
Deny Remote Access but Allow Include?

 
Andreas Schildbach
Ranch Hand
Posts: 34
Hello everyone,
does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's say *.include), but allow to include()/forward() them from another Servlet in the same context?
Regards,
Andreas
 
Nathaniel Stoddard
Ranch Hand
Posts: 1258
I don't recall the spec saying anything about this specifically. However, there are some solutions.
You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).
 
Andreas Schildbach
Ranch Hand
Posts: 34
Thanks for your reply.
Adding

    <security-constraint>
      <web-resource-collection>
        <url-pattern>*.include</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

to web.xml works as expected.
Regards,
Andreas
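
The constraint in the last post works because an empty `<auth-constraint/>` denies every direct client request, while the Servlet security model is not applied to RequestDispatcher include()/forward() calls. The check below is an added example, not code from the thread: it audits a web.xml for look-alike constraints that do not deny everything. The sample descriptor, the `*.tmpl` and `*.part` patterns, and the function names are constructed for illustration, and each constraint is classified on its own without combining overlapping patterns.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): the thread's deny-all constraint plus
# two look-alikes that leave direct client requests partly or fully open.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>fragments</web-resource-name>
      <url-pattern>*.include</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>templates</web-resource-name>
      <url-pattern>*.tmpl</url-pattern>
      <http-method>GET</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>partials</web-resource-name>
      <url-pattern>*.part</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as '{http://...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]

def classify_constraints(web_xml):
    """Map each url-pattern to how its own constraint treats direct requests."""
    verdicts = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        roles = [r for a in auth for r in a if local(r.tag) == "role-name"]
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            limited = [m for m in wrc
                       if local(m.tag) in ("http-method", "http-method-omission")]
            if not auth:
                verdict = "open"               # no auth-constraint: nothing is denied
            elif roles:
                verdict = "role-restricted"    # users in a listed role can fetch it
            elif limited:
                verdict = "deny-some-methods"  # other HTTP methods are not covered
            else:
                verdict = "deny-all"           # empty auth-constraint, every method
            for pat in (u for u in wrc if local(u.tag) == "url-pattern"):
                verdicts[pat.text.strip()] = verdict
    return verdicts
```

Anything other than `deny-all` for a pattern that is meant to be include-only deserves a look before deployment.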
 