Deny Remote Access but Allow Include?

Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Hello everyone,
does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's say *.include), but allow them to be include()d/forward()ed from another Servlet in the same context?
Regards,
Andreas
Nathaniel Stoddard
Ranch Hand

Joined: May 29, 2003
Posts: 1258
I don't recall the spec saying anything about this specifically. However, there are some solutions.
You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).


Nathaniel Stoddard
SCJP, SCJD, SCWCD, SCBCD, SCDJWS, ICAD, ICSD, ICED
Andreas Schildbach
Ranch Hand

Joined: Jan 22, 2003
Posts: 34
Thanks for your reply.
Adding
    <security-constraint>
        <web-resource-collection>
            <url-pattern>*.include</url-pattern>
        </web-resource-collection>
        <!-- empty auth-constraint: no role is allowed, so direct requests are denied -->
        <auth-constraint/>
    </security-constraint>
to web.xml works as expected.
Regards,
Andreas
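
Added example (not part of the thread and not any poster's code): a small audit check that reads a web.xml and reports whether a direct client request for a path and HTTP method is covered by a deny-all constraint, meaning an empty auth-constraint like the one above. Container security constraints apply to client requests, not to RequestDispatcher include()/forward() calls, which is why the fragments remain usable from servlets in the same context. The sample descriptor, the function names and the /partials/* entry are constructed for illustration, and the check assumes no overlapping patterns (it does not implement the spec's best-match precedence).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the thread's application).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>fragments</web-resource-name>
      <url-pattern>*.include</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>partials</web-resource-name>
      <url-pattern>/partials/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced descriptors also work."""
    return tag.rsplit("}", 1)[-1]

def matches(pattern, path):
    """Servlet url-pattern matching: extension, path prefix, or exact."""
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def direct_access_denied(web_xml, path, method="GET"):
    """True if a deny-all constraint covers this path and HTTP method."""
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        # Deny-all means auth-constraint is present and lists no role-name.
        if not auth or any(local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            pats = [e.text.strip() for e in wrc if local(e.tag) == "url-pattern"]
            verbs = [e.text.strip().upper() for e in wrc if local(e.tag) == "http-method"]
            # Listing http-method narrows the constraint to those verbs only.
            if any(matches(p, path) for p in pats) and (not verbs or method.upper() in verbs):
                return True
    return False
```

The second constraint in the sample shows the caveat worth checking for: once http-method is listed, other verbs are left uncovered, so the thread's form without http-method is the safer one.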