You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Ivan Ivanov <ra...@yahoo.com> on 2003/06/25 18:03:30 UTC
How to protect static HTML's
Dear Tomcat List,
I am facing the following problem. We have some static
html files in our Servlet/JSP project which reside in
a separate directory and we want to restrict the
access to them both from within the project and by
typing the URL directly in the browser. The rules of
accesing them are: if an user is not logged in our
app, he cannot access any of them and if he is logged
in, he can access only those files/folders to which he
has permmissions. Given the path (URL) of one of those
html files I can determine if the logged user has the
rights to see it.
So I wrote a servlet to check the rights and I added
the following entiries in web.xml:
<servlet>
<servlet-name>CoursesPermissionController</servlet-name>
<servlet-class>arcade.security.CoursesPermissionController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CoursesPermissionController</servlet-name>
<url-pattern>/jsp/ccim/Courses/*</url-pattern>
</servlet-mapping>
where /jsp/ccim/Courses/* is the directory where the
html files reside and CoursesPermissionController is
the servlet which desides whether the user has rights.
In its doGet I determine according the URL and the
logged user whether he can see it:
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws IOException, ServletException {
String requestURI =
request.getRequestURI();
String contextPath =
request.getContextPath();
HttpSession currentSession =
getSession(request);
long loggedUserID =
WebBean.getLoggedUserID(currentSession);
if (loggedUserID == -1) {
//User is not logged
forward("/jsp/ccim/accessdenied.jsp",
request, response);
}
else {
try {
//Pseudocode to save space
boolean isPermitted = checkAccording(requestURI,
loggedUserID );
if (isPermitted) {
int l = contextPath.length();
String forwardPath =
requestURI.substring(l);
//The user has rights, so forward to the original
request URL
forward(forwardPath, request,
response);
} else {
forward("/jsp/ccim/norights.jsp",
request, response);
}
} catch (Exception e) {
e.printStackTrace();
forward("/jsp/ErrorPage.jsp", request,
response);
}
}
}
and here is forward method:
private void forward(String path,
HttpServletRequest request, HttpServletResponse
response)
throws ServletException, IOException {
RequestDispatcher dispatcher =
request.getRequestDispatcher(path);
dispatcher.include(request, response);
}
The problem is that when the user has the rights i am
forwarding it to the same URL, then the servlet is
invoked again, the user is checked again, forwarded
agian in an endless recursion (or till
StackOverflowException).
My questions are:
1) can I implement the restrictions in a similar way
by invoking a servlet when a "protected" URL is
requested.
2) are there clearer ways to do it. I read in
Servlet2.3 Specifiaction for filters and
authenticating filters, but I think that I will end
with endless recursing also. Moreover, i couldn't find
a suitable filter example.
Up to know I workarounded the problem with this
method:
private void dump(String path, HttpServletRequest
request, HttpServletResponse response)
throws ServletException, IOException {
ServletContext context = getServletContext();
String realPath = context.getRealPath(path);
BufferedReader br = new BufferedReader(new
FileReader(realPath));
PrintWriter out = response.getWriter();
String line = "";
while ((line = br.readLine()) != null) {
out.println(line);
}
}
instead this lines
//The user has rights, so forward to the original
request URL
forward(forwardPath, request,
response);
I use
//The user has rights, so forward to the original
request URL
dump(forwardPath, request, response);
I also thought to transform the htmls in jsp's and
check for rights at the top of each jsp, but the
requirements say they must be htmls.
Thank you for your efforts. I will appreciate any
idea.
Greetings Ivan Ivanov
__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: How to protect static HTML's
Posted by Justin Ruthenbeck <ju...@nextengine.com>.
Ivan --
You're really close to getting it ... two options:
(1) Keep your servlet the way it is. Add a request attribute
(req.setAttribute()) during your security check if the security check
finishes successfully. Check for this attribute before doing the security
check again. Think of this as your break case for a recursive method call.
(2) Use filters. All filters set for a particular request are run *once*
on an incoming request. If you do a RequestDispatcher.forward(), the
filters will not be run again -- and you won't have recursion.
If you're going to continue developing functionality like this, invest the
time and go with #2. If not, I'd take #1.
justin
At 09:03 AM 6/25/2003, you wrote:
>Dear Tomcat List,
>I am facing the following problem. We have some static
>html files in our Servlet/JSP project which reside in
>a separate directory and we want to restrict the
>access to them both from within the project and by
>typing the URL directly in the browser. The rules of
>accesing them are: if an user is not logged in our
>app, he cannot access any of them and if he is logged
>in, he can access only those files/folders to which he
>has permmissions. Given the path (URL) of one of those
>html files I can determine if the logged user has the
>rights to see it.
>So I wrote a servlet to check the rights and I added
>the following entiries in web.xml:
>
> <servlet>
>
><servlet-name>CoursesPermissionController</servlet-name>
>
><servlet-class>arcade.security.CoursesPermissionController</servlet-class>
> </servlet>
> <servlet-mapping>
>
><servlet-name>CoursesPermissionController</servlet-name>
> <url-pattern>/jsp/ccim/Courses/*</url-pattern>
> </servlet-mapping>
>
>where /jsp/ccim/Courses/* is the directory where the
>html files reside and CoursesPermissionController is
>the servlet which desides whether the user has rights.
>In its doGet I determine according the URL and the
>logged user whether he can see it:
>
> public void doGet(HttpServletRequest request,
>HttpServletResponse response)
> throws IOException, ServletException {
> String requestURI =
>request.getRequestURI();
> String contextPath =
>request.getContextPath();
> HttpSession currentSession =
>getSession(request);
> long loggedUserID =
>WebBean.getLoggedUserID(currentSession);
> if (loggedUserID == -1) {
>//User is not logged
> forward("/jsp/ccim/accessdenied.jsp",
>request, response);
> }
> else {
> try {
> //Pseudocode to save space
> boolean isPermitted = checkAccording(requestURI,
>loggedUserID );
> if (isPermitted) {
> int l = contextPath.length();
> String forwardPath =
>requestURI.substring(l);
>//The user has rights, so forward to the original
>request URL
> forward(forwardPath, request,
>response);
> } else {
> forward("/jsp/ccim/norights.jsp",
>request, response);
> }
> } catch (Exception e) {
> e.printStackTrace();
> forward("/jsp/ErrorPage.jsp", request,
>response);
> }
> }
> }
>
>and here is forward method:
> private void forward(String path,
>HttpServletRequest request, HttpServletResponse
>response)
> throws ServletException, IOException {
> RequestDispatcher dispatcher =
>request.getRequestDispatcher(path);
> dispatcher.include(request, response);
> }
>The problem is that when the user has the rights i am
>forwarding it to the same URL, then the servlet is
>invoked again, the user is checked again, forwarded
>agian in an endless recursion (or till
>StackOverflowException).
>
>My questions are:
>1) can I implement the restrictions in a similar way
>by invoking a servlet when a "protected" URL is
>requested.
>2) are there clearer ways to do it. I read in
>Servlet2.3 Specifiaction for filters and
>authenticating filters, but I think that I will end
>with endless recursing also. Moreover, i couldn't find
>a suitable filter example.
>
>Up to know I workarounded the problem with this
>method:
> private void dump(String path, HttpServletRequest
>request, HttpServletResponse response)
> throws ServletException, IOException {
> ServletContext context = getServletContext();
> String realPath = context.getRealPath(path);
> BufferedReader br = new BufferedReader(new
>FileReader(realPath));
> PrintWriter out = response.getWriter();
> String line = "";
> while ((line = br.readLine()) != null) {
> out.println(line);
> }
> }
>instead this lines
>//The user has rights, so forward to the original
>request URL
> forward(forwardPath, request,
>response);
>I use
>//The user has rights, so forward to the original
>request URL
> dump(forwardPath, request, response);
>
>I also thought to transform the htmls in jsp's and
>check for rights at the top of each jsp, but the
>requirements say they must be htmls.
>
>Thank you for your efforts. I will appreciate any
>idea.
>
>Greetings Ivan Ivanov
>
>__________________________________
>Do you Yahoo!?
>SBC Yahoo! DSL - Now only $29.95 per month!
>http://sbc.yahoo.com
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
____________________________________
Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential
See http://www.nextengine.com/confidentiality.php
____________________________________
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org