Posted to users@tomcat.apache.org by John Klancer <ca...@calhoun.plus.com> on 2003/03/28 13:26:02 UTC

Limiting access to mapped resources using jk2, IIS 5.0, and Tomcat 4.1.20

I have set up IIS with isapi_redirector2.dll to map all requests to
www.server.com/foo to my Tomcat server running ajp13 (using jk2) on port
8009. This works well. However, Tomcat (4.1.20) is running a servlet
with access to sensitive data, so I want to make sure not just anyone
can access /foo. As it stands now, the rest of the website (.asp pages)
are all password protected. So, the first time a user attempts to access
a page, they have to authenticate and then are able to access the
remaining pages as long as their session is kept alive. I want to place
/foo behind the same password scheme.

However, currently anyone can make their own web page with an <applet>
tag with "codebase='http://www.server.com/foo'" and can access the
sensitive servlet. I want to deny this behavior, so basically that comes
down to two requirements:
1) User directly requests /foo -> Request denied
2) User requests http://www.server.com/page.asp which requests /foo ->
Request succeeds

Note that I don't have access to the servlet source, and I would rather
not edit the isapi_redirector2 source if I don't have to. I can't
imagine I'm the first person to have this issue, so I'd like to know a
solution! If you can help, I'd very much appreciate it.

Thank you 
 
   - John


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Limiting access to mapped resources using jk2, IIS 5.0, and Tomcat 4.1.20

Posted by Bill Barker <wb...@wilshire.com>.
It's simple enough to configure the /foo context to require BASIC
authentication for the entire app, but it seems that you want more.

It is also easy enough to write a Filter that does what you want.  The
following is an over-simplified version:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class myAccessFilter implements Filter {

   public myAccessFilter() {}
   public void init(FilterConfig conf) {}
   public void destroy() {}

   public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
       throws ServletException, IOException {
     if( ! (req instanceof HttpServletRequest) ) {
        return; // Can't happen with Tomcat
     }
     HttpServletRequest hReq = (HttpServletRequest)req;
     HttpServletResponse hRes = (HttpServletResponse)res;
     // Referer is an HTTP header, so read it through the HTTP-typed request
     String from = hReq.getHeader("referer");
     if(from == null) { // problem case, since bookmarks work this way
        // decide how you want to deal
     } else if( ! from.startsWith("http://www.server.com/") ) {
        hRes.sendError(HttpServletResponse.SC_FORBIDDEN, "Not allowed");
        return;
     }
     chain.doFilter(req, res);
   }
}

"John Klancer" <ca...@calhoun.plus.com> wrote in message
news:000e01c2f525$321ea760$36139fd4@abba...
> I have setup IIS with isapi_redirector2.dll to map all requests to
> www.server.com/foo to my Tomcat server running ajp13 (using jk2) on port
> 8009. This works well. However, Tomcat (4.1.20) is running a servlet
> with access to sensitive data, so I want to make sure not just anyone
> can access /foo. As it stands now, the rest of the website (.asp pages)
> are all password protected. So, the first time a user attempts to access
> a page, they have to authenticate and then are able to access the
> remaining pages as long as their session is kept alive. I want to place
> /foo behind the same password scheme.
>
> However, currently anyone can make their own web page with an <applet>
> tag with "codebase='http://www.server.com/foo'" and can access the
> sensitive servlet. I want to deny this behavior, so basically that comes
> down to two requirements:
> 1) User directly requests /foo -> Request denied
> 2) User requests http://www.server.com/page.asp which requests /foo ->
> Request succeeds
>
> Note that I don't have access to the servlet source, and I would rather
> not edit the isapi_redirector2 source if I don't have to. I can't
> imagine I'm the first person to have this issue, so I'd like to know a
> solution! If you can help, I'd very much appreciate it.
>
> Thank you
>
>    - John
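An added example, not code from either poster: a fuller version of the Referer-checking filter sketched above, written against the javax.servlet API that Tomcat 4.1 ships. Two things it does differently from the sketch are worth the extra lines. First, it parses the Referer with java.net.URI and compares scheme, host and port against a configured list, because a plain string prefix test is fragile: "http://www.server.com" as a prefix also matches "http://www.server.com.evil.example/", and "http://www.server.com@evil.example/" starts with the trusted host name but actually points at evil.example. Second, it fails closed on a missing or unparsable Referer, which is what requirement (1) asks for (a bookmark or typed-in URL is a direct request and is refused). The init-param name "allowedOrigins" and the class name are assumptions made for this example. Keep in mind what the check can and cannot do: the Referer header is set by the client, so this stops a browser that loads /foo from a page hosted elsewhere, but anyone who can craft their own HTTP requests can send any Referer they like. It raises the bar against the third-party <applet> page described in the question; it is not an authentication mechanism.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example filter (not from the thread): allows a request only when its
 *  Referer comes from one of the configured origins. */
public class RefererOriginFilter implements Filter {

    /** Allowed origins, each normalized to "scheme://host:port". Loaded from
     *  the (assumed) comma-separated init-param "allowedOrigins". */
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig conf) throws ServletException {
        String param = conf.getInitParameter("allowedOrigins");
        if (param == null) {
            throw new ServletException("allowedOrigins init-param is required");
        }
        String[] parts = param.split(",");
        for (int i = 0; i < parts.length; i++) {
            String origin = normalizeOrigin(parts[i].trim());
            if (origin == null) {
                throw new ServletException("not an absolute http(s) URL: " + parts[i]);
            }
            allowed.add(origin);
        }
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest hReq = (HttpServletRequest) req;
        HttpServletResponse hRes = (HttpServletResponse) res;
        if (!isAllowedReferer(hReq.getHeader("Referer"))) {
            hRes.sendError(HttpServletResponse.SC_FORBIDDEN, "Not allowed");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Fail closed: no Referer, or one that does not parse, is treated as a
     *  direct request and refused. */
    boolean isAllowedReferer(String referer) {
        if (referer == null) {
            return false;
        }
        String origin = normalizeOrigin(referer);
        return origin != null && allowed.contains(origin);
    }

    /** Reduce a URL to "scheme://host:port" with a real URL parser, so that
     *  look-alike hosts and userinfo tricks cannot pass as the trusted site.
     *  Returns null for anything that is not an absolute http(s) URL. */
    static String normalizeOrigin(String url) {
        URI u;
        try {
            u = new URI(url);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = u.getScheme();
        String host = u.getHost();   // null for "http://www.server.com@evil.example"? No: host is evil.example
        if (scheme == null || host == null) {
            return null;
        }
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;
        }
        int port = u.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80;
        }
        return scheme + "://" + host.toLowerCase() + ":" + port;
    }
}
```

To wire it in, declare the filter in the web application's web.xml with an init-param named allowedOrigins set to http://www.server.com, and map it with a url-pattern of /* so that every request reaching the /foo context passes through it before the servlet sees it. With that configuration "http://www.server.com/page.asp" as Referer is accepted, while "http://www.server.com.evil.example/x.html", "http://www.server.com@evil.example/", an empty header and no header at all are refused with 403.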



