This week's book giveaway is in the Design forum.
We're giving away four copies of Design for the Mind and have Victor S. Yocco on-line!
See this thread for details.
Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Deny Remote Access but Allow Include?

 
Andreas Schildbach
Ranch Hand
Posts: 34
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello everyone,
does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's day *.include), but allow to include()/forward() them from another Servlet in the same context?
Regards,
Andreas
 
Nathaniel Stoddard
Ranch Hand
Posts: 1258
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I don't recall the spec saying anything about this specifically. However, there are some solutions.
You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).
 
Andreas Schildbach
Ranch Hand
Posts: 34
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for your reply.
Adding
<security-constraint>
<web-resource-collection>
<url-pattern>*.include</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
to web.xml works as expected.
Regards,
Andreas
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic