Java Mailing List Archive

http://www.junlu.com/


One solution to: How to hide files by extension under Tomcat 5?

Stephen Bacon

2004-04-20


Parsons Technical Services wrote:

> Since you don't like that you might try this. Set security-constraints for
> all the file types you want to protect.
>
> Then do NOT set an auth-constraint for it. Thus no one will be able to
> access it from outside.

Thanks Doug, that's the ticket.

Here's what I came up with:

I created a "page not found" html doc.

I then modified web.xml and
 a) created a security constraint for the url pattern "*.jspsegment",
with auth-constraint of "blockaccess"
 b) created the role "blockaccess" with no users
 c) set login-config to use the "FORM" auth-method, specifying the
custom "page not found" doc. for the login page - as it does not have
any actual functionality, and no one has the blockaccess role, files
with the extension "jspsegment" will never be served. Fun!

(You can do this without the "not found" form, but then you see a
tomcat-generated error rather than a more generic / app-specific
message. Also, set this as your custom error page and any nosey types
shouldn't be able to tell they've actually specified an existing page)

> PS Unless I am mistaken the file structure is controlled by the servlet
> spec. Thus Tomcat has no control over this feature.

You are correct - I was just being cranky.

thanks
 -Steve


Here are the additions to web.xml:

--%<----- (snip)

 <!-- Map every 404 to the generic page, so a probe for a real file name
      gets the same answer as a probe for a missing one. -->
 <error-page>
  <error-code>404</error-code>
  <location>/PageNotFound.html</location>
 </error-page>

 <!-- No <http-method> elements are listed, so the constraint applies to
      every HTTP method. Listing some (e.g. GET, POST and PUT only) would
      constrain just those and leave the rest, such as HEAD, unprotected. -->
 <security-constraint>
  <web-resource-collection>
    <web-resource-name>jspsegment direct access</web-resource-name>
    <url-pattern>*.jspsegment</url-pattern>
  </web-resource-collection>
  <!-- Only the "blockaccess" role may pass, and no user is ever given it. -->
  <auth-constraint>
    <role-name>blockaccess</role-name>
  </auth-constraint>
 </security-constraint>

 <security-role>
  <role-name>blockaccess</role-name>
 </security-role>

 <!-- FORM login whose login and error pages are both the "not found" page,
      so an unauthorised request for *.jspsegment just looks like a 404. -->
 <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>notfound</realm-name>
  <form-login-config>
    <form-login-page>/PageNotFound.html</form-login-page>
    <form-error-page>/PageNotFound.html</form-error-page>
  </form-login-config>
 </login-config>
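As an added check (my own script, not something from this thread or from Tomcat), the following Python audits the security-constraint entries of a web.xml for the two things that decide whether a "never serve this" rule really blocks everything: whether the constraint lists specific HTTP methods (in which case unlisted methods such as HEAD, OPTIONS or TRACE are not constrained at all), and whether the auth-constraint is an empty one that denies every caller rather than relying on a role nobody is mapped to. It embeds a constructed copy of the fragment above that still lists GET, POST and PUT, reports the gap, and shows a hardened rewrite. The method list `COMMON_METHODS` and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the web.xml fragment posted in the thread,
# but with an explicit GET/POST/PUT method list to show what that leaves open.
# A real Servlet 2.4 descriptor carries a namespace on <web-app>; _strip_ns
# below handles that case.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jspsegment direct access</web-resource-name>
      <url-pattern>*.jspsegment</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>blockaccess</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>blockaccess</role-name>
  </security-role>
</web-app>
"""

# Methods a reviewer would expect a blocking rule to cover (my own list).
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _strip_ns(root):
    """Drop XML namespaces so tag names can be matched by their local name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(parent, path):
    """Stripped text of every element matching an ElementTree path."""
    return [(e.text or "").strip() for e in parent.findall(path)]


def audit_constraints(web_xml_text):
    """Return one finding dict per <security-constraint> in the descriptor."""
    root = _strip_ns(ET.fromstring(web_xml_text))
    declared_roles = set(_texts(root, "security-role/role-name"))
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = _texts(sc, "web-resource-collection/url-pattern")
        methods = {m.upper() for m in _texts(sc, "web-resource-collection/http-method")}
        auth = sc.find("auth-constraint")
        roles = [] if auth is None else _texts(auth, "role-name")
        findings.append({
            "url_patterns": patterns,
            "listed_methods": sorted(methods),
            # Listing methods constrains only those; every other method is
            # left uncovered. No list at all means every method is covered.
            "uncovered_methods": sorted(COMMON_METHODS - methods) if methods else [],
            "roles": roles,
            # An <auth-constraint> with no <role-name> denies every caller,
            # without depending on which users the realm maps to a role.
            "denies_everyone": auth is not None and not roles,
            "undeclared_roles": sorted(set(roles) - declared_roles),
        })
    return findings


def harden(web_xml_text):
    """Return a copy in which each constraint covers all methods and denies all callers."""
    root = _strip_ns(ET.fromstring(web_xml_text))
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            for m in wrc.findall("http-method"):
                wrc.remove(m)
        auth = sc.find("auth-constraint")
        if auth is None:
            # Keep schema order: auth-constraint precedes user-data-constraint.
            auth = ET.Element("auth-constraint")
            udc = sc.find("user-data-constraint")
            sc.insert(list(sc).index(udc) if udc is not None else len(sc), auth)
        for r in auth.findall("role-name"):
            auth.remove(r)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print("before:", finding)
    for finding in audit_constraints(harden(SAMPLE_WEB_XML)):
        print("after: ", finding)
```

Run against the sample, the audit reports HEAD, DELETE, OPTIONS and TRACE as uncovered and `denies_everyone` as false; after `harden()` the constraint has no method list and an empty auth-constraint, so the same audit reports nothing uncovered and an unconditional deny. The role-based variant in the thread also works as long as nobody is ever mapped to `blockaccess`, but the empty auth-constraint does not depend on that mapping staying empty.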

