RE: Blocking access to static content
I have a tree that looks something like the following:

+---ctimpact
+---ctimpact
+---CTImpact
L---src
L---com
L---iat
+---ctimpact
L---utils
+---images
+---usr
+---1000
+---download
+---html
L---images
L---upload
+---123
+---download
L---upload
+---1234567890
+---download
+---html
L---images
L---upload
+---145000
+---download
+---html
L---images
L---upload
+---145001
+---download
+---html
L---images
L---upload
+---test
+---download
+---html
L---images
L---upload
L---Test14
+---download
+---html
L---images
L---upload
L---WEB-INF
+---classes
+---com
L---iat
+---ctimpact
L---utils
+---compressionFilters
+---filters
+---listeners
L---util
L---images

What I need to do is block access to anything under usr from direct access. I have turned off listings in the default servlet so it is harder to browse, but if I were to put in the URL http://localhost:8080/ctimpact/usr/1234567890/.properties, I would get the contents of that file. This is not acceptable.

I have added the following security constraint:

<security-constraint>
  <display-name>User Content</display-name>
  <web-resource-name>All user data</web-resource-name>
  <url-pattern>/usr/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>PUT</http-method>
  <http-method>POST</http-method>
  <http-method>DELETE</http-method>
  <auth-constraint>
    <role-name>not_allowed</role-name>
  </auth-constraint>
</security-constraint>

This does not seem to block access to anything under the /usr branch. If I use the URL above, my filter is not called. I'm having a hard time locating the information I need in either the docs or books. Any help would be appreciated.

Robert S. Harper
801.265.8800 ex. 255

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Blocking access to static content
On Tue, Oct 12, 2004 at 09:01:04AM -0600, Robert Harper wrote:
: http://localhost:8080/ctimpact/usr/1234567890/.properties,
: I would get the contents of that file. This is not acceptable.

So far, so good.

What about putting the web-resource-name and url-pattern inside <web-resource-collection> tags? That works for me:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Subscriber Area</web-resource-name>
    <url-pattern>/access/subscriber/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
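An added check, not code from the thread, that explains why the constraint in Robert's message matched nothing and what the wrapped form QM suggests fixes. It parses a constructed web.xml (namespace, names and the broken/fixed pair are assumptions) and reports constraints whose url-pattern sits outside a web-resource-collection; it also flags the Servlet-spec effect of listing http-method, which narrows a constraint to those methods only.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not from the thread). The first constraint has the shape Robert
# posted: url-pattern and http-method sit directly under security-constraint instead of
# inside a web-resource-collection. The second is the wrapped form QM suggests.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-name>broken</web-resource-name>
    <url-pattern>/usr/*</url-pattern>
    <http-method>GET</http-method>
    <auth-constraint><role-name>not_allowed</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All user data</web-resource-name>
      <url-pattern>/usr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>not_allowed</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Elements that only take effect inside a <web-resource-collection>.
COLLECTION_ONLY = ("web-resource-name", "url-pattern", "http-method")

def audit(web_xml):
    """Map each security-constraint's web-resource-name to a list of findings.
    The {*} prefix matches any XML namespace (ElementTree, Python 3.8+)."""
    report = {}
    for sc in ET.fromstring(web_xml).findall("{*}security-constraint"):
        name_el = sc.find(".//{*}web-resource-name")
        name = name_el.text if name_el is not None else "?"
        findings = []
        stray = [t for t in COLLECTION_ONLY if sc.find("{*}" + t) is not None]
        if stray:
            findings.append("outside web-resource-collection, ignored: " + ", ".join(stray))
        colls = sc.findall("{*}web-resource-collection")
        if not colls:
            findings.append("no web-resource-collection: constraint matches no request")
        # Servlet spec: listing http-method narrows the constraint to those methods,
        # so unlisted ones (HEAD, OPTIONS, TRACE, ...) stay unconstrained.
        if any(c.find("{*}http-method") is not None for c in colls):
            findings.append("http-method listed: unlisted methods are unconstrained")
        report[name] = findings
    return report

def constrained_patterns(web_xml):
    """url-patterns the container will actually enforce: those inside a collection."""
    root = ET.fromstring(web_xml)
    return sorted(e.text for e in root.findall(
        "{*}security-constraint/{*}web-resource-collection/{*}url-pattern"))
```

Run `audit(WEB_XML)` against a deployed web.xml to see which constraints are inert; an empty `<auth-constraint/>` (no role-name) is an alternative to an unassigned role and likewise denies everyone.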
Re: Blocking access to static content
The best way is to place all protected content under WEB-INF.

-Tim

Robert Harper wrote:
I have turned the listings off in the default servlet. Now how do I keep users from directly accessing anything outside of the defined servlets and JSP pages even if the user knows the path to the file?
Re: Blocking access to static content
On Mon, Oct 11, 2004 at 12:39:13PM -0600, Robert Harper wrote:
: I have turned the listings off in the default servlet. Now how do I keep users
: from directly accessing anything outside of the defined servlets and JSP pages
: even if the user knows the path to the file?

Filters, filters, filters.

-QM
RE: Blocking access to static content
I tried filters but my filters were not always called.

Robert S. Harper
801.265.8800 ex. 255
RE: Blocking access to static content
You can put all your resources (images, jsp, ..) under the WEB-INF directory.

Arnaud.
Re: Blocking access to static content
On Mon, Oct 11, 2004 at 01:27:14PM -0600, Robert Harper wrote:
: I tried filters but my filters were not always called.

It may be helpful to get to the root of why the filters weren't called. What happened? What was in web.xml?

Better yet, just define security-constraints in web.xml and limit access to a role that's not assigned to anyone.

Putting the files in WEB-INF has mixed results as far as container portability. Furthermore, it's not really a place for content...

-QM