Restricting access to a WEB-INF subfolder

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Tomcat - JSP/Servlet container

Struts - A MVC web framework

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

JSP - A mailing list about Java Server Pages specification and reference

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Subject: Servlet : Session invalidate
•	Oracle Connection Pooling in 3 2 2
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Subject: Running a Simple JMS Example
•	Tomcat and webapplication specific java library path
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	Value attribute of <html:checkbox
•	url string for connecting jboss to oracle
•	javax servlet ServletException: BeanUtils populate
•	5 0 18: Windows XP Pro vs Windows 2000
•	HTTP Status 404 The requested resource is not available

Restricting access to a WEB-INF subfolder

Restricting access to a WEB-INF subfolder

2005-01-27 - By Karr, David

Back

Reply: 1 2 3 4

You might consider the following strategy:

Build a servlet whose only purpose is to stream resources based off a
particular root directory. Have an init-param specify the root
directory that it uses. You could optionally specify whether that root
directory is context-relative or not (or determine it from the value).
The servlet will use the "pathInfo" from the request to determine the
relative path of the resource to stream. It will append that to its
root directory, open the file, stream the resource, and then close the
stream.

Store your protected files in a separate directory off of "WEB-INF" (say
"files", for example), and specify the init-param for the servlet to use
that root directory.

A request for a file would look like:

http://host:port/app/streamer/this/is/the/path/file.txt

This would stream "WEB-INF/files/this/is/the/path/file.txt" to the
browser.

In your web.xml, bind "/streamer/*" to your servlet.

Then, if you need to specify certain access restrictions, specify
"security-constraint" elements in your web.xml that specify paths like
"/streamer/protected/path/*", along with the roles that can access that
tree.

> -- --Original Message-- --
> From: A mailing list for Java(tm) 2 Platform, Enterprise
>
> My questions are:
>
> #1- If I put the files under the web directory, a user could
> write a URL to the file and see it. Is there any way for me
> to restrict access to this directory so that only my servlet
> can see the files. I.e. a user needs to request a file
> through my servlet.
>
> #2- If I put the files under WEB-INF, the files are hidden
> from users and they cannot create a URL to see them. However
> from what I have read it will also not be possible to forward
> a request to those files. Is there any way for me to have my
> servlet forward requests to file under WEB-INF while at the
> same time make it impossible for users to create a URL to those files?

==========================================================================To
unsubscribe, send email to listserv@(protected) and include in the body
of the message "signoff J2EE-INTEREST". For general help, send email to
listserv@(protected) and include in the body of the message "help".