ServletFilter to allow/deny directory access -> save against "hackers"?
Robert Jaeger
Ranch Hand
Joined: Apr 29, 2002
Posts: 62
Hi!
I am using a servlet filter in Tomcat to allow/deny access to a given directory. Only if a user has a certain session parameter/value does the servlet filter grant access to each requested file (html, gif, ...) in the given directory.
Does somebody have experience with Tomcat/servlet filters? Can hackers easily get access to the directory? Do I have to consider any further security mechanisms?
Hope somebody can give me some short advice. Regards, Robert
William Brogden
Author and all-around good cowpoke
Rancher
Joined: Mar 22, 2000
Posts: 12268
Are these directories outside the path that Tomcat can serve HTML, etc. resources from by the default servlet? Bill
Robert Jaeger
Ranch Hand
Joined: Apr 29, 2002
Posts: 62
Hi,
the filter protects webapps/myProtectedRessources/*
If I leave the resources outside the servlet server directories, e.g. in "C:/myProtectedRessources/", I need a servlet that loads the requested data and sends it via a ServletOutputStream to the client. Doing that I had problems with applets, path definitions ... that's why I wanted to ask if these filters are good enough to protect my resources from "evil" access, even if they are in the webapp directory. Each time a user requests a file from this directory I am checking his session parameters.
Or is there a way to redirect the request to a local directory outside the servlet server directory? That would be great!!!
Maybe you have some advice. Thanks anyway, Robert.
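The session check Robert describes, written out as a servlet Filter. This is an added example, not Robert's own filter code; the session attribute name "authorizedUser", the init-param "sessionAttribute" and the url-pattern /myProtectedRessources/* are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Gates every request under the mapped url-pattern on a session attribute.
 *
 * Assumed web.xml wiring (example, not from the thread):
 *
 *   <filter>
 *     <filter-name>protectedDir</filter-name>
 *     <filter-class>ProtectedDirectoryFilter</filter-class>
 *     <init-param>
 *       <param-name>sessionAttribute</param-name>
 *       <param-value>authorizedUser</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>protectedDir</filter-name>
 *     <url-pattern>/myProtectedRessources/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 *
 * Without the FORWARD/INCLUDE dispatcher entries (Servlet 2.4+) a filter only
 * runs for direct client requests, so a JSP or servlet that forwards to a file
 * under the directory would reach it without this check.
 */
public class ProtectedDirectoryFilter implements Filter {
    // Assumed attribute name; the login code is expected to set it on success.
    private String attributeName = "authorizedUser";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("sessionAttribute");
        if (configured != null) {
            attributeName = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean allowed = session != null && session.getAttribute(attributeName) != null;

        if (!allowed) {
            // Deny here; the default servlet never sees the request,
            // so the file under the directory is never read.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Keep shared caches from handing the file to a later, unauthenticated client.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The filter mapping is matched by the container against the normalized request path, so the deciding question is whether every route to a file under the directory (direct request, forward, include) passes through a mapping that carries this filter; a file that is reachable by any other route is unprotected.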
William Brogden
Author and all-around good cowpoke
Rancher
Joined: Mar 22, 2000
Posts: 12268
Personally, I just use paths outside the webapps area and serve the resources via a servlet that knows where to look based on init parameters. I think you could get into trouble defining all the things a filter should look for in a URL. For example, you might have an image reachable by "/myapp/images/the.gif" but a page in the location "/myapp/stuff/" could refer to it by "../images/the.gif" or "/myapp/images/the.gif" and probably some other relative addressing tricks such as the base tag.
You could also investigate placing them under the WEB-INF folder where they can never be accessed directly by URL, but where they can be forwarded to (or included) under your control.
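The serving servlet Bill describes, as an added example that is not Bill's own code: it reads the base directory from an init parameter, repeats the session check, and canonicalizes the resolved path before opening it so that a request containing ".." cannot escape the directory. The init-param name "baseDir", the mapping /protected/*, and the session attribute "authorizedUser" are assumptions for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Serves files from a directory outside the webapp, named by the init-param
 * "baseDir" (e.g. C:/myProtectedRessources). Assumed to be mapped to
 * /protected/* so that the requested file name arrives as the path info.
 */
public class ProtectedFileServlet extends HttpServlet {
    private File baseDir;

    public void init() throws ServletException {
        String dir = getInitParameter("baseDir");
        if (dir == null) {
            throw new ServletException("init-param baseDir is required");
        }
        try {
            // Canonical form once, so the containment check below compares like with like.
            baseDir = new File(dir).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The servlet, not the URL layout, is the gate: check the session here too.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("authorizedUser") == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String pathInfo = request.getPathInfo();   // e.g. "/images/the.gif"
        if (pathInfo == null || pathInfo.equals("/")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Resolve, canonicalize, then confirm the result is still inside baseDir.
        // Canonicalization collapses "..", so "/../../secret.txt" lands outside
        // baseDir and is refused; symlinks are resolved the same way.
        File target = new File(baseDir, pathInfo).getCanonicalFile();
        if (!target.getPath().startsWith(baseDir.getPath() + File.separator)
                || !target.isFile()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String mime = getServletContext().getMimeType(target.getName());
        response.setContentType(mime != null ? mime : "application/octet-stream");
        response.setHeader("Cache-Control", "private, no-store");

        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

For the WEB-INF variant Bill mentions, the same servlet body can replace the file copy with a forward, for example `request.getRequestDispatcher("/WEB-INF/protected" + pathInfo).forward(request, response);` (path assumed); the container refuses direct requests for anything under /WEB-INF, so the servlet is the only way in and the session check above is still the decision point. The containment check is still worth keeping in that variant, because getRequestDispatcher paths are resolved by the container, not by the file system.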