RE: Blocking urls
Hi, I am also looking for a way to block access to the valid pages. Can you give a brief explanation on how would you use the filter to block? I am thinking to use the web.xml to set the privilege for each user. Thank you in advance, Kam Tomcat Users List tomcat-user@jakarta.apache.org wrote: I am also looking for a way to block access for administrator pages. Could you fill me in also? Thanks, Robyne -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 7:49 AM To: Tomcat Users List Subject: RE: Blocking urls Found a solution: using filters to block direct access to the Web pages. -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 8:48 AM To: Tomcat Users List Subject: Blocking urls I am working on porting a WebSphere JSP application to Tomcat. I can not seem to find a way in Tomcat to block access to valid pages within the application. I don't want the user to access selected pages by them typing the URL to the pages in question. Is there a means to prevent this in Tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: how do i restrict servlet access? / blocking URLs
Hi Jim, Thanks-- I just looked at using a filter as a solution, but there seems to be a problem. I want the servlet in webapp A to be able to dispatch to B but not a user. The problem is the filter will block all requests including the dispatch from A. I need a way to somehow ensure that A can invoke servlet B in web app B but not a user navigating directly... any ideas are greatly appreciated. Actually one question would be how to create a filter that allows incoming requests from that same machine but not IP's outside of it I guess? Thanks, Jason Jim Henderson wrote: Take a look at yesterdays (6/23 5:02 PM) posting Blocking urls. That should help. -Original Message- From: Jason Novotny [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 10:13 PM To: tomcat-user@jakarta.apache.org Subject: how do i restrict servlet access? Hi, I have a webapp A that uses cross-context to dispatch requests to webapp B. However, I want users to have to go thru webapp A and the mapping I set in web.xml. How do I restrict access so only webapp A can invoke B's servlet but B should be inaccessible to users navigation. Is there something I can set in the web.xml of B or would I need to modify server.xml as a site wide configuration? Thanks, Jason - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: how do i restrict servlet access? / blocking URLs
You could literally examine the IP of the incoming request (look at ServletRequest object), or you could have A set some sort of flag in request to indicate to the filter to let the request through regardless. -- Frank W. Zammetti Founder and Chief Software Architect Omnytex Technologies http://www.omnytex.com On Fri, June 24, 2005 2:32 pm, Jason Novotny said: Hi Jim, Thanks-- I just looked at using a filter as a solution, but there seems to be a problem. I want the servlet in webapp A to be able to dispatch to B but not a user. The problem is the filter will block all requests including the dispatch from A. I need a way to somehow ensure that A can invoke servlet B in web app B but not a user navigating directly... any ideas are greatly appreciated. Actually one question would be how to create a filter that allows incoming requests from that same machine but not IP's outside of it I guess? Thanks, Jason Jim Henderson wrote: Take a look at yesterdays (6/23 5:02 PM) posting Blocking urls. That should help. -Original Message- From: Jason Novotny [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 10:13 PM To: tomcat-user@jakarta.apache.org Subject: how do i restrict servlet access? Hi, I have a webapp A that uses cross-context to dispatch requests to webapp B. However, I want users to have to go thru webapp A and the mapping I set in web.xml. How do I restrict access so only webapp A can invoke B's servlet but B should be inaccessible to users navigation. Is there something I can set in the web.xml of B or would I need to modify server.xml as a site wide configuration? Thanks, Jason - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: how do i restrict servlet access? / blocking URLs
Sorry, I am no expert. I felt lucky to get the URL blocking solved. I don't have experience for what your doing. I just thought it might lead to something and could be adapted to your needs. Good luck -Original Message- From: Jason Novotny [mailto:[EMAIL PROTECTED] Sent: Friday, June 24, 2005 1:32 PM To: Tomcat Users List Cc: [EMAIL PROTECTED] Subject: Re: how do i restrict servlet access? / blocking URLs Hi Jim, Thanks-- I just looked at using a filter as a solution, but there seems to be a problem. I want the servlet in webapp A to be able to dispatch to B but not a user. The problem is the filter will block all requests including the dispatch from A. I need a way to somehow ensure that A can invoke servlet B in web app B but not a user navigating directly... any ideas are greatly appreciated. Actually one question would be how to create a filter that allows incoming requests from that same machine but not IP's outside of it I guess? Thanks, Jason Jim Henderson wrote: Take a look at yesterdays (6/23 5:02 PM) posting Blocking urls. That should help. -Original Message- From: Jason Novotny [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 10:13 PM To: tomcat-user@jakarta.apache.org Subject: how do i restrict servlet access? Hi, I have a webapp A that uses cross-context to dispatch requests to webapp B. However, I want users to have to go thru webapp A and the mapping I set in web.xml. How do I restrict access so only webapp A can invoke B's servlet but B should be inaccessible to users navigation. Is there something I can set in the web.xml of B or would I need to modify server.xml as a site wide configuration? Thanks, Jason - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: how do i restrict servlet access? / blocking URLs
you can use a Remote Host or Address Filter for webapp B that only allows localhost or whatever server webapp A runs on: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/valve.html something like this: Context of webapp B Valve className=org.apache.catalina.valves.RemoteAddrValve allow=ip of webapp A / /Context -Lou --- Jason Novotny [EMAIL PROTECTED] wrote: Hi Jim, Thanks-- I just looked at using a filter as a solution, but there seems to be a problem. I want the servlet in webapp A to be able to dispatch to B but not a user. The problem is the filter will block all requests including the dispatch from A. I need a way to somehow ensure that A can invoke servlet B in web app B but not a user navigating directly... any ideas are greatly appreciated. Actually one question would be how to create a filter that allows incoming requests from that same machine but not IP's outside of it I guess? Thanks, Jason Jim Henderson wrote: Take a look at yesterdays (6/23 5:02 PM) posting Blocking urls. That should help. -Original Message- From: Jason Novotny [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 10:13 PM To: tomcat-user@jakarta.apache.org Subject: how do i restrict servlet access? Hi, I have a webapp A that uses cross-context to dispatch requests to webapp B. However, I want users to have to go thru webapp A and the mapping I set in web.xml. How do I restrict access so only webapp A can invoke B's servlet but B should be inaccessible to users navigation. Is there something I can set in the web.xml of B or would I need to modify server.xml as a site wide configuration? Thanks, Jason - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Blocking urls
Found a solution: using filters to block direct access to the Web pages. -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 8:48 AM To: Tomcat Users List Subject: Blocking urls I am working on porting a WebSphere JSP application to Tomcat. I can not seem to find a way in Tomcat to block access to valid pages within the application. I don't want the user to access selected pages by them typing the URL to the pages in question. Is there a means to prevent this in Tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Blocking urls
Hi Jim, I'm looking for a way to do this as well. Can you let me know how you managed it or point me in the right direction? Thanks in advance -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: 23 June 2005 14:49 To: Tomcat Users List Subject: RE: Blocking urls Found a solution: using filters to block direct access to the Web pages. -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 8:48 AM To: Tomcat Users List Subject: Blocking urls I am working on porting a WebSphere JSP application to Tomcat. I can not seem to find a way in Tomcat to block access to valid pages within the application. I don't want the user to access selected pages by them typing the URL to the pages in question. Is there a means to prevent this in Tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Blocking urls
I am also looking for a way to block access for administrator pages. Could you fill me in also? Thanks, Robyne -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Thursday, June 23, 2005 7:49 AM To: Tomcat Users List Subject: RE: Blocking urls Found a solution: using filters to block direct access to the Web pages. -Original Message- From: Jim Henderson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 8:48 AM To: Tomcat Users List Subject: Blocking urls I am working on porting a WebSphere JSP application to Tomcat. I can not seem to find a way in Tomcat to block access to valid pages within the application. I don't want the user to access selected pages by them typing the URL to the pages in question. Is there a means to prevent this in Tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
FW: Blocking urls
-Original Message-
From: Scott Waldner [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 4:00 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: Blocking urls
Here is how we solved this problem using filters. This was tested on Tomcat
5.5.9 and WebSphere 6.0.
A 404 error is the standard error thrown from the web container when a
non-existent resource is requested. My goal was to send a 404 error when
these restricted resources were requested, so from a user's point of view
they cannot tell the difference between these restricted resources and any
other non-existent resource. As a follow on to this, I present the user
with a custom error page rather than the browser's default 404 error page.
The first thing to do is define the filter in the web.xml as follows:
filter
filter-nameRestrictedUrls/filter-name
display-nameRestrictedUrls/display-name
filter-classmypackage.RestrictedUrls/filter-class
/filter
...
filter-mapping
filter-nameRestrictedUrls/filter-name
!-- Specify your restricted resources here.
I restrict everything in the jsp directory
from being accessed directly. --
url-pattern/jsp/*/url-pattern
/filter-mapping
Here is the RestrictedUrls class:
--
package mypackage;
import java.io.IOException;
import javax.servlet.*;
public class RestrictedUrls implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest req,
ServletResponse resp,
FilterChain chain)
throws ServletException, IOException {
req.getRequestDispatcher(/404.jsp).forward(req, resp);
// Note: if you wanted to just send a 404 (page not found)
to
// to the browser rather than showing a custom error page, I
// assume you could do the following instead of the above.
// This worked on WebSphere, didn't try it on Tomcat yet.
// This may actually be the more elegant solution, because
you
// can define your error page in the web.xml rather than in
// the application code.
// ((HttpServletResponse)resp).sendError(404);
}
public void init(FilterConfig config) throws ServletException {
}
}
--
The final thing to do is define the custom error page for the 404 error.
This is optional, since you don't have to have an error page. You do this
in the web.xml file.
error-page
error-code404/error-code
location/404.jsp/location
/error-page
I don't show the 404.jsp page here since that is standard jsp/html stuff.
This works great on most browsers, but I should point out that there is a
problem in IE because it will always display it's own error page when a 404
error is sent. The user will be blocked from the restricted resources (a
good thing) but they will be shown the IE 404 error page instead. That is a
different topic, but I did find a solution to that problem using filters if
anyone is interested.
Scott Waldner
Software Engineer
Metafile Information Systems, Inc.
-Original Message-
From: Jim Henderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 7:49 AM
To: Tomcat Users List
Subject: RE: Blocking urls
Found a solution: using filters to block direct access to the Web
pages.
-Original Message-
From: Jim Henderson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 22, 2005 8:48 AM
To: Tomcat Users List
Subject: Blocking urls
I am working on porting a WebSphere JSP application to Tomcat.
I can not seem to find a way in Tomcat to block access to valid pages
within the application. I don't want the user to access selected pages
by them typing the URL to the pages in question.
Is there a means to prevent this in Tomcat?
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Blocking urls
I am working on porting a WebSphere JSP application to Tomcat. I can not seem to find a way in Tomcat to block access to valid pages within the application. I don't want the user to access selected pages by them typing the URL to the pages in question. Is there a means to prevent this in Tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
