direct access to html

Raj Kumar Bindal
Ranch Hand

Joined: Apr 15, 2006
Posts: 417
I have written some code to prevent direct access to HTML files, but it is not working as expected. I am trying to restrict direct access to any files inside the /contextroot/html directory.

So, I mentioned this in web.xml:
<servlet-mapping>
    <servlet-name>HtmlFilter</servlet-name>
    <url-pattern>/html/*</url-pattern>
</servlet-mapping>

So, whenever a user tries to directly access /html/*.html, the HtmlFilter servlet will be called, which will redirect control to the HTML through response.sendRedirect().
So, the servlet is getting called whenever a /html/* request is there. But the flow is going like this:

servlet-->html-->servlet-->html-->servlet-------..

It seems like cyclic behavior.
I am not getting how to prevent /html/* from direct access.
Any help.
vijay dadhwal
Ranch Hand

Joined: Dec 02, 2008
Posts: 47

Hi,

You can use the permission & access tags "DENIED" in web.xml to avoid direct access to JSP / HTML pages.

I tried this successfully for JSP pages but not for HTML pages.
Please go through setting permissions and access in the web.xml file.

Regards,
Vijay


MCA , SJCP
Raj Kumar Bindal
Ranch Hand

Joined: Apr 15, 2006
Posts: 417
Can you post some sample code?
Just to make sure you understood my doubt: when the user accesses the HTML by coming through login id/password, it should be accessible, but if the user just copies and pastes the URL into another tab of the same browser or a different browser, he should not be able to view the HTML.
I did some googling, but I am not sure your concept will work.
Raj Kumar Bindal
Ranch Hand

Joined: Apr 15, 2006
Posts: 417
Any help!!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
Originally posted by Raj Kumar Bindal:
Any help!!

Ummm, with the exclamation marks that sounds a bit like an order is being given. I'm not sure that's going to work with people who volunteer their time here.

If it's so urgent that you felt the need to post after just 20 minutes, you must have tried all kinds of things yourself since then. What were those, and how did they (not) work?


Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Just define a security constraint in web.xml.

If you had respected the netiquette, I would maybe have typed a small configuration example, but now you have to Google it. Good luck.
Ashok Mor
Ranch Hand

Joined: Jul 17, 2007
Posts: 43
What you can do is add the following lines to web.xml:

<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/jsp/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
    </auth-constraint>
</security-constraint>
Raj Kumar Bindal
Ranch Hand

Joined: Apr 15, 2006
Posts: 417
I apologize. Ranchers have always been very helpful to me.
<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/jsp/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
    </auth-constraint>
</security-constraint>

Specifying it this way protects the resources, but even if I try to access the HTML properly through the application, I am not able to access it, as it is protected.
But the main requirement is: after copying and pasting the address into the address bar, the HTML should not be accessible, which it currently is.
Please post some code if possible.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Originally posted by Raj Kumar Bindal:
But, main requirement is : after copy paste the address in address bar, html should not be accessible which is getting accessed now.

You must be doing things the wrong way. Hard to say without actually knowing what you've done so far.
Please post some code if possible.

You should not ask for code.
Raj Kumar Bindal
Ranch Hand

Joined: Apr 15, 2006
Posts: 417
<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/jsp/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
    </auth-constraint>
</security-constraint>

As per the above code, if I try to access /jsp/** through a RequestDispatcher in a servlet, it will be perfectly accessible, as the URL will remain unchanged.
But if I try to access /jsp/** by doing response.sendRedirect() from my servlet, it will not allow the access, as we have restricted its access in web.xml.
As per my application, I am going to /jsp/** by doing a redirect, and I need /jsp/** to be accessible only if I am trying to access it through some servlet (response.sendRedirect()); otherwise it should not be accessible.
Hope the picture is clearer now.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
This is not possible.

If you've a hard head in this, you may want to create a Filter which checks the referrer (not recommended) or checks some token in the session (more recommended).