I have some experience with building web applications that are placed in the Tomcat container, but I have rarely given much importance to security.
I would like to know more about the following functionalities and how they work in Tomcat. Some links to good references will do fine as well.
a.) Restricting direct access to a particular file/folder present in the web application's directory at any hierarchical level.
b.) Restricting direct access to file(s) with a particular extension (and it can be any extension, not the ones we usually encounter like .txt, .html etc.)
By direct access, I mean a person should not be able to get to the resource/file by typing its URL/path on the container.
In our CodeBarn, under the servlets section, there is a demo project named SimpleStream. This shows how to stream files (in this case, images) from under the WEB-INF directory using a servlet.
Because files under WEB-INF cannot be accessed directly from the web, this gives you control over what is served up and what is not.
If you still want someone with the right credentials to be able to access those files, in effect password-protecting them, then servlet security may be what you're looking for. The http://faq.javaranch.com/java/ServletsFaq#security page has some pointers to get you started with that.
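
The WEB-INF streaming approach described in the replies above, as an added example that is not the CodeBarn SimpleStream code and not from any poster in this thread. The class name, the `/image` mapping, the `name` parameter and the `/WEB-INF/images/` directory are assumptions, and the `javax.servlet` imports assume Tomcat 9 or earlier (Tomcat 10+ uses `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: serves images kept under /WEB-INF/images/ (assumed layout).
@WebServlet("/image")
public class ProtectedImageServlet extends HttpServlet {
    private static final String BASE = "/WEB-INF/images/";   // assumed directory
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "gif");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        // Accept a bare file name only: no path separators and no "..", so a
        // request cannot reach web.xml, classes/ or anything else in WEB-INF.
        if (name == null || !name.matches("[A-Za-z0-9_-]{1,64}\\.[A-Za-z0-9]{1,5}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Serve only the extensions this servlet is meant to expose.
        String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A per-user decision (for example req.isUserInRole(...)) would go here.
        try (InputStream in = getServletContext().getResourceAsStream(BASE + name)) {
            if (in == null) {                       // no such file under BASE
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String type = getServletContext().getMimeType(name);
            resp.setContentType(type != null ? type : "application/octet-stream");
            resp.setHeader("X-Content-Type-Options", "nosniff");
            in.transferTo(resp.getOutputStream());  // Java 9+
        }
    }
}
```

Because the servlet is now the only route to these files, the file-name check is the access control: a servlet that passes the request parameter straight to `getResourceAsStream` would expose the rest of WEB-INF.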