Re: Controlling access to static content

[Ernie V]

The simplest way to solve this problem is to create a servlet that is mapped to the directory that you want to protect. Then, when a request is intercepted by the servlet, create or get a session and check to see if it is new. If it is new, then redirect the request to a login page, if not, then return the originally requested page. The logic here is that; assuming a session can only be obtained by logging in, then, if a session is new, then it was never obtained in the first place. If the session is not new, then the user must have logged in and should have access to the resource.

-ernie

Robin Meade wrote:

Hi, I'd like to re-visit the subject of how to control access to
static content so that only members with sufficient access rights
can view it.

Back on Sep 2, Filippos Slavik, initiated a thread
on this subject with this post:
http://archives.java.sun.com/cgi-bin/wa?A2=ind9909&L=servlet-interest&P=11988

Excerpt:

  I know how to write a login servlet that authenticates users
  and on successful login, this very servlet redirects to
  "other servlets". Of course when a "evil" user manually
  points his browser to the "other servlets", without passing
  through the login servlet, the "other servlets" redirects the
  user to the login user. This is understood and I have no
  problem. My situation is somehow different: I have a customer
  with a running http server. His site is 100% static pages
  based. He want's to add membership feature to his site. My
  first thought was to create a login servlet, which on
  successful login would redirect to his html files. On a
  second though this completely illegal, since a "evil" user
  could point directly his browser to the static html files. I
  think the solution would be easy, if i could force his http
  server on each file access to pass this request through a
  servlet (for example a fileaccess?URL=<file URL>).

Replies suggested creating a servlet mapped to the / alias. All
requests then pass through this servlet. The requested document
appears to the servlet as Path Info. The servlet would perform
its security checks and then, if OK, would open an input stream
on the requested static file and copy it onto the response's
output stream. It would also be responsible for setting the HTTP
response headers appropriately, such as content-type and content-
length. Ideally it would also handle if-last-modified
appropriately.

But since the leading servlet engines integrate with native http
servers whose strength is the efficient handling of static
content, I'm wondering if the servlet, after checking security,
can simply forward the request to the native http server.
Wouldn't this offer higher performance? (As well as avoid the
effort of duplicating functionality?)

Ideally, I'd like to tell the native http server that it should
filter static file requests matching some pattern, say
"/protected/*.pdf", through an authorization servlet. Such
requests would be examined for sufficient access rights in the
authorization servlet's doGet method:

protected void doGet(HttpServletRequest req,
    HttpServletResponse res) {

  // declarations skipped

  hasLoggedOn = // .. figure it out
  if (!hasLoggedOn) {
    req.setAttribute("requested-page", req.getPathInfo());
    sc.getRequestDispatcher("/login.jsp").forward(req, res);
    return;
  }

  hasAccessRights = // .. figure it out
  if (!hasAccessRights) {
    req.setAttribute("requested-page", req.getPathInfo());
    sc.getRequestDispatcher("/denied.jsp").forward(req, res)
    return;
  }

  /* User has sufficient access rights */
  req.setAttribute("authorization-filter-response", "OK");
  return;
}

If the authorization servlet determines that the user has not
logged-in or had insufficient access rights, the servlet would
forward to a login form or access denied page.

If, on the other hand, the user does has sufficient access
rights, the servlet would indicate this by setting a request
attribute and return without sending any response. At this point
control would return to the servlet engine (not sure about this
part) which inspects the request attribute, sees that it
successful passed through the filter, and instructs the native
http server to efficiently fulfill the static file request.

Basically, I want access-control logic implemented by servlets
for both dynamic and static content. But, for static content, I
want the servlet to somehow forward approved requests to the
native http server because handling static content is its
strength.

Note, that in the case of a pure java web server/servlet engine,
such as Sun's JWS, the equivalent to what I've been calling the
"native http server" would be JWS's FileServlet - its job is to
handle static files.

Is there a way to do this?

What made me think about this is Philip Greenspun's book on web
publishing:
http://photo.net/wtr/thebook/server-programming.html
(See Example 2: Customizing Access) In this example, he shows how
he can register an authorization filter script (written in TCL)
that the web server executes before each request that matches a
specified pattern. I want something similar with Java servlets.

Any comments/ideas would be greatly appreciated.

Thanks,
Robin Meade

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html