I am using a servlet filter in Tomcat to allow/deny access to a given directory. Only if a user has a certain session parameter/value does the servlet filter grant access to each requested file (html, gif, ...) in the given directory.
Does somebody have experience with Tomcat/servlet filters? Can hackers easily get access to the directory? Do I have to consider any further security mechanisms?
Hope somebody can give me some short advice, regards, Robert
Are these directories outside the path that Tomcat can serve HTML, etc resources from by the default servlet? Bill
The filter protects webapps/myProtectedRessources/*
If I leave the resources outside the servlet server directories, e.g. in "C:/myProtectedRessources/", I need a servlet that loads the requested data and sends it via a ServletOutputStream to the client. Doing that I had problems with applets, path definitions ... that's why I wanted to ask if these filters are good enough to protect my resources from "evil" access, even if they are in the webapp directory. Each time a user requests a file from this directory I am checking his session parameters.
Or is there a way to redirect the request to a local directory outside the servlet server directory? That would be great!!!
Maybe you have some advice, thanks anyway, Robert.
Personally, I just use paths outside the webapps area and serve the resources via a servlet that knows where to look based on init parameters. I think you could get into trouble defining all the things a filter should look for in a URL. For example, you might have an image reachable by "/myapp/images/the.gif", but a page in the location "/myapp/stuff/" could refer to it by "../images/the.gif" or "/myapp/images/the.gif" and probably some other relative addressing tricks such as the base tag.
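A filter of the kind Robert describes, added here as an example and not code from either poster: it is mapped in web.xml to /myProtectedRessources/*, reads the session attribute name and the required value from init-params (the param names are assumed), never creates a session for an anonymous request, and tells caches not to keep the file.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter. In web.xml it is mapped with
//   <url-pattern>/myProtectedRessources/*</url-pattern>
// and given the init-params "sessionAttribute" and "requiredValue" (names assumed here).
public class ProtectedResourcesFilter implements Filter {
    private String attrName;
    private String requiredValue;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        attrName = cfg.getInitParameter("sessionAttribute");
        requiredValue = cfg.getInitParameter("requiredValue");
        if (attrName == null || requiredValue == null) {
            throw new ServletException("missing sessionAttribute/requiredValue init-param");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): a request without a session must not get one created here.
        HttpSession session = request.getSession(false);
        boolean allowed = session != null
                && requiredValue.equals(session.getAttribute(attrName));
        if (!allowed) {
            // Same 403 whether or not the file exists, so nothing about the directory leaks.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Tell the browser and any proxy not to keep a copy that a later user could be served.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Because the match is done by the container's url-pattern against the resolved request path, a page-side reference such as "../images/the.gif" still arrives at Tomcat as the absolute URL and reaches the filter; the filter itself never parses URLs, which avoids the trouble Bill describes.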