This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Servlets and the fly likes Deny Remote Access but Allow Include? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Deny Remote Access but Allow Include?" Watch "Deny Remote Access but Allow Include?" New topic
Author

Deny Remote Access but Allow Include?

Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Hello everyone,
does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's day *.include), but allow to include()/forward() them from another Servlet in the same context?
Regards,
Andreas
Nathaniel Stoddard
Ranch Hand

Joined: May 29, 2003
Posts: 1258
I don't recall the spec saying anything about this specifically. However, there are some solutions.
You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).


Nathaniel Stodard<br />SCJP, SCJD, SCWCD, SCBCD, SCDJWS, ICAD, ICSD, ICED
Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Thanks for your reply.
Adding
<security-constraint>
<web-resource-collection>
<url-pattern>*.include</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
to web.xml works as expected.
Regards,
Andreas
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Deny Remote Access but Allow Include?
 
Similar Threads
Problem with Remote Address Filter
deny access to my webapps folders
ServletFilter to allow/deny directory access -> save against "hackers"?
allowing access to pages by IP address/server.xml
ODBC - mysql connectivity