JavaRanch » Java Forums » Products » Tomcat
ServletFilter to allow/deny directory access -> safe against "hackers"?

Robert Jaeger
Ranch Hand

Joined: Apr 29, 2002
Posts: 62
Hi!

I am using a servlet filter in Tomcat to allow/deny the access to a given directory. Only if a user has a certain session parameter/value the servlet filter grants access for each requested file (html, gif, ...) in the given directory.

Does somebody have experience with Tomcat/ServletFilters? Can hackers easily get access to the directory? Do I have to consider any further security mechanisms?

Hope somebody can give me some short advice,
regards,
Robert
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12825
    
    5
Are these directories outside the path that Tomcat can serve HTML, etc resources from by the default servlet?
Bill
Robert Jaeger
Ranch Hand

Joined: Apr 29, 2002
Posts: 62
Hi,

the filter protects webapps/myProtectedRessources/*

If I leave the resources outside the servlet server directories, e.g. in "C:/myProtectedRessources/", I need a servlet that loads the requested data and sends it via a ServletOutputStream to the client. Doing that I had problems with applets, path definitions ... that's why I wanted to ask if these filters are good enough to protect my resources from "evil" access, even if they are in the webapp directory. Each time a user requests a file from this directory I am checking his session parameters.

Or is there a way to redirect the request to a local directory outside the servlet server directory? That would be great!!!

Maybe you have some advice,
thanx anyway,
Robert.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12825
    
    5
Personally, I just use paths outside the webapps area and serve the resources via a servlet that knows where to look based on init parameters. I think you could get into trouble defining all the things a filter should look for in a URL. For example, you might have an image reachable by "/myapp/images/the.gif", but a page in the location "/myapp/stuff/" could refer to it by "../images/the.gif" or "/myapp/images/the.gif", and probably some other relative addressing tricks such as the base tag.

Bill
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61656
    
  67

You could also investigate placing them under the WEB-INF folder where they can never be accessed directly by URL, but where they can be forwarded to (or included) under your control.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
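As an added example (not code posted in this thread), a servlet along the lines Bill and Bear describe: it serves files from a directory the default servlet never exposes (an init parameter pointing outside webapps, or WEB-INF), performs the session check Robert describes, and refuses any path that resolves outside that directory. The attribute name "authorized", the init parameter "baseDir", the mapping /protected/* and the javax.servlet namespace (Tomcat 9 or earlier) are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ProtectedResourceServlet extends HttpServlet {
    private Path baseDir;

    @Override
    public void init() throws ServletException {
        // "baseDir" init-param (e.g. C:/myProtectedResources), else WEB-INF/protected
        String dir = getInitParameter("baseDir");
        if (dir == null) {
            dir = getServletContext().getRealPath("/WEB-INF/protected");
        }
        baseDir = Paths.get(dir).toAbsolutePath().normalize();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. The session check from the thread: no attribute (assumed name), no file.
        HttpSession s = req.getSession(false);
        if (s == null || !Boolean.TRUE.equals(s.getAttribute("authorized"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Map the part after the servlet mapping (e.g. /protected/*) to a file
        //    and refuse anything that resolves outside baseDir ("../" tricks).
        String rel = req.getPathInfo() == null ? "" : req.getPathInfo().substring(1);
        Path target = baseDir.resolve(rel).normalize();
        if (!target.startsWith(baseDir) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. Stream it with the right content type; images and applet jars
        //    referenced by relative URLs pass through the same check.
        String type = getServletContext().getMimeType(target.toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        try (OutputStream out = resp.getOutputStream()) {
            Files.copy(target, out);
        }
    }
}
```

Map the servlet to /protected/* in web.xml; because the files live outside the URL space, there is no second route to them for a filter to miss, and a relative reference such as ../images/the.gif still arrives at this servlet after the browser resolves it.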