Re: Authentication for streaming file (OT)
Have you tried other browsers than MSIE? If it works for FireFox, then you've probably hit http://issues.apache.org/bugzilla/show_bug.cgi?id=28750. Mark Leone [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Slightly off-topic -- Tomcat related I have a servlet that is invoked by clicking a hyperlink that is rendered by a JSP running in Tomcat. The servlet receives a file path parameter in the HTTP request, and then streams that file to the requesting client. I have a security-constraint/ defined in Tomcat for the JSP, requiring basic password authentication. However, if I define the security-constraint/ so that it applies to the servlet also, then the following error occurs when the servlet attempts to stream the file to the client. The browser presents the file info and prompts to save or open the file, but then when the actual streaming is attempted, the browser reports that the site is unreachable. This is apparently caused by the lack of any authentication during the file streaming operation, because when I define the security-constraint/ so that it applies to the JSP but not the servlet, the problem does not occur. I don't really understand why it behaves this way, since the servlet was invoked with proper authorization, and the problem occurs only when the servlet starts streaming a file to the client. But it does seem to be an authorization problem, since it goes away when I don't constrain the servlet for authentication. I can operate this way, but then my JSP is protected and the servlet is not. Is there a way to specify authentication parameters during the file streaming operation? Does anyone have an explanation for what I'm experiencing? Here's my servlet code: public class FileSender extends HttpServlet{ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ String filename = request.getParameter(file); File file = new File(filename); MimetypesFileTypeMap mimeTypes = new MimetypesFileTypeMap (C:\\Program Files\\Java\\jdk1.5.0_01\\lib\\mime.types); String mime = mimeTypes.getContentType(file); response.setContentType(mime); response.setHeader(Content-Disposition, attachment; + filename= + file.getName()); FileInputStream in = new FileInputStream(file); OutputStream out = response.getOutputStream(); byte[] buf = new byte[1024]; int i = 0; while((i=in.read(buf))!=-1) { out.write(buf, 0, i); } in.close(); out.close(); } } And here's my web.xml. With this configuration, the file downolad fails as described above. To make it work, I remove the second url-pattern/ element as indicated. !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2_2.dtd; web-app display-name File Port /display-name description Makes files available through the web container /description servlet servlet-nameFilePort/servlet-name description Retrieves specified file and sends it to requester /description servlet-classFileSnatcher.FileSender/servlet-class /servlet servlet-mapping servlet-nameFilePort/servlet-name url-pattern/FilePort/url-pattern /servlet-mapping !-- Define a Security Constraint on this Application -- security-constraint web-resource-collection web-resource-nameFileSnatcher/web-resource-name url-pattern*.jsp/url-pattern url-pattern/FilePort/url-pattern !-- remove this to make it work -- /web-resource-collection auth-constraint role-namemanager/role-name /auth-constraint /security-constraint !-- Define the Login Configuration for this Application -- login-config auth-methodBASIC/auth-method realm-nameJDBCRealm/realm-name /login-config !-- Security roles referenced by this web application -- security-role description The role that is required to log in to the Manager Application /description role-namemanager/role-name /security-role /web-app - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Authentication for streaming file (OT)
Yes, that's exactly my problem. It only fails with HTTPS connections on IE. It works with Firefox (using the built-in download manager or Flashgot) as well as Safari on a Mac. Nice to see, according to a posting in the BZ link you provided, that M$ has decided to label it a feature rather than a bug. I applied the workaround you described in BZ #27122, and it now works properly with all resources of the web app protected by a security-constraint/. Thanks for pointing me to the solution. -Mark Bill Barker wrote: Have you tried other browsers than MSIE? If it works for FireFox, then you've probably hit http://issues.apache.org/bugzilla/show_bug.cgi?id=28750. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Authentication for streaming file (OT)
Slightly off-topic -- Tomcat related I have a servlet that is invoked by clicking a hyperlink that is rendered by a JSP running in Tomcat. The servlet receives a file path parameter in the HTTP request, and then streams that file to the requesting client. I have a security-constraint/ defined in Tomcat for the JSP, requiring basic password authentication. However, if I define the security-constraint/ so that it applies to the servlet also, then the following error occurs when the servlet attempts to stream the file to the client. The browser presents the file info and prompts to save or open the file, but then when the actual streaming is attempted, the browser reports that the site is unreachable. This is apparently caused by the lack of any authentication during the file streaming operation, because when I define the security-constraint/ so that it applies to the JSP but not the servlet, the problem does not occur. I don't really understand why it behaves this way, since the servlet was invoked with proper authorization, and the problem occurs only when the servlet starts streaming a file to the client. But it does seem to be an authorization problem, since it goes away when I don't constrain the servlet for authentication. I can operate this way, but then my JSP is protected and the servlet is not. Is there a way to specify authentication parameters during the file streaming operation? Does anyone have an explanation for what I'm experiencing? Here's my servlet code: public class FileSender extends HttpServlet{ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ String filename = request.getParameter(file); File file = new File(filename); MimetypesFileTypeMap mimeTypes = new MimetypesFileTypeMap (C:\\Program Files\\Java\\jdk1.5.0_01\\lib\\mime.types); String mime = mimeTypes.getContentType(file); response.setContentType(mime); response.setHeader(Content-Disposition, attachment; + filename= + file.getName()); FileInputStream in = new FileInputStream(file); OutputStream out = response.getOutputStream(); byte[] buf = new byte[1024]; int i = 0; while((i=in.read(buf))!=-1) { out.write(buf, 0, i); } in.close(); out.close(); } } And here's my web.xml. With this configuration, the file downolad fails as described above. To make it work, I remove the second url-pattern/ element as indicated. !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2_2.dtd; web-app display-name File Port /display-name description Makes files available through the web container /description servlet servlet-nameFilePort/servlet-name description Retrieves specified file and sends it to requester /description servlet-classFileSnatcher.FileSender/servlet-class /servlet servlet-mapping servlet-nameFilePort/servlet-name url-pattern/FilePort/url-pattern /servlet-mapping !-- Define a Security Constraint on this Application -- security-constraint web-resource-collection web-resource-nameFileSnatcher/web-resource-name url-pattern*.jsp/url-pattern url-pattern/FilePort/url-pattern !-- remove this to make it work -- /web-resource-collection auth-constraint role-namemanager/role-name /auth-constraint /security-constraint !-- Define the Login Configuration for this Application -- login-config auth-methodBASIC/auth-method realm-nameJDBCRealm/realm-name /login-config !-- Security roles referenced by this web application -- security-role description The role that is required to log in to the Manager Application /description role-namemanager/role-name /security-role /web-app - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]