aspose file tools*
The moose likes Servlets and the fly likes Deny Remote Access but Allow Include? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Deny Remote Access but Allow Include?" Watch "Deny Remote Access but Allow Include?" New topic
Author

Deny Remote Access but Allow Include?

Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Hello everyone,
does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's day *.include), but allow to include()/forward() them from another Servlet in the same context?
Regards,
Andreas
Nathaniel Stoddard
Ranch Hand

Joined: May 29, 2003
Posts: 1258
I don't recall the spec saying anything about this specifically. However, there are some solutions.
You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).


Nathaniel Stodard<br />SCJP, SCJD, SCWCD, SCBCD, SCDJWS, ICAD, ICSD, ICED
Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Thanks for your reply.
Adding
<security-constraint>
<web-resource-collection>
<url-pattern>*.include</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
to web.xml works as expected.
Regards,
Andreas
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Deny Remote Access but Allow Include?