Posted to users@tomcat.apache.org by Iñaki <41...@cepsz.unizar.es> on 2003/04/25 15:14:47 UTC

Forbid access to files to non-authenticated requests

Hi guys,

I'm implementing some web services based on Java & JSP. I'm using Apache for 
serving the static content and Tomcat (3.2) for JSPs & servlets. Everything on 
W2K.

Some of the pages require authentication, and I manage this at program level: 
if the user authentication against the database is positive, the session becomes 
valid and the pages are returned.

My question starts here:
these pages can contain links to files for displaying and/or downloading 
(images, documents, zips...). Although the 'container' pages cannot be returned 
without positive authentication, nothing prevents a non-authenticated user from 
accessing the referenced files (the files referenced in the links) just by knowing 
the path and entering it in the browser.

Does anybody know a way of restricting direct access to these 'referenced' 
files unless the request comes from an authenticated session?

One possible solution I'm thinking of is to create a special handler and add a 
couple of lines like these to the file 'tomcat-apache.conf':
     AddType      root/zipfiles .zip
     AddHandler   newHandlerForZips .zip

This looks quite complex to me and maybe there is another simpler solution I'm 
missing. Any idea? In case this is the solution, how complex is it to develop a 
handler?


Any input appreciated.


Cheers,
Iñaki.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Forbid access to files to non-authenticated requests

Posted by John Turner <to...@johnturner.com>.
Sorry, I have no clue if that's even possible.  Perhaps someone else does.

John

On Fri, 25 Apr 2003 16:22:02 +0200, Iñaki <41...@cepsz.unizar.es> wrote:

> John,
>
> Thanks a lot for the prompt answer. It's really a simpler solution 
> than my initial thought.
>
> I'm still missing something: As I understand it, it should work fine when 
> displaying, either using the tag <A> or <IMG>. However, if the client wants 
> to save the file (option 'save target as'), the proposed name to be saved 
> will be the name of the request ('jspName.jsp?filename.ext'). Of course 
> the user can manually change this name and give the right format, but is 
> there a way to provide the 'save as' window with the right name? Maybe 
> some parameter in the ServletResponse class?
>
>
> Thanks,
> Iñaki.



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



Re: Forbid access to files to non-authenticated requests

Posted by Tim Funk <fu...@joedog.org>.
Add a header called Content-Disposition.
http://www.faqs.org/ftp/rfc/rfc2183.txt

http://marc.theaimsgroup.com/?l=tomcat-user&m=105057713915896&w=2

-Tim



Re: Forbid access to files to non-authenticated requests

Posted by Iñaki <41...@cepsz.unizar.es>.
John,

Thanks a lot for the prompt answer. It's really a simpler solution than my 
initial thought.

I'm still missing something: As I understand it, it should work fine when 
displaying, either using the tag <A> or <IMG>. However, if the client wants to save 
the file (option 'save target as'), the proposed name to be saved will be the 
name of the request ('jspName.jsp?filename.ext'). Of course the user can 
manually change this name and give the right format, but is there a way to 
provide the 'save as' window with the right name? Maybe some parameter in the 
ServletResponse class?


Thanks,
Iñaki.


Message quoted from John Turner <to...@johnturner.com>:

> 
> In my mind, the simplest solution is to put these files someplace where 
> they are protected (like under WEB-INF).
> 
> Then, the link on the page is simply a link to a JSP with a URL parameter 
> of the file requested.  Your JSP can authenticate against the session, and 
> if OK, read the file from the disk into a buffer and stream it out to the 
> client.
> 
> John


Re: Forbid access to files to non-authenticated requests

Posted by John Turner <to...@johnturner.com>.
In my mind, the simplest solution is to put these files someplace where 
they are protected (like under WEB-INF).

Then, the link on the page is simply a link to a JSP with a URL parameter 
of the file requested.  Your JSP can authenticate against the session, and 
if OK, read the file from the disk into a buffer and stream it out to the 
client.

John

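A servlet that puts John's approach (files under WEB-INF, session check, stream to the client) together with Tim's Content-Disposition header, written here as an added example rather than code from the thread. The session attribute name "user", the /download mapping and the file parameter are assumed, as is an exploded deployment so that getRealPath returns a directory.

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Serves files kept under WEB-INF/files (never served directly by Tomcat) only
// to requests carrying an authenticated session. Assumed, hypothetical names:
// the login code stores a "user" session attribute; links are /download?file=x.
public class ProtectedFileServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Only an existing, authenticated session may proceed.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Accept a bare file name only: separators, ".." and quotes would
        //    let the parameter escape the directory or break the header.
        String name = req.getParameter("file");
        if (name == null || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0
                || name.indexOf("..") >= 0 || name.indexOf('"') >= 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 3. Resolve under WEB-INF and confirm the canonical path stayed there.
        File dir = new File(getServletContext().getRealPath("/WEB-INF/files"));
        File f = new File(dir, name);
        String prefix = dir.getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(prefix) || !f.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 4. Content-Disposition (RFC 2183) makes "Save as" propose the real
        //    file name instead of "download?file=report.zip".
        String type = getServletContext().getMimeType(name);
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.setContentLength((int) f.length());
        // 5. Stream the bytes to the client.
        InputStream in = new BufferedInputStream(new FileInputStream(f));
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

For images shown inline with <IMG>, use "inline" instead of "attachment" in the Content-Disposition value; the session and path checks stay the same.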