myservlet's web.xml
I will add 

<servlet-mapping>
	<servlet-name>com.myproj.web.GUARD</servlet-name>
	<url-pattern>/downloaddir/*</url-pattern>
</servlet-mapping>

The intention is for the "Guard" servlet to:

1. Inspect the url for sessionid ("1" in this case).
2. Get it and compare it to the current session id (session.getID()).
3. if the two match, then start an http download.
4. If not, then throw up an "Access Denied" error page.

That is pretty much all we need to do. I also don't want to add basic\Form
authentication at this point for those directories. We simply want to match
whether the session id in the url is the same as the one the current user is
using.

That way, if another user, who will have a different session number (3 or
what have you) tries to paste in:  

http://localhost/myservlet/downloaddir/1/abc.jar

he\she will get an access denied.

Is that more understandable?

We are trying to prevent cutting and pasting of urls.

We are mainly concerned with just providing\denying access to this directory
and not security to an entire web application where I think the REALM would
be more applicable (I am not sure whether that is right or wrong...).


-----Original Message-----
From: Rick Roberts [mailto:techinfo@ait-web.com]
Sent: Monday, July 28, 2003 12:09 PM
To: Tomcat Users List
Subject: Re: Session\Security Checking


Found a link for ya:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

Rick

Robert Priest wrote:
> How can I check for a Valid session id before allowing access to a file?
> 
> For example:
> 
> - I have a directory containing files for download:
> http://localhost/myservlet/downloaddir/
> - but before you download a file, say abc.jar (by using
> "http://localhost/myservlet/downloaddir/abc.jar"), I want to make sure that
> you have a valid session id. If your
> session id is invalid, you get an access denied page. if not, a http
> download is started.
> 
> so I guess what I want is to intercept any request to that "downloaddir"
> and perform session\security checking (by another servlet or jsp page)
> before allowing access... 
> 
> 
> Now, is adding additional servlet\jsp the best way to go about this, or is
> there a better way through Tomcat configuration?
> 
> 
> Thanks.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 
*******************************************
* Rick Roberts                            *
* Advanced Information Technologies, Inc. *
*******************************************


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


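A sketch of the guard servlet Robert describes, added here as an example; it is not code from the thread or from Tomcat. It assumes the servlet is mapped to /downloaddir/* as in the web.xml snippet above, that the files to serve sit under an assumed /WEB-INF/downloads/ folder (so the container never serves them directly), and that the check must only accept a session that already exists rather than creating a new one.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to /downloaddir/* ; expects URLs of the form /downloaddir/<sessionId>/<file>
public class GuardServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part after the mapping, e.g. "/1/abc.jar"
        String path = req.getPathInfo();
        String[] parts = (path == null) ? new String[0] : path.substring(1).split("/", 2);
        // getSession(false): a request without an existing session must not create one
        HttpSession session = req.getSession(false);
        if (parts.length != 2 || session == null || !sameId(parts[0], session.getId())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        String fileName = parts[1];
        // Only a bare file name is allowed: no sub-paths, no traversal sequences
        if (fileName.isEmpty() || fileName.contains("..")
                || fileName.contains("/") || fileName.contains("\\")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        // Assumed location; resources under WEB-INF are not reachable by direct URL
        InputStream in = getServletContext().getResourceAsStream("/WEB-INF/downloads/" + fileName);
        if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        try (InputStream src = in; OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = src.read(buf)) > 0) out.write(buf, 0, n);
        }
    }

    // Constant-time comparison so a mismatch does not reveal how many leading characters matched
    static boolean sameId(String fromUrl, String fromSession) {
        return MessageDigest.isEqual(fromUrl.getBytes(StandardCharsets.UTF_8),
                                     fromSession.getBytes(StandardCharsets.UTF_8));
    }
}
```

Note that the id in the URL ends up in access logs, browser history and Referer headers sent to other sites, so it is worth treating as sensitive; since the session cookie already identifies the user, the same guard works with just the `session == null` check and no id in the path.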