
ServletFilter to allow/deny directory access -> save against "hackers"?

 
Robert Jaeger
Ranch Hand
Hi!

I am using a servlet filter in Tomcat to allow/deny the access to a given directory. Only if a user has a certain session parameter/value the servlet filter grants access for each requested file (html, gif, ...) in the given directory.

Does somebody have experience with Tomcat/ServletFilters? Can hackers get easily access to the directory? Do I have to consider any further security mechanisms?

Hope somebody can give me some short advice,
regards,
Robert
 
William Brogden
Author and all-around good cowpoke
Rancher
Are these directories outside the path that Tomcat can serve HTML, etc resources from by the default servlet?
Bill
 
Robert Jaeger
Ranch Hand
Hi,

the filter protects webapps/myProtectedRessources/*

If I leave the resources outside the servlet server directories, e.g. in "C:/myProtectedRessources/" I need a servlet that loads the requested data and sends it via a ServletOutputStream to the client. Doing that I had problems with applets, path definitions ... that's why I wanted to ask if these filters are good enough to protect my resources from "evil" access, even if it is in the webapp directory. Each time a user requests a file from this directory I am checking his session parameters.

Or is there a way to redirect the request to a local directory outside the servlet server directory? That would be great!!!

Maybe you have some advice,
thanx anyway,
Robert.
 
William Brogden
Author and all-around good cowpoke
Rancher
Personally, I just use paths outside the webapps area and serve the resources via a servlet that knows where to look based on init parameters. I think you could get into trouble defining all the things a filter should look for in a URL. For example, you might have an image reachable by
"/myapp/images/the.gif" but a page in the location
"/myapp/stuff/"
could refer to it by "../images/the.gif" or "/myapp/images/the.gif"
and probably some other relative addressing tricks such as the base tag.

Bill
 
Bear Bibeault
Author and ninkuma
Marshal
You could also investigate placing them under the WEB-INF folder where they can never be accessed directly by URL, but where they can be forwarded to (or included) under your control.
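Putting the two replies together, here is an added example (not code from the thread or from Tomcat) of a servlet that checks a session attribute and streams files from below WEB-INF, so nothing in the protected folder is reachable by URL and the relative-path tricks mentioned above cannot climb out of it. The mapping `/protected/*` and the attribute name `protectedAccess` are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Assumed web.xml mapping: <url-pattern>/protected/*</url-pattern>
public class ProtectedResourceServlet extends HttpServlet {
    // Assumed session attribute name; the thread does not name the real one.
    private static final String ACCESS_ATTR = "protectedAccess";
    // Files sit below WEB-INF, which the container never serves by URL.
    private static final String BASE = "/WEB-INF/protected";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !Boolean.TRUE.equals(session.getAttribute(ACCESS_ATTR))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // getPathInfo() is the part after the mapping, already URL-decoded by the
        // container, so the check below sees exactly the string the lookup uses.
        String path = req.getPathInfo();
        InputStream in = (path != null && isSafePath(path))
                ? getServletContext().getResourceAsStream(BASE + path) : null;
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(path);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        try (InputStream src = in) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = src.read(buf)) != -1) {
                resp.getOutputStream().write(buf, 0, n);
            }
        }
    }
    // Reject any ".." segment (would climb out of BASE), backslashes and NUL bytes.
    static boolean isSafePath(String path) {
        if (path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) return false;
        for (String seg : path.split("/")) {
            if (seg.equals("..")) return false;
        }
        return true;
    }
}
```

Because the session check and the file lookup happen in the same place, a page that references the image as "../images/the.gif" or by an absolute URL still ends up at this servlet with a path the container has already normalized.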
 