Posted to user@struts.apache.org by Luis Eric López Fernández <lu...@gmail.com> on 2011/02/16 16:17:53 UTC

Restrict direct access to static content

Hello there,

I am new to Struts2 and I need to restrict direct access to my app's
static content. Right now users can access images, css, js, and pdfs by
directly typing in the resource URL, something like:

http://server:port/AppName/images/image_name.jpg

Will take them to the place where the image is stored.

As far as I can understand, restricting that access is not something that can
be done in the struts.xml file, because of the following statement:

"Requests for static resources, such as images and CSS files, bypass the
controller and are handled directly by the container."
(Struts2DesignAndProgramming, page 21)

So my first attempt to fix this is by adding the following lines to the
web.xml file:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>RestrictedDirectories</web-resource-name>
            <url-pattern>/AppName/images/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

(*) My app is running on a Websphere app server.

But it does not seem to work: after performing the changes and redeploying
the app I can still go to http://server:port/AppName/images/image_name.jpg
and the image is displayed.

Do you guys have any idea on how to fix this?

I appreciate your help!
Eric

Re: Restrict direct access to static content

Posted by Miguel <mi...@gmail.com>.
You can always make a request-aware Struts action that returns a stream (not
a JSP), and inside the action you can put everything you want to check the
user.
Open the file with a FileInputStream from an internal resource directory.

Sent from my Nexus S
Miguel Ruiz Velasco Sobrino
On Feb 16, 2011 11:55 AM, "Brian Thompson" <el...@gmail.com> wrote:
> About the only way I see to accomplish this requirement is to check on
> HTTP_REFERER somehow ... but that's hardly reliable.
>
> Really, this seems a lot like a requirement that leads to ... mean people
> writing javascript to replace the context menu with "Copyright
Crazy-People"
> alerts.
>
> -Brian

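Miguel's suggestion sketched in code, as an added example that is not from the thread or from the Struts project: a Struts2 action that streams a file kept under WEB-INF (a location the container's default servlet never serves) only after checking the session, and that rejects file names which could escape the directory. The package name, the `user` session key, the `/WEB-INF/protected` directory and the `Home` default action are assumptions; the struts.xml wiring shown in the class comment assumes the standard `stream` and `redirectAction` result types.

```java
package example; // hypothetical package

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.SessionAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Serves files from WEB-INF/protected only after checking the caller's session.
 * Assumed struts.xml wiring (request: /file.action?name=contract.pdf):
 *
 *   <action name="file" class="example.ProtectedFileAction">
 *     <result name="success" type="stream">
 *       <param name="inputName">inputStream</param>
 *       <param name="contentType">${contentType}</param>
 *       <param name="contentDisposition">inline; filename="${name}"</param>
 *     </result>
 *     <result name="denied" type="redirectAction">Home</result>
 *   </action>
 */
public class ProtectedFileAction extends ActionSupport implements SessionAware {

    // Plain file names only: no separators, no "..", no leading dot.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");
    private static final String BASE = "/WEB-INF/protected"; // assumed directory

    private Map<String, Object> session;
    private String name;          // bound from the "name" request parameter
    private InputStream inputStream;
    private String contentType;

    @Override
    public String execute() throws IOException {
        // 1. The caller must be logged in; the "user" session key is an assumption.
        if (session == null || session.get("user") == null) {
            return "denied";
        }
        // 2. Reject anything that is not a simple file name.
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            return "denied";
        }
        // getRealPath() assumes an exploded deployment; it returns null for packed WARs.
        String realBase = ServletActionContext.getServletContext().getRealPath(BASE);
        if (realBase == null) {
            return "denied";
        }
        File dir = new File(realBase);
        File target = new File(dir, name);
        // 3. Canonical path must still be inside the directory and point at a regular file.
        if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)
                || !target.isFile()) {
            return "denied";
        }
        contentType = ServletActionContext.getServletContext().getMimeType(name);
        if (contentType == null) {
            contentType = "application/octet-stream";
        }
        inputStream = new FileInputStream(target); // StreamResult closes it after writing
        return SUCCESS;
    }

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setName(String name) { this.name = name; }
    public String getName() { return name; }
    public InputStream getInputStream() { return inputStream; }
    public String getContentType() { return contentType; }
}
```

The files live outside the document root, so the only path to them is this action; pages reference them as `<img src="file.action?name=logo.png">` rather than `/images/logo.png`. The denied branch redirects to the default action, which matches step 3 of Eric's requirement; for CSS or JS requests a 403 would usually be the more honest response.
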
Re: Restrict direct access to static content

Posted by Brian Thompson <el...@gmail.com>.
On Wed, Feb 16, 2011 at 11:34 AM, Dave Newton <da...@gmail.com> wrote:

> How will you request them from within the JSP?

About the only way I see to accomplish this requirement is to check on
HTTP_REFERER somehow ... but that's hardly reliable.

Really, this seems a lot like a requirement that leads to ... mean people
writing javascript to replace the context menu with "Copyright Crazy-People"
alerts.

-Brian

Re: Restrict direct access to static content

Posted by Dave Newton <da...@gmail.com>.
2011/2/16 Luis Eric López Fernández wrote:
> I am thinking to do something that will completely destroy the purpose of
> struts hehe.. I will add a servlet to handle all the requests different than
> .action and there I will redirect to an error page.  =S

How will you request them from within the JSP?

Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Restrict direct access to static content

Posted by Luis Eric López Fernández <lu...@gmail.com>.
I'm pretty much trying to do the following:

1.- user tries to access a static resource directly
2.- app receives the request
3.- application directs the user to a default location, but not the
requested resource

I am thinking to do something that will completely destroy the purpose of
struts hehe.. I will add a servlet to handle all the requests different than
.action and there I will redirect to an error page.  =S

That's the only solution I can think of  =(

On Wed, Feb 16, 2011 at 11:24 AM, Vitor De Mario <vi...@gmail.com> wrote:

> Unfortunately I don't know a solution to the problem, but what he's trying
> to do doesn't look that strange to me. I believe Luis'd like to hide his
> internal folder structure, probably. Struts 2 URL's are made up, don't
> correspond to any physical folders, but .js, .css and the like would
> probably have to be referenced directly by the internal folder structure of
> the web app. I believe he's trying to hide this, ain't that right?

Re: Restrict direct access to static content

Posted by Dave Newton <da...@gmail.com>.
Access to the resources isn't the issue, though.

Dave

On Wed, Feb 16, 2011 at 12:28 PM, Chris Pratt <th...@gmail.com> wrote:
> Basically you need to implement an Authentication/Authorization system in
> your app (you can start with Spring Security if you're not comfortable doing
> a scratch implementation).  Then use that system to protect all your assets.
>  (*Chris*)


Re: Restrict direct access to static content

Posted by Chris Pratt <th...@gmail.com>.
Basically you need to implement an Authentication/Authorization system in
your app (you can start with Spring Security if you're not comfortable doing
a scratch implementation).  Then use that system to protect all your assets.
(*Chris*)

On Wed, Feb 16, 2011 at 9:24 AM, Vitor De Mario <vi...@gmail.com> wrote:

> Unfortunately I don't know a solution to the problem, but what he's trying
> to do doesn't look that strange to me. I believe Luis'd like to hide his
> internal folder structure, probably. Struts 2 URL's are made up, don't
> correspond to any physical folders, but .js, .css and the like would
> probably have to be referenced directly by the internal folder structure of
> the web app. I believe he's trying to hide this, ain't that right?

Re: Restrict direct access to static content

Posted by Vitor De Mario <vi...@gmail.com>.
Unfortunately I don't know a solution to the problem, but what he's trying
to do doesn't look that strange to me. I believe Luis'd like to hide his
internal folder structure, probably. Struts 2 URL's are made up, don't
correspond to any physical folders, but .js, .css and the like would
probably have to be referenced directly by the internal folder structure of
the web app. I believe he's trying to hide this, ain't that right?

On Wed, Feb 16, 2011 at 1:58 PM, Alex Lopez <al...@flordeutopia.pt> wrote:

> Correct me if I'm wrong, I think you could achieve this by doing:
>  in web.xml:
>
> <filter>
>    <filter-name>struts2</filter-name>
>
>
> <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
>  </filter>
>  <filter-mapping>
>    <filter-name>struts2</filter-name>
>    <url-pattern>/*</url-pattern>
>  </filter-mapping>
>
>  and in struts.xml:
>
>  <constant name="struts.action.extension" value=""/>
>  <constant name="struts.action.excludePattern" value="/js/.*, /css/.*,
> /img/.*"/>
>
> so struts2 catches all url requests as actions, unless specified in the
> excludePattern list. In your case, I think you would want a blank
> excludePattern (although I don't see why someone would want to restrict
> access to images etc... intended to be loaded as part of the page).

Re: Restrict direct access to static content

Posted by Alex Lopez <al...@flordeutopia.pt>.
Correct me if I'm wrong, I think you could achieve this by doing:

in web.xml:

    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

and in struts.xml:

    <constant name="struts.action.extension" value=""/>
    <constant name="struts.action.excludePattern" value="/js/.*, /css/.*, /img/.*"/>

so struts2 catches all url requests as actions, unless specified in the 
excludePattern list. In your case, I think you would want a blank 
excludePattern (although I don't see why someone would want to restrict 
access to images etc... intended to be loaded as part of the page).


On 16-02-2011 15:17, Luis Eric López Fernández wrote:
> Hello there,
>
> I am new to Struts2 and I need to restrict direct access to my app's
> static content. Right now users can access images, css, js, and pdfs by
> directly typing in the resource URL, something like:
>
> http://server:port/AppName/images/image_name.jpg
>
> Will take them to the place where the image is stored.
>
> As far as I can understand restricting that access is not something that can
> be done in the struts.xml file because of the following statement:
>
> "Requests for static resources, such as images and CSS files, bypass the
> controller and are handled directly by the container."
> (Struts2DesignAndProgramming, page 21)
>
> So my first attempt to fix this is by adding the following lines to the
> web.xml file:
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>RestrictedDirectories</web-resource-name>
>
>              <url-pattern>/AppName/images/*</url-pattern>
>
>          </web-resource-collection>
>      </security-constraint>
>
> (*) My app is running on a Websphere app server.
>
> But it does not seem to work: after performing the changes and redeploying
> the app I can still go to http://server:port/AppName/images/image_name.jpg
> and the image is displayed.
>
> Do you guys have any idea on how to fix this?
>
> I appreciate your help!
> Eric
>



Re: Restrict direct access to static content

Posted by Luis Eric López Fernández <lu...@gmail.com>.
It *sounds* like what you're trying to do is to only allow access to
static resources if they're requested from within a web page--is that
correct? *That's correct Dave!*


*Why* are you trying to do that? The answer may dictate the solution.
You can always stream static resources to the browser via S2, but...
if it's page-level resources (images, CSS, etc.) I don't see the
point. PDFs etc. I could understand. *I don't understand the reason for
restricting access to images, js and css but I've been requested to do it
hehe*

Isn't security-constraint supposed to restrict the access to the specified
url-patterns?
Do you know any way to implement that using struts2?

My original problem is that in my struts.xml file I can only define actions,
therefore something like this:
http://server:port/AppName/images/image_name.jpg
won't map to any action and it'll be directly handled by the container.

Is there any way to define a default response for non-action requests?
There's a way to define default actions, for example if the user types in an
action that does not exist such as:

http://server:port/AppName/home/Hehehe.action

I am using the following tag: <default-action-ref name="Home" /> and it
makes sure to always direct all the actions to Home

Is there any way to do that.. for everything-else requests? Requests like:

http://server:port/AppName/images/image_name.jpg
http://server:port/AppName/pdf/contract.pdf
http://server:port/AppName/css/styles.css


(*) Sorry if I'm asking dumb things, like I mentioned in my first email I am
new to struts2

Thanks for your help!
Eric

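Eric's three steps and Chris's advice combined, as an added example that is not code from the thread or from Struts: a plain servlet filter mapped to the static directories that lets the container serve the file only when the session carries a logged-in user, and otherwise sends the caller to the default action. Two things are worth knowing about the web.xml attempt in the first post: a security-constraint with no auth-constraint places no restriction at all (an empty `<auth-constraint/>` denies everyone, and listing role names restricts access to those roles), and url-patterns in web.xml are relative to the context root, so the pattern would have to be `/images/*` rather than `/AppName/images/*`. Even corrected, that route needs container-managed login, which is why the filter checks the application's own session state instead. The package name, the `user` session attribute, the `defaultPath` init-param and `/Home.action` are assumptions; the filter never consults the Referer header, which Brian rightly calls unreliable because the client sets it.

```java
package example; // hypothetical package

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Runs in front of the container's default servlet for the static directories.
 * Assumed web.xml registration, placed next to the struts2 filter:
 *
 *   <filter>
 *     <filter-name>staticGuard</filter-name>
 *     <filter-class>example.StaticResourceGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>defaultPath</param-name>
 *       <param-value>/Home.action</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>staticGuard</filter-name>
 *     <url-pattern>/images/*</url-pattern>
 *   </filter-mapping>
 *   (add one filter-mapping each for /css/*, /js/* and /pdf/*)
 *
 * url-pattern is relative to the context root: "/images/*", not "/AppName/images/*".
 */
public class StaticResourceGuardFilter implements Filter {

    private String defaultPath = "/Home.action"; // assumption: Eric's default action

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("defaultPath");
        if (configured != null) {
            defaultPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAuthorized(request)) {
            chain.doFilter(req, res); // let the container serve the file as usual
            return;
        }
        // Step 3 of the requirement: the caller gets the default location, not the resource.
        response.sendRedirect(request.getContextPath() + defaultPath);
    }

    /** Decides from server-side state only; the Referer header is client-controlled and ignored. */
    static boolean isAuthorized(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session just to check it
        return session != null && session.getAttribute("user") != null; // "user" key is an assumption
    }

    public void destroy() {
    }
}
```

Because the mapping is per directory, anonymous pages that embed images or CSS from a guarded directory will render with missing assets; keep public-page assets in an unguarded directory and guard only what must stay private (the PDFs in Eric's list are the obvious candidate). For image, CSS and JS requests a `403` status is often more useful than a redirect to an HTML page, since browsers cannot use HTML in those slots anyway.
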
Re: Restrict direct access to static content

Posted by Dave Newton <da...@gmail.com>.
2011/2/16 Luis Eric López Fernández wrote:
> So my first attempt to fix this is by adding the following lines to the
> web.xml file:
>
>    <security-constraint>
>        <web-resource-collection>
>            <web-resource-name>RestrictedDirectories</web-resource-name>
>
>            <url-pattern>/AppName/images/*</url-pattern>
>
>        </web-resource-collection>
>    </security-constraint>
>
> (*) My app is running on a Websphere app server.
>
> But it does not seem to work, after performing the changes and redeploying
> the app I can still go to: http://server:port/AppName/images/image_name.jpg
> and the image is displayed.
>
> Do you guys have any idea on how to fix this?

If you're having an issue with WebSphere, I'd try asking on a WebSphere forum.

IMO it'd be inappropriate to handle this requirement with S2, since
it's not really S2-related.

It *sounds* like what you're trying to do is to only allow access to
static resources if they're requested from within a web page--is that
correct?

*Why* are you trying to do that? The answer may dictate the solution.
You can always stream static resources to the browser via S2, but...
if it's page-level resources (images, CSS, etc.) I don't see the
point. PDFs etc. I could understand.

Dave
