You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Ralph Einfeldt <ra...@uptime-isc.de> on 2001/07/03 15:16:39 UTC

Protecting static resources with tomcat and apache

Can somebody answer this question or provide a link ?

  If using Tomcat 3.2/4.0 with apache and form based 
  login, will the resources that are served directly
  by apache be protected, and how is it done ?

As far as I understood tomcat stores username and
password in the session and checks on each request
if the requested resource is proteted and the stored
user has the credentials to access it.
(org/apache/tomcat/request/AccessInterceptor.java)

But apache doesn't know anything about the tomcat 
session (it may know the session id from the cookie
or the url but has no access to the internal data
of the session) so how can apache protect the static 
resources ?