I have a tree that looks something like the following:

+---ctimpact
│   +---ctimpact
│   │   +---CTImpact
│   │   L---src
│   │       L---com
│   │           L---iat
│   │               +---ctimpact
│   │               L---utils
│   +---images
│   +---usr
│   │   +---1000
│   │   │   +---download
│   │   │   +---html
│   │   │   │   L---images
│   │   │   L---upload
│   │   +---123
│   │   │   +---download
│   │   │   L---upload
│   │   +---1234567890
│   │   │   +---download
│   │   │   +---html
│   │   │   │   L---images
│   │   │   L---upload
│   │   +---145000
│   │   │   +---download
│   │   │   +---html
│   │   │   │   L---images
│   │   │   L---upload
│   │   +---145001
│   │   │   +---download
│   │   │   +---html
│   │   │   │   L---images
│   │   │   L---upload
│   │   +---test
│   │   │   +---download
│   │   │   +---html
│   │   │   │   L---images
│   │   │   L---upload
│   │   L---Test14
│   │       +---download
│   │       +---html
│   │       │   L---images
│   │       L---upload
│   L---WEB-INF
│       +---classes
│       │   +---com
│       │   │   L---iat
│       │   │       +---ctimpact
│       │   │       L---utils
│       │   +---compressionFilters
│       │   +---filters
│       │   +---listeners
│       │   L---util
│       L---images
What I need to do is block access to anything under usr from direct access. I have turned off listings in the default servlet so it is harder to browse, but if I were to put the URL http://localhost:8080/ctimpact/usr/1234567890/.properties, I would get the contents of that file. This is not acceptable.

I have added the following security constraint:

    <security-constraint>
        <display-name>User Content</display-name>
        <web-resource-name>All user data</web-resource-name>
        <url-pattern>/usr/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <auth-constraint>
            <role-name>not_allowed</role-name>
        </auth-constraint>
    </security-constraint>

This does not seem to block access to anything under the /usr branch. If I use the URL above, my filter is not called. I'm having a hard time locating information I need in either the docs or books.

Any help would be appreciated.

Robert S. Harper
801.265.8800 ex. 255

> -----Original Message-----
> From: QM [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 11, 2004 9:05 PM
> To: Tomcat Users List
> Subject: Re: Blocking access to static content
>
> On Mon, Oct 11, 2004 at 01:27:14PM -0600, Robert Harper wrote:
> : I tried filters but my filters were not always called.
>
> It may be helpful to get to the root of why the filters weren't called.
> What happened? What was in web.xml?
>
> Better yet, just define security-constraints in web.xml and limit access
> to a role that's not assigned to anyone.
>
> Putting the files in WEB-INF has mixed results as far as container
> portability. Furthermore, it's not really a place for content...
>
> -QM
>
> --
>
> software -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
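
Added example, not part of the original thread: the constraint as posted places <web-resource-name>, <url-pattern> and <http-method> directly under <security-constraint>, while the web.xml descriptor requires them inside a <web-resource-collection>. The fragment below keeps the post's /usr/* pattern and not_allowed role name and shows two deny-all forms; it is a sketch of the relevant web.xml section only.

```xml
<!-- Added example: web.xml fragment, not the poster's or the project's own file. -->

<!-- Form 1: empty auth-constraint. The Servlet specification defines an
     auth-constraint that names no roles as "no access under any
     circumstances", so no dummy role is needed. -->
<security-constraint>
    <display-name>User Content</display-name>
    <web-resource-collection>
        <web-resource-name>All user data</web-resource-name>
        <url-pattern>/usr/*</url-pattern>
        <!-- No http-method elements: the constraint then covers every
             method. Listing only GET/PUT/POST/DELETE would leave HEAD,
             OPTIONS and others unconstrained. -->
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- Form 2 (use instead of Form 1, not alongside it): the approach
     suggested in the quoted reply, a role that is never assigned to any user.
     The role is declared so the descriptor stays consistent; it must not
     appear in the realm's user-to-role mapping. -->
<!--
<security-constraint>
    <display-name>User Content</display-name>
    <web-resource-collection>
        <web-resource-name>All user data</web-resource-name>
        <url-pattern>/usr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>not_allowed</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>not_allowed</role-name>
</security-role>
-->
```

Security constraints apply to requests arriving from clients, not to RequestDispatcher forwards or includes, so application code can still serve files from /usr after its own access check. A quick verification is to request the .properties URL from the post and confirm the container answers 403 for GET and HEAD alike.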
