Dear Tomcat List, I am facing the following problem. We have some static html files in our Servlet/JSP project which reside in a separate directory and we want to restrict the access to them both from within the project and by typing the URL directly in the browser. The rules of accesing them are: if an user is not logged in our app, he cannot access any of them and if he is logged in, he can access only those files/folders to which he has permmissions. Given the path (URL) of one of those html files I can determine if the logged user has the rights to see it. So I wrote a servlet to check the rights and I added the following entiries in web.xml: <servlet> <servlet-name>CoursesPermissionController</servlet-name> <servlet-class>arcade.security.CoursesPermissionController</servlet-class> </servlet> <servlet-mapping> <servlet-name>CoursesPermissionController</servlet-name> <url-pattern>/jsp/ccim/Courses/*</url-pattern> </servlet-mapping> where /jsp/ccim/Courses/* is the directory where the html files reside and CoursesPermissionController is the servlet which desides whether the user has rights. In its doGet I determine according the URL and the logged user whether he can see it: public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String requestURI = request.getRequestURI(); String contextPath = request.getContextPath(); HttpSession currentSession = getSession(request); long loggedUserID = WebBean.getLoggedUserID(currentSession); if (loggedUserID == -1) { //User is not logged forward("/jsp/ccim/accessdenied.jsp", request, response); } else { try { //Pseudocode to save space boolean isPermitted = checkAccording(requestURI, loggedUserID ); if (isPermitted) { int l = contextPath.length(); String forwardPath = requestURI.substring(l); //The user has rights, so forward to the original request URL forward(forwardPath, request, response); } else { forward("/jsp/ccim/norights.jsp", request, response); } } catch (Exception e) { e.printStackTrace(); forward("/jsp/ErrorPage.jsp", request, response); } } } and here is forward method: private void forward(String path, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { RequestDispatcher dispatcher = request.getRequestDispatcher(path); dispatcher.include(request, response); } The problem is that when the user has the rights i am forwarding it to the same URL, then the servlet is invoked again, the user is checked again, forwarded agian in an endless recursion (or till StackOverflowException). My questions are: 1) can I implement the restrictions in a similar way by invoking a servlet when a "protected" URL is requested. 2) are there clearer ways to do it. I read in Servlet2.3 Specifiaction for filters and authenticating filters, but I think that I will end with endless recursing also. Moreover, i couldn't find a suitable filter example. Up to know I workarounded the problem with this method: private void dump(String path, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ServletContext context = getServletContext(); String realPath = context.getRealPath(path); BufferedReader br = new BufferedReader(new FileReader(realPath)); PrintWriter out = response.getWriter(); String line = ""; while ((line = br.readLine()) != null) { out.println(line); } } instead this lines //The user has rights, so forward to the original request URL forward(forwardPath, request, response); I use //The user has rights, so forward to the original request URL dump(forwardPath, request, response); I also thought to transform the htmls in jsp's and check for rights at the top of each jsp, but the requirements say they must be htmls. Thank you for your efforts. I will appreciate any idea. Greetings Ivan Ivanov
__________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]