WEBDAV authentication at SERVER LEVEL rather than at APPLICATION LEVEL
I want to provide authentication to the files which are outside tomcat directory.
My files are at /app/apache-tomcat-5.5.17/webapps/Reports/file1.zip
Note that here Reports is not a tomcat application. It is just a directory.
I want to provide authentication for that file so I can access the file with the link http://localhost:8006/Reports/file1.zip only after providing authentication.
WEBDAV authentication is possible when I make changes in web.xml inside some tomcat application.
But for that this Reports folder should be inside it.
E.g. I have another application named 'RentalApp' on the same server.
Then if I make changes at /app/apache-tomcat-5.5.17/webapps/RentalApp/WEB-INF/web.xml
and put the file at /app/apache-tomcat-5.5.17/webapps/RentalApp/Reports/file1.zip, then it asks for authentication when accessing through http://localhost:8006/RentalApp/Reports/file1.zip
Note that changing web.xml at server level (/app/apache-tomcat-5.5.17/conf/web.xml).
Can we provide WEBDAV authentication at server level to any file which is not inside a tomcat application?
Any directory that is located immediately under the TOMCAT_HOME/webapps directory is, by definition, a web application in exploded WAR format. There is no concept of a data directory under webapps, only the question of whether the WAR is valid or not.
In any event, you should NEVER write or delete files in or below the webapps directory under webapp program control. Since Tomcat is not a WEBDAV server, that aspect does not apply either. The only writing that should ever be done in webapps is to deploy or undeploy (delete) the webapps themselves. Other than that, all files and directories should be treated as read-only. The fact that Tomcat does not enforce this restriction does not mean that it is safe to violate it - do so and you will regret it.
While Tomcat itself does not provide WEBDAV services, a Tomcat webapp can do so if it wants to. Regardless, the actual files and directories being controlled should be placed in a location external to the Tomcat directories and the webapps directory in particular.
Authentication and authorization are separate concerns, and the J2EE A&A standards are usually sufficient for that purpose.
Customer surveys are for companies who didn't pay proper attention to begin with.
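The answer's point applied to the question's layout, as an added example that is not part of the original thread: since Tomcat treats webapps/Reports as a web application, that directory can carry its own WEB-INF/web.xml with a standard J2EE security constraint. The role name `reports-user` and the realm name are assumptions; the role has to exist in whatever realm the server is configured with (conf/tomcat-users.xml when the default UserDatabaseRealm is in use).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: /app/apache-tomcat-5.5.17/webapps/Reports/WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Require an authenticated user in the assumed role for every URL
       under /Reports, including /Reports/file1.zip -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Report files</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements are listed, so the constraint
           applies to all HTTP methods, not only GET -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>reports-user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Container-managed login. BASIC sends the password only
       base64-encoded, so it needs TLS on any untrusted network -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>

  <!-- Declares the role referenced by the constraint above -->
  <security-role>
    <role-name>reports-user</role-name>
  </security-role>
</web-app>
```

The files under Reports stay read-only from Tomcat's point of view, in line with the answer's advice; anything that has to be written at runtime belongs outside the webapps directory.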