Tomcat/Apache web server communication

2003-11-28 Thread Ivan Ivanov
Dear colleagues,

Please help in the following situation.
We are currently developing a web application based on
Tomcat4.1. This web app allows a user to upload files
and folders in a subdirectory of its context, so that
the content of these folders can be viewed or retrieved by
other users. The folders can contain static html
pages, jpgs, zip files, etc. However, a user has
uploaded some large video files, that create problems
when played through internet and place unnecessary
burden and the web app hangs or behaves badly.
As a solution, I decided to install Apache Web Server
and move these static files in Apache, so that Apache
will serve the static content. (Installation of Apache
and mod_jk2 connector is OK). 
However, the subdirectory in the webapp context in
which reside the uploaded files and folders is a
restricted area. When a user wants to access a
file in it, a filter (extends javax.servlet.Filter) is
invoked and checks according to some rules if the user
has enough rights and if so gives him the requested
resource.
My question is, if I move the subdirectory with the
uploaded files in Apache Web Server, how should I
configure Apache so that it can be reached only from
Tomcat and only when the filter permits?

In short if we have 
1) the url of ourwebapp is
http://somehost:8080/ourwebapp, 
2) the directory with uploaded stuff is uploaddir and
is accessed by
http://somehost:8080/ourwebapp/uploaddir
3) every time a user tries to access
http://somehost:8080/ourwebapp/uploaddir/somefolder/somefile
the filter checks his rights,
and we move uploaddir and its contents in Apache, how
should I set up Apache and eventually the filter?

Thanks in advance for your help.
Kind Regards Ivan Ivanov


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



How to protect static HTML's

2003-06-25 Thread Ivan Ivanov
Dear Tomcat List,
I am facing the following problem. We have some static
html files in our Servlet/JSP project which reside in
a separate directory and we want to restrict the
access to them both from within the project and by
typing the URL directly in the browser. The rules of
accessing them are: if a user is not logged in our
app, he cannot access any of them and if he is logged
in, he can access only those files/folders to which he
has permissions. Given the path (URL) of one of those
html files I can determine if the logged user has the
rights to see it.
So I wrote a servlet to check the rights and I added
the following entries in web.xml:

    <servlet>
        <servlet-name>CoursesPermissionController</servlet-name>
        <servlet-class>arcade.security.CoursesPermissionController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>CoursesPermissionController</servlet-name>
        <url-pattern>/jsp/ccim/Courses/*</url-pattern>
    </servlet-mapping>
 
where /jsp/ccim/Courses/* is the directory where the
html files reside and CoursesPermissionController is
the servlet which decides whether the user has rights.
In its doGet I determine according to the URL and the
logged user whether he can see it:
 
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String requestURI = request.getRequestURI();
        String contextPath = request.getContextPath();
        HttpSession currentSession = getSession(request);
        long loggedUserID = WebBean.getLoggedUserID(currentSession);
        if (loggedUserID == -1) {
            // User is not logged in
            forward("/jsp/ccim/accessdenied.jsp", request, response);
        } else {
            try {
                // Pseudocode to save space
                boolean isPermitted = checkAccording(requestURI, loggedUserID);
                if (isPermitted) {
                    int l = contextPath.length();
                    String forwardPath = requestURI.substring(l);
                    // The user has rights, so forward to the original request URL
                    forward(forwardPath, request, response);
                } else {
                    forward("/jsp/ccim/norights.jsp", request, response);
                }
            } catch (Exception e) {
                e.printStackTrace();
                forward("/jsp/ErrorPage.jsp", request, response);
            }
        }
    }
 
and here is the forward method:

    private void forward(String path, HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        RequestDispatcher dispatcher = request.getRequestDispatcher(path);
        dispatcher.include(request, response);
    }

The problem is that when the user has the rights I am
forwarding it to the same URL, then the servlet is
invoked again, the user is checked again, forwarded
again in an endless recursion (or till
StackOverflowException).
 
My questions are:
1) can I implement the restrictions in a similar way
by invoking a servlet when a protected URL is
requested.
2) are there clearer ways to do it. I read in
Servlet2.3 Specification for filters and
authenticating filters, but I think that I will end
with endless recursing also. Moreover, I couldn't find
a suitable filter example.
 
Up to now I have worked around the problem with this
method:

    private void dump(String path, HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletContext context = getServletContext();
        String realPath = context.getRealPath(path);
        BufferedReader br = new BufferedReader(new FileReader(realPath));
        try {
            PrintWriter out = response.getWriter();
            String line = "";
            while ((line = br.readLine()) != null) {
                out.println(line);
            }
        } finally {
            br.close(); // release the file handle even if writing fails
        }
    }

Instead of these lines

    // The user has rights, so forward to the original request URL
    forward(forwardPath, request, response);

I use

    // The user has rights, so forward to the original request URL
    dump(forwardPath, request, response);
 
I also thought to transform the htmls in jsp's and
check for rights at the top of each jsp, but the
requirements say they must be htmls.
 
Thank you for your efforts. I will appreciate any
idea.
 
Greetings Ivan Ivanov
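
Added example (not part of the original posts, and not the poster's code): a javax.servlet.Filter of the kind both messages mention, written so that an allowed request continues down the chain instead of being dispatched to its own URL again. The session attribute names "loggedUserID" and "allowedCoursePaths" are hypothetical stand-ins for WebBean.getLoggedUserID and the checkAccording pseudocode.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not code from the post. Map it with <filter-mapping> on
// /jsp/ccim/Courses/* in place of the servlet mapping.
public class CoursesPermissionFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Container-decoded path within the context; getRequestURI() is raw.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        HttpSession session = request.getSession(false); // never create one here
        String denyPage = null;
        if (session == null || session.getAttribute("loggedUserID") == null) {
            denyPage = "/jsp/ccim/accessdenied.jsp";
        } else if (!isPermitted(path, session)) {
            denyPage = "/jsp/ccim/norights.jsp";
        }
        if (denyPage != null) {
            // These pages lie outside the mapped directory.
            request.getRequestDispatcher(denyPage).forward(req, res);
            return;
        }
        // Allowed: pass the same request on to whatever serves the file.
        // No new dispatch to the URL happens, so the check is not re-entered.
        chain.doFilter(req, res);
    }

    // Assumption: login stored a Set of folder paths the user may read under
    // the hypothetical session attribute "allowedCoursePaths".
    @SuppressWarnings("unchecked")
    private boolean isPermitted(String path, HttpSession session) {
        Set<String> allowed = (Set<String>) session.getAttribute("allowedCoursePaths");
        if (allowed == null) return false; // deny by default
        for (String folder : allowed) {
            // Match whole path segments so "/a/b" does not also grant "/a/bc".
            if (path.equals(folder) || path.startsWith(folder + "/")) return true;
        }
        return false;
    }
}
```

The check uses getServletPath() plus getPathInfo() because the container has already decoded them, so the rule is evaluated against the decoded path rather than against an encoded variant of it.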
