Access control problem: Tomcat + Apache

Joe Serel
Greenhorn

Joined: Apr 01, 2005
Posts: 6
Greetings,

We have a Java web app running in a Tomcat container. Basically it lets users register and upload files to the server for later access. After the user has logged in and submitted a file, we save this file as static content so that we can use Apache to serve it. But we do not want one user to access files submitted by another user. This can be easily done in Tomcat, as users need to log in. But if we serve the files as static content using Apache, anybody will be able to access these files.

Obviously we need an authorization component for Apache. But should we reproduce the whole business logic implemented in Tomcat?

Is there a trick to do this so that we can still serve the files using Apache but somehow check the user authorization?

Your help will be greatly appreciated.

Thanks.

Joe
Scott Dunbar
Ranch Hand

Joined: Sep 23, 2004
Posts: 245
What is the reasoning behind serving the static content via Apache? While there are lies, damn lies, and benchmarks, everything I've seen indicates that Tomcat serves static content very efficiently. This has also been my experience empirically.

I guess I'd simplify the problem and put it all on the Tomcat side. It sounds like you've got a solution in Tomcat - tying Tomcat and Apache security together could be a bit of a headache.
[ October 28, 2005: Message edited by: Scott Dunbar ]

Joe Serel
Greenhorn

Joined: Apr 01, 2005
Posts: 6
Thanks Scott for your reply.
Here (and numerous other places) is where I got this idea:
http://tomcat.apache.org/tomcat-3.3-doc/tomcat-apache-howto.html

Maybe you always need to benchmark for your OWN web app.

But the problem remains: is there a way to easily manage the access for Apache static content by using the same logic in Tomcat?

Thanks

Joe
Scott Dunbar
Ranch Hand

Joined: Sep 23, 2004
Posts: 245
To get directly to your question, I'm not aware of a way to have a single user space between Apache httpd and Tomcat. Apache has many different authentication methods available to it out of the box, from flat files to databases and LDAP. Tomcat, out of the box, has one - a server-wide flat file.

To do this you could implement a Tomcat realm to read a database of users. It honestly wouldn't be that difficult to do, but it would have to be written. It may exist already and I'm just not aware of it.

Lastly, if you have the time, benchmarking your app with Tomcat only would be the best way to determine if it would work for you. I've found the newer Tomcats to be very good.
Joe Serel
Greenhorn

Joined: Apr 01, 2005
Posts: 6
Great. Thanks Scott.

Looks like there is no way to access a session variable set by Tomcat in Apache? My users are stored in a DB - if we have to let Apache access the DB and validate the user, then it defeats the whole point of "higher performance", as I am sure DB access is more expensive in this case.
I'll prob. benchmark my app...

Thanks,

Joe
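
The "put it all on the Tomcat side" approach from the thread, as an added example that is not code from any of the posters: a servlet that streams an uploaded file only from the logged-in user's own directory, kept outside the web root so neither Apache nor Tomcat's default servlet exposes it. Assumptions: the `jakarta.servlet` API (Tomcat 10 or later; older versions use `javax.servlet`), a hypothetical session attribute `userId` set at login, a hypothetical upload root `/var/app/uploads/<userId>/`, and a servlet mapping of `/files/*`.

```java
import jakarta.servlet.http.*;
import java.io.IOException;
import java.nio.file.*;

// Added example: hypothetical servlet mapped to /files/*.
public class UserFileServlet extends HttpServlet {
    // Assumed layout: one subdirectory per user id, outside the web root.
    private static final Path ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);   // do not create a session for anonymous requests
        Object userId = session == null ? null : session.getAttribute("userId"); // assumed attribute name
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The owner comes from the session, never from the URL, so another
        // user's directory is not addressable at all.
        Path file = resolveForUser(userId.toString(), req.getPathInfo());
        if (file == null || !Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment");   // uploaded content is not rendered inline
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Cache-Control", "private, no-store");  // keep shared caches from storing user files
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());
    }

    // Returns the requested path only if it stays inside the user's own directory.
    static Path resolveForUser(String userId, String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || !userId.matches("[A-Za-z0-9_-]+")) {
            return null;
        }
        Path userDir = ROOT.resolve(userId).normalize();
        Path target;
        try {
            target = userDir.resolve(pathInfo.substring(1)).normalize(); // drop leading '/'
        } catch (InvalidPathException e) {
            return null;
        }
        // Rejects "../" escapes and absolute paths, which no longer start with userDir.
        return target.startsWith(userDir) && !target.equals(userDir) ? target : null;
    }
}
```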