Re: Authentication with Tomcat + Apache

2002-05-31 Thread Phillip Morelock

> What would be the best solution if I have resources (non-HTML like
> movies etc.) which I want to protect with a custom made authentication?

Use Servlets.

Serve binary data as the output stream instead of text/html.

You can authenticate and do all your other "ok, is this person authorized,
what is the filename" etc., and then serve the headers and the file.

If you're interested in security, definitely do not have any part of the
filename as a request parameter -- look up the filename in the database.

There are packages that implement the raw binary serving in a rudimentary
way, I'm thinking specifically:
http://www.servlets.com/cos/index.html

See the ServletUtils.returnFile method... this should get you started.

Be sure to read the license before using or looking at this code.

cheers
fillup



On 5/31/02 1:38 AM, Markus Kirsten [EMAIL PROTECTED] wrote:

> What would be the best solution if I have resources (non-HTML like
> movies etc.) which I want to protect with a custom made authentication?
> I have a servlet which takes care of my authentication and I want this
> servlet to be able to either grant or permit access to a resource based
> on whether the particular user has an account (in a back end database).
>
> Thank you!
>
>
> Markus
 
 


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: Authentication with Tomcat + Apache

2002-05-31 Thread Markus Kirsten

Thank you. This was exactly what I was looking for. I thought that
opening a file for a servlet and then returning it like a stream to the
client would take too many resources, but it also seemed like the only
way I could think of except for some kind of HTTP Authentication. But I
haven't seen any packages out there that can verify a user with HTTP
Authentication and then use some kind of RequestDispatcher.

By the way, do you think that it's best to have the protected files on
my Apache server with HTTP Authentication with a login/pass that Tomcat
is aware of so Tomcat can get the resource and then send it to the user,
or is it better to have the files inside WEB-INF for example? I have
both Apache and Tomcat running on the same machine.


Markus






Re: Authentication with Tomcat + Apache

2002-05-31 Thread Phillip Morelock

> By the way, do you think that it's best to have the protected files on
> my Apache server with HTTP Authentication with a login/pass that Tomcat
> is aware of so Tomcat can get the resource and then send it to the user,
> or is it better to have the files inside WEB-INF for example? I have
> both Apache and Tomcat running on the same machine.

You shouldn't really be involving Apache, unless you want to use HTTP
authentication and have Apache and Tomcat individually configured for this.

I personally would be using my own authentication (Form-based) and serve
files after approval.

You can choose not to put the files under the Tomcat context. If you do NOT
put the files under the context of your webapp, Tomcat will silently refuse
to serve them (IIRC). This involves a little bit of messing with the
security manager, but it shouldn't be too big a deal.

Check out conf/catalina.policy and also
http://localhost:8080/tomcat-docs/security-manager-howto.html

if you have the docs still installed (otherwise that doc should be on the
Jakarta site).

If I am completely wrong here I hope someone will step up and correct me.

fillup
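
The approach discussed in this thread (authenticate in a servlet, look the filename up from an id instead of taking it from the request, keep the files outside the webapp context, then stream the bytes), as an added example that is not code from the original posts or from the com.oreilly.servlet package. The class name, the `/srv/protected-media` directory, the `userId` session attribute, the `id` parameter and the in-memory map standing in for the database are all assumptions; it targets the `javax.servlet` API (Servlet 3.1+) on Java 9+.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: streams a protected file only to a logged-in user. */
public class ProtectedFileServlet extends HttpServlet {
    // Assumption: media lives outside the webapp context, so no static URL maps to it.
    private static final Path MEDIA_ROOT = Paths.get("/srv/protected-media");
    // Stand-in for the database table mapping opaque ids to stored files (constructed data).
    private static final Map<String, String[]> FILES = Map.of(
            "1001", new String[] {"intro.mov", "video/quicktime"},
            "1002", new String[] {"lecture.mpg", "video/mpeg"});

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Authenticate: the form-login servlet is assumed to set "userId" in the session.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. The request carries only an opaque id; the filename comes from the lookup.
        String id = req.getParameter("id");
        String[] entry = (id == null) ? null : FILES.get(id);
        if (entry == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Path file = MEDIA_ROOT.resolve(entry[0]).normalize();
        // Defence in depth: a bad database row must not point outside the media root.
        if (!file.startsWith(MEDIA_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. Serve the headers, then the bytes, as a binary stream rather than text/html.
        resp.setContentType(entry[1]);
        resp.setContentLengthLong(Files.size(file));
        resp.setHeader("Cache-Control", "private, no-store");
        try (OutputStream out = resp.getOutputStream()) {
            Files.copy(file, out);
        }
    }
}
```

Unknown ids and missing files both return 404, so a client cannot tell the two cases apart. A per-user authorization check (does this account have access to this id) would go between steps 1 and 2.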

