The guard can be done with the Turbine servlet with an org.apache.turbine.modules.screens.RawScreen.
Here is some code that does that kind of thing. To fully understand that
code, please refer to the Turbine framework: http://jakarta.apache.org/turbine/

import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.OutputStream;

import org.apache.turbine.Turbine;
import org.apache.turbine.modules.screens.RawScreen;
import org.apache.turbine.om.security.User;
import org.apache.turbine.util.Log;
import org.apache.turbine.util.RunData;

// PermissionChecker, ModelUtils, CustomerAccount and Application are
// application classes that are not shown in this message.
public class LoadSecuredResource extends RawScreen {

    // Both fields are set in getContentType() and read in doOutput().
    // They are per-instance state, so they are only safe if the screen
    // instance is not shared between concurrent requests.
    private String requestedResource = null;
    private String requestedKind = null;

    protected void doOutput(RunData runData) throws Exception {
        Log.debug("LoadSecuredStatistics.doOutput");
        boolean isContentManager = PermissionChecker.isContentManager(runData);
        boolean isSalesManager = PermissionChecker.isSalesManager(runData);
        boolean isPlatformAdministrator = PermissionChecker.isPlatformAdministrator(runData);
        OutputStream out = runData.getResponse().getOutputStream();
        if (!(isContentManager || isSalesManager || isPlatformAdministrator)) {
            // No recognised role: send an empty body.
            out.write(new byte[0]);
        } else if (isPlatformAdministrator) {
            out.write(new byte[0]);
        } else if (isSalesManager) {
            out.write(loadResource(requestedResource));
        } else if (isContentManager) {
            // Content managers may only read resources of their own applications.
            if (canRead(runData.getUser(), requestedResource)) {
                out.write(loadResource(requestedResource));
            } else {
                out.write(new byte[0]);
            }
        } else {
            out.write(new byte[0]);
        }
    }

    protected String getContentType(RunData runData) {
        Log.debug("LoadSecuredStatistics.getContentType");
        // Default to "" so a missing parameter does not cause a NullPointerException.
        requestedResource = runData.getParameters().getString("resource", "");
        String contentType = null;
        if (requestedResource.endsWith("csv")) {
            contentType = "text/plain";
            requestedKind = "csv";
        } else if (requestedResource.endsWith("jpeg")) {
            contentType = "image/jpeg";
            requestedKind = "jpeg";
        } else {
            contentType = "text/plain";
            requestedKind = "none";
        }
        return contentType;
    }

    // The resource name starts with "<applicationId>_"; access is granted
    // when that application belongs to the content manager's account.
    private boolean canRead(User contentManager, String requestedResource) {
        boolean canRead = false;
        try {
            CustomerAccount account = ModelUtils.getAccountFor(contentManager);
            Application application = account.getApplicationById(
                Integer.parseInt(requestedResource.substring(0, requestedResource.indexOf('_'))));
            if (application != null) {
                canRead = true;
            }
        } catch (Exception e) {
            // Any failure (bad name, unknown account) means "cannot read".
        }
        return canRead;
    }

    private byte[] loadResource(String requestedResource) throws Exception {
        // The name comes from a request parameter: refuse anything that could
        // leave the /statistics/ directory.
        if (requestedResource == null || requestedResource.length() == 0
                || requestedResource.indexOf("..") >= 0
                || requestedResource.indexOf('/') >= 0
                || requestedResource.indexOf('\\') >= 0) {
            return new byte[0];
        }
        File file = new File(Turbine.getRealPath("/statistics/" + requestedResource));
        int fileLength = (int) file.length();
        DataInputStream dis = new DataInputStream(new FileInputStream(file));
        try {
            byte[] byteArray = new byte[fileLength];
            dis.readFully(byteArray);
            return byteArray;
        } finally {
            dis.close();
        }
    }
}

--- "Frost, Gary [IT]" <[EMAIL PROTECTED]> wrote:
> Unless I'm missing something it sounds like a Filter Servlet would do
> the trick here.
>
> Put the following into your web.xml
>
> <filter>
>   <filter-name>DownloadGuardFilter</filter-name>
>   <display-name>Guard the Downloads</display-name>
>   <description>Blah blah blah</description>
>   <filter-class>com.myproj.web.GuardFilter</filter-class>
> </filter>
> <filter-mapping>
>   <filter-name>DownloadGuardFilter</filter-name>
>   <url-pattern>/downloaddir/*</url-pattern>
> </filter-mapping>
>
> This way your com.myproj.web.GuardFilter will get called for every
> access to /download
>
> Have your servlet implement Filter and you're away, you'll have access
> to the url and the ServletRequest (cast to HttpServletRequest) and hence
> session, url etc, exactly as you require.
>
> Gary
>
> -----Original Message-----
> From: Robert Priest [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 29 July 2003 2:05 AM
> To: 'Jakarta Commons Users List'
> Subject: RE: Serving files through a Servlet?
>
>
> Yes, they do.
>
> Please allow me to do a bit more explaining...
>
> Also (a bit more information) the URL for the download will contain a
> session id for the user. So if you will allow me to modify my example:
>
> Say user A logs in and has a session id of "1" and wants to download
> abc.jar. He will be redirected to the url:
> http://localhost/myservlet/downloaddir/1/abc.jar
>
> now I would like to put in place a guard servlet.
> So in myservlet's web.xml I will add
>
> <servlet-mapping>
>   <servlet-name>com.myproj.web.GUARD</servlet-name>
>   <url-pattern>/downloaddir/*</url-pattern>
> </servlet-mapping>
>
> The intention is for the "Guard" servlet to:
>
> 1. Inspect the url for sessionid ("1" in this case).
> 2. Get it and compare it to the current session id (session.getID()).
> 3. if the two match, then start an http download.
> 4. If not then, throw up an "Access Denied" error page.
>
> That is pretty much all we need to do. I also don't want to add
> basic\Form authentication at this point for those directories. We simply
> want to match whether the session id in the url is the same as the one
> the current user is using.
>
> That way, if another user, who will have a different session number
> (3 or what have you) tries to paste in:
>
> http://localhost/myservlet/downloaddir/1/abc.jar
>
> he\she will get an access denied.
>
> Is that more understandable?
>
> We are trying to prevent cutting and pasting of urls.
>
>
> -----Original Message-----
> From: Schalk [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 11:38 AM
> To: 'Jakarta Commons Users List'
> Subject: RE: Serving files through a Servlet?
>
>
> Robert
>
> Do your users have to log in before accessing these downloadable files?
>
> Kind Regards
> Schalk Neethling
> Volume4.Development.Multimedia.Branding
> emotionalize.conceptualize.visualize.realize
> Tel: +27125468436
> Fax: +27125468436
> email:[EMAIL PROTECTED]
> web: www.volume4.co.za
>
>
> :: -----Original Message-----
> :: From: Robert Priest [mailto:[EMAIL PROTECTED]
> :: Sent: Monday, July 28, 2003 4:37 PM
> :: To: '[EMAIL PROTECTED]'
> :: Subject: RE: Serving files through a Servlet?
> ::
> :: Hello All,
> ::
> :: I am sorry. I was only subscribed to the Dev list, not the user. I am
> :: subscribed now however.
> ::
> :: If someone replied to this message, could you forward it to me...
> :: Thank you.
> ::
> ::
> :: Also, I had another question:
> ::
> :: How can I check for a Valid session id before allowing access to a file?
> ::
> :: For example:
> ::
> :: - I have a directory containing files for download:
> ::   http://localhost/myservlet/downloaddir/
> :: - but before you download a file, say abc.jar (by using
> ::   "http://localhost/myservlet/downloaddir/abc.jar"), I want to make sure
> ::   that you have a valid session id. If your session id is invalid, you
> ::   get an access denied page. if not, you are allowed to download.
> ::
> :: so I guess what I want is to intercept any request to that "downloaddir"
> :: and perform session\security checking (by another servlet or jsp page)
> :: before allowing access...
> ::
> ::
> :: Is there something in the commons package for that, or is this a
> :: question more for the "tomcat users" list?
> ::
> ::
> :: Thank you.
> :: > -----Original Message-----
> :: > From: Robert Priest
> :: > Sent: Monday, July 28, 2003 9:47 AM
> :: > To: '[EMAIL PROTECTED]'
> :: > Subject: FW: Serving files through a Servlet?
> :: >
> :: >
> :: >
> :: > -----Original Message-----
> :: > From: Robert Priest
> :: > Sent: Monday, July 28, 2003 9:19 AM
> :: > To: '[EMAIL PROTECTED]'
> :: > Subject: Serving files through a Servlet?
> :: >
> :: > Is there anything in the jakarta-commons package that will allow one to
> :: > serve files through a servlet? I would like to have requests for
> :: > downloading files come through a servlet instead of serving them
> :: > directly from an "http" accessible directory...
> :: >
> ::
> :: ---------------------------------------------------------------------
> :: To unsubscribe, e-mail: [EMAIL PROTECTED]
> :: For additional commands, e-mail: [EMAIL PROTECTED]
>
=== message truncated ===

=====
------------------------------------
| Raphaël Piéroni                  |
| 33+ 223 351 354                  |
| mailto:[EMAIL PROTECTED]         |
| http://www.dexem.com             |
| mailing:[EMAIL PROTECTED]        |
------------------------------------
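
The guard described in the quoted thread (the four steps in Robert Priest's message, attached through the filter mapping in Gary Frost's reply), written out as an added example; it is not code from any of the posters. It uses only the standard javax.servlet API and assumes the files sit directly under /downloaddir/ in the web application and that the filter mapping uses the default REQUEST-only dispatch.

```java
package com.myproj.web; // class name taken from the web.xml quoted in the thread

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

public class GuardFilter implements Filter {
    private static final String PREFIX = "/downloaddir/"; // URL layout from the thread

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-decoded path inside the webapp, e.g. /downloaddir/1/abc.jar
        String info = request.getPathInfo();
        String[] parts = parse(request.getServletPath() + (info == null ? "" : info));
        // getSession(false): a caller without a session must not be handed a new one.
        HttpSession session = request.getSession(false);
        if (parts == null || session == null || !sameId(parts[0], session.getId())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        // Assumption: the file lives at /downloaddir/<file>. The forward is not
        // filtered again under REQUEST-only dispatch, while a direct request for
        // /downloaddir/abc.jar carries no id segment and is refused above.
        request.getRequestDispatcher(PREFIX + parts[1]).forward(request, response);
    }

    /** Splits /downloaddir/<id>/<file> into {id, file}; null if malformed. */
    static String[] parse(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        String rest = path.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        if (slash <= 0 || slash == rest.length() - 1) return null;
        String file = rest.substring(slash + 1);
        // Exactly one file-name segment: no nested paths, no parent references.
        if (file.indexOf('/') >= 0 || file.indexOf('\\') >= 0 || file.contains("..")) return null;
        return new String[] { rest.substring(0, slash), file };
    }

    /** Compares ids without an early exit on the first differing byte. */
    static boolean sameId(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the session id travels in the URL path here, it also ends up in access logs, browser history and Referer headers, so those need the same handling as any other session credential.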
