• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

ServletFilter to allow/deny directory access -> save against "hackers"?

 
Ranch Hand
Posts: 62
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi!

I am using a servlet filter in Tomcat to allow/deny the access to a given directory. Only if a user has a certain session parameter/value the servlet filter grants access for each requested file (html, gif, ...) in the given directory.

Does somebody have experience with Tomcat/ServletFilters? Can hackers get easily access to the directory? Do I have to consider any further security mechanisms?

Hope somebody can give me some short advice,
regard,
Robert
 
Author and all-around good cowpoke
Posts: 13078
6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Are these directories outside the path that Tomcat can serve HTML, etc resources from by the default servlet?
Bill
 
Robert Jaeger
Ranch Hand
Posts: 62
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

the filter protects webapps/myProtectedRessources/*

If I leave the ressources outside the servlet server directories, e.g. in "C:/myProtectedRessources/" I need a servlet that loads the requested data and sends it via an ServletOutputStream to the client. Doing that I had problems with applets, paths-defintitions ... that�s why I wanted to ask if these filters are good enough to protect my ressources from "evil" access, even it is in the webapp-directory. Each time a user requests a file from this directory I am checking his session parameters.

Or is there a way to redirect the request to a local directory outside the servlet server directory? That would be great!!!

Maybe you have some advice,
thanx anyway,
Robert.
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Personally, I just use paths outside the webapps area and serve the resources via a servlet that knows where to look based on init parameters. I thing you could get into trouble defining all the things a filter should look for in a URL. For example, you might have an image reachable by
"/myapp/images/the.gif" but a page in the location
"/myapp/stuff/"
could refer to it by "../images/the.gif" or "/myapp/images/the.gif"
and probably some other relative addressing tricks such as the base tag.

Bill
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You could also investigate placing them under the WEB-INF folder where they can never be accessed directly by URL, but where they can be forwarded to (or included) under your control.
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic