> By the way, do you think that it's best to have the protected files on > my Apache server with HTTP Authentication with a login/pass what Tomcat > is aware of so Tomcat can get the resource and then send it to the user > or is it better to have the files inside WEB/INF for example? I have > both Apache and Tomcat running on the same machine.
You shouldn't really be involving apache, unless you want to use HTTP authentication and have apache and tomcat individually configured for this. I personally would be using my own authentication (Form-based) and serve files after approval. You can choose not to put the files under the tomcat context. If you do NOT put the files under the context of your webapp, tomcat will silently refuse to serve them (IIRC). This involves a little bit of messing with the security manager, but it shouldn't be too big a deal. Check out conf/catalina.policy and also http://localhost:8080/tomcat-docs/security-manager-howto.html if you have the docs still installed (otherwise that doc should be on the jakarta site). If I am completely wrong here I hope someone will step up and correct me. fillup On 5/31/02 5:08 AM, "Markus Kirsten" <[EMAIL PROTECTED]> wrote: > Thank you. This was exactly what I was looking for. I thought that by > opening a file for a servlet and then returning it like a stream to the > client whould take too much resources but it also seemed like the only > way I could whink of except for some kind of HTTP Authentication. But I > haven't seen any packages out there that can verify a user with HTTP > Authentication and then use som kind of RequestDispatcher. > > By the way, do you think that it's best to have the protected files on > my Apache server with HTTP Authentication with a login/pass what Tomcat > is aware of so Tomcat can get the resource and then send it to the user > or is it better to have the files inside WEB/INF for example? I have > both Apache and Tomcat running on the same machine. > > > Markus > > > On Friday, May 31, 2002, at 11:03 AM, Phillip Morelock wrote: > >>> What would be the best sollution if I have resources (non-HTML like >>> movies etc.) which I want to protect with a custom made authentication? >> >> use Servlets. >> >> serve binary data as the output stream instead of text/html . >> >> You can authenticate and do all your other "ok, is this person >> authorized, >> what is the filename" etc., and then serve the headers and the file. >> >> If you're interested in security, definitely do not have any part of the >> filename as a request parameter -- look up the filename in the database. >> >> There are packages that implement the raw binary serving in a >> rudimentary >> way, I'm thinking specifically: >> http://www.servlets.com/cos/index.html >> >> see the ServletUtils.returnFile method...this should get you started. >> >> Be sure to read the license before using or looking at this code. >> >> cheers >> fillup > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
