Restrict access of files under web app

prajula Kottai
Greenhorn

Joined: Aug 16, 2012
Posts: 4
Hi All
I have 2 or more web applications in my application. I am using struts framework.
The problem is, unauthorized people can access the files that are under my web app folder (Ex: webapp name is XYZ).
I can use filters to restrict it but I just wanted to know whether there is any configuration that can be done in struts config.xml in order to restrict it?
And also can I use a file of one webapp in another to define under filter class in web.xml?

Thanks in advance...
Prajula
billy boyfour
Greenhorn

Joined: Aug 20, 2012
Posts: 1

Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. Regardless of the mechanism(s), all of the following are recommended:

* The authentication and authorization policies should be role based, to minimize the effort required to maintain these policies.
* The policies should be highly configurable, in order to minimize any hard coded aspects of the policy.
* The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.
* If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.

Some helpful links

http://www.montana.edu/itcenter/security/web/best-practices.php
http://strutscr.uw.hu/0090.html

~billyboy
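
The recommendations listed above (role based, configurable, deny by default), sketched as a servlet filter. This is an added example, not code from the thread or from Struts. The class name `RoleGateFilter`, the init-param name `grants`, and the sample paths and role are assumptions; it also assumes the container authenticates users so that `isUserInRole()` is meaningful, and that the filter is mapped to `/*` in the webapp that holds the files.

```java
// Added example: deny-by-default access filter driven by web.xml configuration.
// Hypothetical init-param "grants", e.g.  /public/=*;/downloads/=downloader
// ("*" means no role is required; every other value is a role name).
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleGateFilter implements Filter {
    // Path prefix -> role allowed to read it. Paths not listed are refused.
    private final Map<String, String> grants = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) throws ServletException {
        String spec = cfg.getInitParameter("grants");
        if (spec == null) return; // nothing configured: every request is denied
        for (String entry : spec.split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2) continue;            // skip malformed entries
            String prefix = kv[0].trim();
            if (prefix.startsWith("/")) grants.put(prefix, kv[1].trim());
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        for (Map.Entry<String, String> g : grants.entrySet()) {
            if (!path.startsWith(g.getKey())) continue;
            String role = g.getValue();
            if ("*".equals(role) || req.isUserInRole(role)) {
                chain.doFilter(rq, rs);              // explicit grant matched
                return;
            }
            break;                                   // first matching prefix decides
        }
        // Default outcome: no grant matched, or the caller lacks the role.
        ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() { }
}
```

Because the decision uses the container's role check rather than a session attribute, it does not depend on an `HttpSession` created by a different webapp.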


Kathleen Angeles
Ranch Hand

Joined: Aug 06, 2012
Posts: 122

prajula Kc wrote:
I can use filters to restrict it but I just wanted to know whether there is any configuration that can be done in struts config.xml in order to restrict it?


They cannot access anything inside the WEB-INF folder.

prajula Kc wrote:
And also can I use a file of one webapp in another to define under filter class in web.xml?


Why not put it in a jar and let those 2 apps get a copy of it?
prajula Kottai
Greenhorn

Joined: Aug 16, 2012
Posts: 4

I cannot change the complete structure of the application. I have written a new class in the other app and used it as a solution for the usage of the file since the functionality is totally different.
The problem now is when one web application is accessed from the other, the session object seems to be null. Is there a way to share the same session object across the web applications? Any other solution can also be suggested.

Below is the usage

code snippet:
<a href="host/xxx/abc.zip">Files</a>
where this link is accessed from a jsp page of one webapp and the file is located in the specified path where "xxx" is another webapp.
How can I restrict its access?
Kathleen Angeles
Ranch Hand

Joined: Aug 06, 2012
Posts: 122

That is spaghetti programming, I think.

Coupling.

prajula Kottai
Greenhorn

Joined: Aug 16, 2012
Posts: 4
Kathleen Angeles wrote:
That is spaghetti programming, I think.

Coupling.




Is there a way to stop its access?
Kathleen Angeles
Ranch Hand

Joined: Aug 06, 2012
Posts: 122

One ugly way is to play with the firewall, IP address / port filter, to control access to files in your PC or server. E.g. allow access if the client is from a specific IP address/port. Not really sure how (server filter, OS filter, Unix file access control), but just an idea.
prajula Kottai
Greenhorn

Joined: Aug 16, 2012
Posts: 4
Kathleen Angeles wrote:
One ugly way is to play with the firewall, IP address / port filter, to control access to files in your PC or server. E.g. allow access if the client is from a specific IP address/port. Not really sure how (server filter, OS filter, Unix file access control), but just an idea.


My application is not local to my server ...
 