Posted to users@tomcat.apache.org by Iñaki <41...@cepsz.unizar.es> on 2003/04/25 15:14:47 UTC
Forbid access to files to non-authenticated requests
Hi guys,
I'm implementing some web services based on Java & JSP. I'm using Apache for
serving the static content and Tomcat (3.2) for JSPs & servlets. Everything on
W2K.
Some of the pages require authentication, and I manage this at program level:
if the user authentication against the database is positive, the session becomes
valid and the pages are returned.
My question starts here:
these pages can contain links to files for displaying and/or downloading
(images, documents, zips...). Although the 'container' pages cannot be returned
without positive authentication, nothing prevents a non-authenticated user from
accessing the referenced files (the files referenced in the links) just by knowing
the path and entering it in the browser.
Does anybody know a way of restricting the direct access to these 'referenced'
files unless the request comes from an authenticated session?
One possible solution I'm thinking of is to create a special handler and add a
couple of lines like these to the file 'tomcat-apache.conf':
AddType root/zipfiles .zip
AddHandler newHandlerForZips .zip
This looks quite complex to me and maybe there is another, simpler solution I'm
missing. Any idea? In case this is the solution, how complex is it to develop a
handler?
Any input appreciated.
Cheers,
Iñaki.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Forbid access to files to non-authenticated requests
Posted by John Turner <to...@johnturner.com>.
Sorry, I have no clue if that's even possible. Perhaps someone else does.
John
On Fri, 25 Apr 2003 16:22:02 +0200, Iñaki <41...@cepsz.unizar.es> wrote:
> John,
>
> Thanks a lot for the prompt answer. It's really a more simple solution
> than my initial thought.
>
> I'm still missing something: As I understand it, it should work fine when
> displaying, either using the tag <A> or <IMG>. However, if the client wants
> to save the file (option 'save target as'), the proposed name to be saved
> will be the name of the request ('jspName.jsp?filename.ext'). Of course
> the user can manually change this name and give it the right format, but is
> there a way to provide the 'save as' window with the right name? Maybe
> a parameter in the ServletResponse class?
>
>
> Thanks,
> Iñaki.
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Forbid access to files to non-authenticated requests
Posted by Tim Funk <fu...@joedog.org>.
Add a header called Content-Disposition.
http://www.faqs.org/ftp/rfc/rfc2183.txt
http://marc.theaimsgroup.com/?l=tomcat-user&m=105057713915896&w=2
-Tim
Iñaki wrote:
> John,
>
> Thanks a lot for the prompt answer. It's really a more simple solution than my
> initial thought.
>
> I'm still missing something: As I understand it, it should work fine when
> displaying, either using the tag <A> or <IMG>. However, if the client wants to save
> the file (option 'save target as'), the proposed name to be saved will be the
> name of the request ('jspName.jsp?filename.ext'). Of course the user can
> manually change this name and give it the right format, but is there a way to
> provide the 'save as' window with the right name? Maybe a parameter in the
> ServletResponse class?
>
>
> Thanks,
> Iñaki.
>
>
Re: Forbid access to files to non-authenticated requests
Posted by Iñaki <41...@cepsz.unizar.es>.
John,
Thanks a lot for the prompt answer. It's really a more simple solution than my
initial thought.
I'm still missing something: As I understand it, it should work fine when
displaying, either using the tag <A> or <IMG>. However, if the client wants to save
the file (option 'save target as'), the proposed name to be saved will be the
name of the request ('jspName.jsp?filename.ext'). Of course the user can
manually change this name and give it the right format, but is there a way to
provide the 'save as' window with the right name? Maybe a parameter in the
ServletResponse class?
Thanks,
Iñaki.
Message quoted from John Turner <to...@johnturner.com>:
>
> In my mind, the simplest solution is to put these files someplace where
> they are protected (like under WEB-INF).
>
> Then, the link on the page is simply a link to a JSP with a URL parameter
> of the file requested. Your JSP can authenticate against the session, and
> if OK, read the file from the disk into a buffer and stream it out to the
> client.
>
> John
Re: Forbid access to files to non-authenticated requests
Posted by John Turner <to...@johnturner.com>.
In my mind, the simplest solution is to put these files someplace where
they are protected (like under WEB-INF).
Then, the link on the page is simply a link to a JSP with a URL parameter
of the file requested. Your JSP can authenticate against the session, and
if OK, read the file from the disk into a buffer and stream it out to the
client.
John
On Fri, 25 Apr 2003 15:14:47 +0200, Iñaki <41...@cepsz.unizar.es> wrote:
> Hi guys,
>
> I'm implementing some web services based on Java & JSP. I'm using Apache
> for serving the static content and Tomcat (3.2) for JSPs & servlets.
> Everything on W2K.
>
> Some of the pages require authentication, and I manage this at program
> level: if the user authentication against the database is positive, the
> session becomes valid and the pages are returned.
>
> My question starts here:
> these pages can contain links to files for displaying and/or downloading
> (images, documents, zips...). Although the 'container' pages cannot be
> returned without positive authentication, nothing prevents a
> non-authenticated user from accessing the referenced files (the files
> referenced in the links) just by knowing the path and entering it in the browser.
>
> Does anybody know a way of restricting the direct access to these
> 'referenced' files unless the request comes from an authenticated
> session?
>
> One possible solution I'm thinking of is to create a special handler and add
> a couple of lines like these to the file 'tomcat-apache.conf':
> AddType root/zipfiles .zip
> AddHandler newHandlerForZips .zip
>
> This looks quite complex to me and maybe there is another, simpler
> solution I'm missing. Any idea? In case this is the solution, how complex
> is it to develop a handler?
>
>
> Any input appreciated.
>
>
> Cheers,
> Iñaki.
>
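Putting John's answer (files under WEB-INF, a session check, then stream the bytes) and Tim's answer (a Content-Disposition header) together, the following is an added example of the download handler; it is not code from this thread or from Tomcat. It is written as a servlet rather than a JSP because a JSP writes through a JspWriter, and calling response.getOutputStream() for binary data after the writer has been obtained throws an IllegalStateException. The session attribute name "user", the directory WEB-INF/protected and the /download mapping are assumptions about the application. One check neither reply spells out but that this design depends on: the file parameter must be validated before it is turned into a path, otherwise a request such as download?file=../web.xml walks straight out of the protected directory, so the name is restricted to a safe character set and the canonical path is compared with the base directory. Since Apache serves the static content in this setup, also confirm that the tomcat-apache.conf in use denies direct access to each context's WEB-INF directory: a file httpd serves itself never reaches Tomcat's session check.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Example only, not code from the thread. Mapped to /download in web.xml
 * (<url-pattern>/download</url-pattern>), so protected pages link to it as
 *   <a href="download?file=report.zip">report.zip</a>
 *   <img src="download?file=chart.gif">
 * and the files themselves live in <webapp>/WEB-INF/protected/.
 */
public class ProtectedDownloadServlet extends HttpServlet {

    // Both names are assumptions about the application, not Tomcat conventions.
    private static final String SESSION_USER_ATTR = "user";
    private static final String PROTECTED_DIR = "/WEB-INF/protected/";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Same session check the login code relies on. getSession(false)
        //    never creates a session, so an anonymous request cannot pass.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(SESSION_USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. The parameter must be a bare file name: no slashes, no
        //    backslashes, no leading dot. This rejects download?file=../web.xml
        //    and download?file=..\..\server.xml before any path is built.
        String name = req.getParameter("file");
        if (!isSafeName(name)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Resolve inside the protected directory and confirm the canonical
        //    path is still under it (second line of defence after the name check).
        String baseDir = getServletContext().getRealPath(PROTECTED_DIR);
        if (baseDir == null) {              // unexpanded WAR: no real path
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        File base = new File(baseDir).getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!target.getPath().startsWith(base.getPath() + File.separator)
                || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Headers. Content-Disposition (RFC 2183) makes "Save as" propose the
        //    real file name instead of "download". Images go out inline so <img>
        //    keeps working; everything else is offered as a download. Because
        //    'name' passed isSafeName it cannot carry quotes or CR/LF into the header.
        String mime = getServletContext().getMimeType(name);
        if (mime == null) {
            mime = "application/octet-stream";
        }
        String disposition = mime.startsWith("image/") ? "inline" : "attachment";
        resp.setContentType(mime);
        resp.setContentLength((int) target.length());   // files here are < 2 GB
        resp.setHeader("Content-Disposition", disposition + "; filename=\"" + name + "\"");

        // 5. Stream the bytes through the servlet output stream.
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }

    /* Letters, digits, '.', '_' and '-' only; at most 255 chars; no leading dot. */
    static boolean isSafeName(String name) {
        if (name == null || name.length() == 0 || name.length() > 255
                || name.charAt(0) == '.') {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
            if (!ok) {
                return false;
            }
        }
        return true;
    }
}
```

The filename parameter is kept to plain ASCII here; RFC 2183 itself does not define non-ASCII file names, which is one more reason to keep isSafeName strict rather than echoing whatever the link contained.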