-----Original Message-----
From: Scott Waldner [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 4:00 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: Blocking urls


Here is how we solved this problem using filters.  This was tested on Tomcat
5.5.9 and WebSphere 6.0.

A 404 error is the standard error thrown from the web container when a
non-existent resource is requested.  My goal was to send a 404 error when
these "restricted" resources were requested, so from a user's point of view
they cannot tell the difference between these "restricted" resources and any
other non-existent resource.  As a follow on to this, I present the user
with a custom error page rather than the browser's default 404 error page.

The first thing to do is define the filter in the web.xml as follows:

        <filter>
                <filter-name>RestrictedUrls</filter-name>
                <display-name>RestrictedUrls</display-name>
                <filter-class>mypackage.RestrictedUrls</filter-class>
        </filter>
        ...
        <filter-mapping>
                <filter-name>RestrictedUrls</filter-name>
                <!-- Specify your restricted resources here.
                     I restrict everything in the "jsp" directory
                     from being accessed directly.  -->
                <url-pattern>/jsp/*</url-pattern>
        </filter-mapping>


Here is the RestrictedUrls class:

--------------------------------------------------

package mypackage;

import java.io.IOException;
import javax.servlet.*;

public class RestrictedUrls implements Filter {

        public void destroy() {
        }

        public void doFilter(ServletRequest req,
                             ServletResponse resp,
                             FilterChain chain)
                throws ServletException, IOException {

                req.getRequestDispatcher("/404.jsp").forward(req, resp);

                // Note: if you wanted to just send a 404 (page not found)
                // to the browser rather than showing a custom error page, I
                // assume you could do the following instead of the above.
                // This worked on WebSphere, didn't try it on Tomcat yet.
                // This may actually be the more elegant solution, because
                // you can define your error page in the web.xml rather than
                // in the application code.
                // ((HttpServletResponse)resp).sendError(404);
        }

        public void init(FilterConfig config) throws ServletException {
        }
}

--------------------------------------------------

The final thing to do is define the custom error page for the 404 error.
This is optional, since you don't have to have an error page.  You do this
in the web.xml file.

        <error-page>
                <error-code>404</error-code>
                <location>/404.jsp</location>
        </error-page>

I don't show the 404.jsp page here since that is standard jsp/html stuff.

This works great on most browsers, but I should point out that there is a
problem in IE because it will always display its own error page when a 404
error is sent.  The user will be blocked from the "restricted resources" (a
good thing) but they will be shown the IE 404 error page instead.  That is a
different topic, but I did find a solution to that problem using filters if
anyone is interested.


Scott Waldner
Software Engineer
Metafile Information Systems, Inc.
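
An added example, not part of the message above or of Tomcat's own code: a variant of the filter built on the sendError call from the commented-out line, so the response carries a real 404 status and the container renders the web.xml error-page mapping (a plain forward leaves the status at 200 unless 404.jsp sets it itself). The class name RestrictedUrlsNotFound and the log message text are assumptions.

```java
package mypackage;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; map it in web.xml the same way as RestrictedUrls.
public class RestrictedUrlsNotFound implements Filter {

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        if (!(req instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
            throw new ServletException("RestrictedUrlsNotFound only supports HTTP");
        }
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // Record the attempt server-side; the client only ever sees a 404.
        context.log("Blocked direct request for " + httpReq.getRequestURI()
                + " from " + httpReq.getRemoteAddr());

        // chain.doFilter() is deliberately never called, so the restricted
        // resource is not executed. sendError() sets the 404 status and lets
        // the container pick the <error-page> declared for error-code 404.
        httpResp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    public void destroy() {
        context = null;
    }
}
```

Under Servlet 2.4, a filter-mapping with no dispatcher elements applies only to requests coming from the client, so servlets that forward internally to pages under /jsp/ are not affected by this filter.
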

-----Original Message-----
From: Jim Henderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 7:49 AM
To: Tomcat Users List
Subject: RE: Blocking urls

Found a solution: using filters to "block" direct access to the Web
pages.

-----Original Message-----
From: Jim Henderson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 22, 2005 8:48 AM
To: Tomcat Users List
Subject: Blocking urls



I am working on porting a WebSphere JSP application to Tomcat.

I can not seem to find a way in Tomcat to block access to valid pages
within the application.  I don't want the user to access selected pages
by them typing the URL to the pages in question.

Is there a means to prevent this in Tomcat?



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







