How to protect static HTML's
Dear Tomcat List,

I am facing the following problem. We have some static html files in our Servlet/JSP project which reside in a separate directory and we want to restrict access to them, both from within the project and by typing the URL directly in the browser. The rules for accessing them are: if a user is not logged in to our app, he cannot access any of them, and if he is logged in, he can access only those files/folders to which he has permissions. Given the path (URL) of one of those html files I can determine if the logged-in user has the rights to see it. So I wrote a servlet to check the rights and I added the following entries in web.xml:

  <servlet>
    <servlet-name>CoursesPermissionController</servlet-name>
    <servlet-class>arcade.security.CoursesPermissionController</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CoursesPermissionController</servlet-name>
    <url-pattern>/jsp/ccim/Courses/*</url-pattern>
  </servlet-mapping>

where /jsp/ccim/Courses/* is the directory where the html files reside and CoursesPermissionController is the servlet which decides whether the user has rights.
In its doGet I determine, according to the URL and the logged-in user, whether he can see it:

  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    String requestURI = request.getRequestURI();
    String contextPath = request.getContextPath();
    HttpSession currentSession = getSession(request);
    long loggedUserID = WebBean.getLoggedUserID(currentSession);
    if (loggedUserID == -1) {
      // User is not logged in
      forward("/jsp/ccim/accessdenied.jsp", request, response);
    } else {
      try {
        // Pseudocode to save space
        boolean isPermitted = checkAccording(requestURI, loggedUserID);
        if (isPermitted) {
          int l = contextPath.length();
          String forwardPath = requestURI.substring(l);
          // The user has rights, so forward to the original request URL
          forward(forwardPath, request, response);
        } else {
          forward("/jsp/ccim/norights.jsp", request, response);
        }
      } catch (Exception e) {
        e.printStackTrace();
        forward("/jsp/ErrorPage.jsp", request, response);
      }
    }
  }

and here is the forward method:

  private void forward(String path, HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    RequestDispatcher dispatcher = request.getRequestDispatcher(path);
    dispatcher.include(request, response);
  }

The problem is that when the user has the rights I am forwarding to the same URL, so the servlet is invoked again, the user is checked again, forwarded again, in an endless recursion (or till StackOverflowException).

My questions are:
1) Can I implement the restrictions in a similar way, by invoking a servlet when a protected URL is requested?
2) Are there clearer ways to do it?

I read in the Servlet 2.3 Specification about filters and authenticating filters, but I think that I will end up with endless recursion also. Moreover, I couldn't find a suitable filter example.
Up to now I have worked around the problem with this method:

  private void dump(String path, HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    ServletContext context = getServletContext();
    String realPath = context.getRealPath(path);
    BufferedReader br = new BufferedReader(new FileReader(realPath));
    try {
      PrintWriter out = response.getWriter();
      String line = "";
      while ((line = br.readLine()) != null) {
        out.println(line);
      }
    } finally {
      br.close();
    }
  }

Instead of these lines

  // The user has rights, so forward to the original request URL
  forward(forwardPath, request, response);

I use

  // The user has rights, so forward to the original request URL
  dump(forwardPath, request, response);

I also thought of transforming the htmls into jsp's and checking for rights at the top of each jsp, but the requirements say they must be htmls.

Thank you for your efforts. I will appreciate any idea.

Greetings,
Ivan Ivanov
RE: How to protect static HTML's
Use struts and move all of your JSP and html pages to WEB-INF. Change any reference to a page to a struts mapping; then in the action class you can check if the user has rights and, if they do, forward to the page.

Regards,
Jim.

-----Original Message-----
From: Ivan Ivanov [mailto:[EMAIL PROTECTED]]
Sent: 25 June 2003 17:04
To: [EMAIL PROTECTED]
Subject: How to protect static HTML's

> Dear Tomcat List, I am facing the following problem. We have some static html files in our Servlet/JSP project which reside in a separate directory and we want to restrict the access to them both from within the project and by typing the URL directly in the browser.
Re: How to protect static HTML's
Ivan --

You're really close to getting it ... two options:

(1) Keep your servlet the way it is. Add a request attribute (req.setAttribute()) during your security check if the security check finishes successfully. Check for this attribute before doing the security check again. Think of this as your break case for a recursive method call.

(2) Use filters. All filters set for a particular request are run *once* on an incoming request. If you do a RequestDispatcher.forward(), the filters will not be run again -- and you won't have recursion.

If you're going to continue developing functionality like this, invest the time and go with #2. If not, I'd take #1.

justin

At 09:03 AM 6/25/2003, you wrote:
> Dear Tomcat List, I am facing the following problem. We have some static html files in our Servlet/JSP project which reside in a separate directory and we want to restrict the access to them both from within the project and by typing the URL directly in the browser.
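Option (2), with option (1)'s request attribute kept as the break case, written out as an added example. This is not code from the thread: WebBean.getLoggedUserID(HttpSession) is Ivan's own class (it returns -1 when nobody is logged in, as his servlet shows) and must be imported from wherever it lives in his project, while the class name CoursesPermissionFilter and the in-memory permission table are constructed stand-ins for his checkAccording() lookup. The example also normalizes the request path before prefix-matching it, which Ivan's servlet does not do.

```java
package arcade.security;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards the static HTML under /jsp/ccim/Courses/*. Added example, not the thread's code.
 * WebBean.getLoggedUserID(HttpSession) is the poster's class (assumed to be importable here);
 * ALLOWED and checkAccording() are constructed stand-ins for his real permission lookup.
 */
public class CoursesPermissionFilter implements Filter {

    private static final String PROTECTED_PREFIX = "/jsp/ccim/Courses/";

    /** Option (1): marks a request that has already passed the check. */
    static final String CHECKED_ATTR = CoursesPermissionFilter.class.getName() + ".checked";

    /** Constructed sample data: user id -> folders that user may read. */
    private static final Map<Long, List<String>> ALLOWED = new HashMap<Long, List<String>>();
    static {
        ALLOWED.put(7L, Arrays.asList(PROTECTED_PREFIX + "java/", PROTECTED_PREFIX + "intro/"));
        ALLOWED.put(9L, Arrays.asList(PROTECTED_PREFIX + "intro/"));
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** Stand-in for the poster's checkAccording(): true if path lies in a folder the user may read. */
    static boolean checkAccording(String path, long userID) {
        List<String> folders = ALLOWED.get(userID);
        if (folders == null) {
            return false;
        }
        for (String folder : folders) {
            if (path.startsWith(folder)) {
                return true;
            }
        }
        return false;
    }

    /** Path inside the web app, decoded and with "." segments collapsed; null if it is not a plain path under the protected tree. */
    static String normalizedPath(HttpServletRequest request) {
        String raw = request.getRequestURI().substring(request.getContextPath().length());
        try {
            String path = new URI(raw).normalize().getPath();
            if (path == null || path.indexOf("..") >= 0 || !path.startsWith(PROTECTED_PREFIX)) {
                return null;  // anything that could escape the tree is refused outright
            }
            return path;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Break case (option 1): if the container re-runs filters on forwards
        // (Servlet 2.4 <dispatcher>FORWARD</dispatcher>), a request that already
        // passed goes straight through instead of being checked again.
        if (request.getAttribute(CHECKED_ATTR) != null) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = request.getSession(false);
        long loggedUserID = (session == null) ? -1 : WebBean.getLoggedUserID(session);
        if (loggedUserID == -1) {
            // Not logged in: nothing from the protected tree is ever written.
            request.getRequestDispatcher("/jsp/ccim/accessdenied.jsp").forward(request, response);
            return;
        }

        String path = normalizedPath(request);
        if (path == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        boolean permitted;
        try {
            permitted = checkAccording(path, loggedUserID);
        } catch (RuntimeException e) {
            // Fail closed: an error inside the permission check must not grant access.
            request.getRequestDispatcher("/jsp/ErrorPage.jsp").forward(request, response);
            return;
        }
        if (!permitted) {
            request.getRequestDispatcher("/jsp/ccim/norights.jsp").forward(request, response);
            return;
        }

        // Option (2): mark the request and continue the chain. The container's default
        // servlet now serves the HTML file; the filter is not entered a second time for
        // this incoming request, so there is no recursion and no dump() workaround.
        request.setAttribute(CHECKED_ATTR, Boolean.TRUE);
        chain.doFilter(request, response);
    }
}
```

Map it in web.xml with a <filter>/<filter-mapping> pair on /jsp/ccim/Courses/* and remove the servlet mapping for that pattern, so that after chain.doFilter() the default servlet serves the file. That also keeps the container's Content-Type, Last-Modified and caching headers, which the dump() workaround loses because it copies the lines through response.getWriter() itself.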
RE: How to protect static HTML's
Howdy,

> (2) Use filters. All filters set for a particular request are run *once* on an incoming request. If you do a RequestDispatcher.forward(), the filters will not be run again -- and you won't have recursion.

I wouldn't suggest that option, as it may break because the Servlet Specification v2.4 will be different: filters will run on the same request through RequestDispatcher.forward.

Yoav Shapira
RE: How to protect static HTML's
-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 12:53 PM
To: Tomcat Users List
Subject: RE: How to protect static HTML's

> Howdy,
>
> > (2) Use filters. All filters set for a particular request are run *once* on an incoming request. If you do a RequestDispatcher.forward(), the filters will not be run again -- and you won't have recursion.
>
> I wouldn't suggest that option, as it may break when the Servlet Specification v2.4 will be different. Filters will run on the same request through RequestDispatcher.forward.

Only when you specify that they are to be run that way. You can specify that they only be run on incoming requests, on forwards or on includes (and any combination of those). There are constants for these, but I forget what they are.
Re: How to protect static HTML's
If you configure it to do so.

-Tim

Shapira, Yoav wrote:
> I wouldn't suggest that option, as it may break when the Servlet Specification v2.4 will be different. Filters will run on the same request through RequestDispatcher.forward.
>
> Yoav Shapira
Re: How to protect static HTML's
Mike Curwen wrote:
> > I wouldn't suggest that option, as it may break when the Servlet Specification v2.4 will be different. Filters will run on the same request through RequestDispatcher.forward.
>
> Only when you specify that they are to be run that way. You can specify that they only be run on incoming requests, on forwards or on includes (and any combination of those). There are constants for these, but I forget what they are.

Something like that (with Servlet 2.4, SRV.6.2.5):

  <filter-mapping>
    <filter-name>FilterTest</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

-- Jeanfrancois
RE: How to protect static HTML's
At 10:57 AM 6/25/2003, you wrote:
> Only when you specify that they are to be run that way. You can specify that they only be run on incoming requests, on forwards or on includes (and any combination of those). There are constants for these, but I forget what they are.

See SRV.6.2.5 -- The xml tag is <dispatcher>[INCLUDE,FORWARD,REQUEST]</dispatcher>

justin

Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential  See http://www.nextengine.com/confidentiality.php
RE: How to protect static HTML's
Howdy,

> > I wouldn't suggest that option, as it may break when the Servlet Specification v2.4 will be different. Filters will run on the same request through RequestDispatcher.forward.
>
> Only when you specify that they are to be run that way. You can specify that they only be run on incoming requests, on forwards or on includes (and any combination of those). There are constants for these, but I forget what they are.

It's the new dispatcher element, documented in SRV.6.2.5 of the Servlet Specification v2.4 PFD 3.

Like I said, it may break. If you properly configure the server, the filtering approach will likely be fine. But it's something to keep in mind going forward.

Yoav Shapira
RE: How to protect static HTML's
Aren't those new keywords in the 2.2 servlet spec? They don't do any good for anyone who uses Tomcat 4.1.24 or earlier. Right?

--- Justin Ruthenbeck [EMAIL PROTECTED] wrote:
> See SRV.6.2.5 -- The xml tag is <dispatcher>[INCLUDE,FORWARD,REQUEST]</dispatcher>
>
> justin
Re: How to protect static HTML's
Oops, I meant servlet spec 2.4.

--- Jean-Francois Arcand [EMAIL PROTECTED] wrote:
> Something like that (with Servlet 2.4, SRV.6.2.5):
>
>   <filter-mapping>
>     <filter-name>FilterTest</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
>     <dispatcher>INCLUDE</dispatcher>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>ERROR</dispatcher>
>   </filter-mapping>
>
> -- Jeanfrancois
RE: How to protect static HTML's
At 11:12 AM 6/25/2003, you wrote:
> Aren't those new keywords in the 2.4 servlet spec? They don't do any good for anyone who uses Tomcat 4.1.24 or earlier. Right?

Yes, that's correct. Yoav's point was that if you go with Filters in Tomcat 4.x (Servlet 2.3), you may have to change your configurations when you eventually upgrade to Tomcat 5.x (Servlet 2.4).

To be clear:

For Tomcat 4.x, Filters are only run when a request comes to the container.

For Tomcat 5.x, Filters are configurable to run at any or all of request-time, forward-time, and include-time -- depending on the Servlet 2.4 dispatcher element.

justin
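The two configurations Justin contrasts, written out as an added web.xml example rather than a fragment from the thread. The filter name and class are assumed (a filter guarding /jsp/ccim/Courses/*, as discussed above); the version header, the dispatcher element and its REQUEST value are the Servlet 2.4 syntax from SRV.6.2.5.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.4 deployment descriptor (Tomcat 5.x). The <dispatcher> element is
     only valid under this 2.4 schema header; a 2.3 DOCTYPE does not allow it.
     Added example; CoursesPermissionFilter is an assumed class name. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <filter>
    <filter-name>CoursesPermissionFilter</filter-name>
    <filter-class>arcade.security.CoursesPermissionFilter</filter-class>
  </filter>

  <!-- Guard only the protected directory, and only on incoming client requests.
       With REQUEST alone the filter runs once per request and is not re-entered
       by its own forward to accessdenied.jsp or norights.jsp; that matches what
       Tomcat 4.x (Servlet 2.3) does with no <dispatcher> element at all.
       Adding <dispatcher>FORWARD</dispatcher> and <dispatcher>INCLUDE</dispatcher>
       would run it on those dispatches too, which is the case the
       request-attribute break check in the filter exists for. -->
  <filter-mapping>
    <filter-name>CoursesPermissionFilter</filter-name>
    <url-pattern>/jsp/ccim/Courses/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

</web-app>
```

On Tomcat 4.x the same two elements go under the 2.3 DOCTYPE (<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">) with the <dispatcher> line removed; the container then runs the filter only on incoming requests, which is exactly the behaviour the REQUEST value makes explicit on 2.4, so the upgrade Justin describes is a one-line change.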
Re: How to protect static HTML's
Right. The mechanism is only supported in Tomcat 5, since it is in Servlet 2.4.

-- Jeanfrancois

Michael Duffy wrote:
> Aren't those new keywords in the 2.2 servlet spec? They don't do any good for anyone who uses Tomcat 4.1.24 or earlier. Right?