• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Jeanne Boyarsky
  • Tim Cooke
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Frits Walraven
Bartenders:
  • Piet Souris
  • Himai Minh

direct access to html

 
Ranch Hand
Posts: 418
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have written some code to prevent direct access to html files.But, that is not working as expected. I am trying to restrict direct access to any files inside /contextroot/html diretory.

So, i mentioned this in web.xml :
<servlet-mapping>
<servlet-name>HtmlFilter</servlet-name>
<url-pattern>/html/*</url-pattern>
</servlet-mapping>

So, whenever user will try to directly access /html/*.html , HtmlFilter servlet will be called which will redirect control to html through response.sendRedirect().
So, servlet is getting called whenever /html/* request is there. But,flow is going like this :

servlet-->html-->servlet-->html-->servlet-------..

seems like cyclic behavior.
I am not getting how to prevent /html/* from direct access.
Any help.
 
Ranch Hand
Posts: 47
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

you can use permission & access tags "DENIED" in web.xml for avoiding direct access to jsp / html pages.

i tried successfully for jsp pages but not for html pages.
please go through settings permissions and access in web.xml file

regards
vijay
 
Raj Kumar Bindal
Ranch Hand
Posts: 418
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can you post some sample code.
Just to make sure,you understood my doubt : When user is accessing the html directly by coming through login id/password , it should be accessible but if user is just copying and pasting the url in other tab of same brower/different browser, he should not be able to view the html.
I did some googling but not sure, your concept will work.
 
Raj Kumar Bindal
Ranch Hand
Posts: 418
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Any help!!
 
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Raj Kumar Bindal:
Any help!!


Ummm, with the exclamation marks that sounds a bit like an order is being given. I'm not sure that's going to work with people who volunteer their time here.

If it's so urgent that you felt the need to post after just 20 minutes, you must have tried all kinds of things yourself since then. What were those, and how did they (not) work?
 
Ranch Hand
Posts: 2458
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Just define a security constraint in web.xml.

If you have respected the netiquette, I would maybe have typed a small configuration example, but now you have to Google it. Good luck.
 
Ranch Hand
Posts: 44
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What you can do is, add following line in web.xml

<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>
 
Raj Kumar Bindal
Ranch Hand
Posts: 418
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I apologize. Ranchers have always been very helpful to me.
<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>


Specifying like this way protects the resources but even if i am trying to access html properly through application, i am not able to access it as it is protected.
But, main requirement is : after copy paste the address in address bar, html should not be accessible which is getting accessed now.
Please post some code if possible.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Raj Kumar Bindal:
But, main requirement is : after copy paste the address in address bar, html should not be accessible which is getting accessed now.


You must be doing things the wrong way. Hard to say without actually knowing what you've done so far.

Please post some code if possible.


You should not ask for code.
 
Raj Kumar Bindal
Ranch Hand
Posts: 418
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>


As per above code, if i trying to access /jsp/** through requestdispatcher in a servlet, it will be perfectly accessible as url will remain unchanged.
But, if i try to access /jsp/** by doing response.sendRedirect() from my servlet, it will not allow the access as we have restricted its access in web.xml.
As per my application, i am going to /jsp/** by doing redirect and need that if i am trying to access /jsp/** through some servlet(response.sendRedirect()) , then only it should be accessible else it should not be accessible.
Hope some picture may be cleared.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is not possible.

If you've a hard head in this, you may want to create a Filter which checks the referrer (not recommended) or checks some token in the session (more recommended).
 
Just let me do the talking. Ahem ... so ... you see ... we have this tiny ad...
Free, earth friendly heat - from the CodeRanch trailboss
https://www.kickstarter.com/projects/paulwheaton/free-heat
reply
    Bookmark Topic Watch Topic
  • New Topic