We have a java web app running in Tomcat container. Basically it lets user register and upload files in the server for later access. After the user logged in and submit a file, we save this file as static content so that we can use Apache to serve it. But we do not want one user access files submitted by another user. This can be easily down in Tomcat as user need to login. But if we serve the files as static content using Apache, anybody will be able to access these files.
Obviously we need an authorization component for Apache. But should we reproduce the whole business logic implemented in Tomcat?
Is there a trick to do this so that we can still serve the files using Apache but somehow check the user authorization?
What is the reasoning behind serving the static content via Apache? While there are lies, damn lies, and benchmarks everything I've seen indicates that Tomcat serves static content very efficiently. This has also been my experience empirically.
I guess I'd simplify the problem and put it all on the Tomcat side. It sounds like you've got a solution in Tomcat - tying Tomcat and Apache security together could be a bit of a headache. [ October 28, 2005: Message edited by: Scott Dunbar ]
<a href="http://forums.hotjoe.com/forums/list.page" target="_blank" rel="nofollow">Java forums using Java software</a> - Come and help get them started.
Maybe you always need to benchmark for your OWN web app.
But problem remains, is there a way to easily manage the access for Apache static contents by using the same logic in Tomcat?
Joined: Sep 23, 2004
To get directly to your question, I'm not aware of a way to have a single user space between Apache httpd and Tomcat. Apache has many different authentication methods available to it out of the box from flat files to databases and LDAP. Tomcat, out of the box, has one - a server wide flat file.
To do this you could implement a Tomcat realm to read a database of users. It honestly wouldn't be that difficult to do but it would have to be written. It may exist already and I'm just not aware of it.
Lastly, if you have the time benchmarking your app with Tomcat only would be the best way to determine if it would work for you. I've found the newer Tomcat's to be very good.
Joined: Apr 01, 2005
Great. Thanks Scott.
Looks like there is no way to access session variable set by Tomcat in Apache? My users are stored in DB - if we have to let Apache access the DB and validate the user then it defeats the whole point of "higher performance" as I am sure DB access is more expensive in this case. I'll prob. benchmark my app...