direct access to html

I have written some code to prevent direct access to html files.But, that is not working as expected. I am trying to restrict direct access to any files inside /contextroot/html diretory.

So, i mentioned this in web.xml :
<servlet-mapping>
<servlet-name>HtmlFilter</servlet-name>
<url-pattern>/html/*</url-pattern>
</servlet-mapping>

So, whenever user will try to directly access /html/*.html , HtmlFilter servlet will be called which will redirect control to html through response.sendRedirect().
So, servlet is getting called whenever /html/* request is there. But,flow is going like this :

servlet-->html-->servlet-->html-->servlet-------..

seems like cyclic behavior.
I am not getting how to prevent /html/* from direct access.
Any help.

Hi,

you can use permission & access tags "DENIED" in web.xml for avoiding direct access to jsp / html pages.

i tried successfully for jsp pages but not for html pages.
please go through settings permissions and access in web.xml file

regards
vijay

Can you post some sample code.
Just to make sure,you understood my doubt : When user is accessing the html directly by coming through login id/password , it should be accessible but if user is just copying and pasting the url in other tab of same brower/different browser, he should not be able to view the html.
I did some googling but not sure, your concept will work.

Any help!!

Originally posted by Raj Kumar Bindal:
Any help!!

Ummm, with the exclamation marks that sounds a bit like an order is being given. I'm not sure that's going to work with people who volunteer their time here.

If it's so urgent that you felt the need to post after just 20 minutes, you must have tried all kinds of things yourself since then. What were those, and how did they (not) work?

Just define a security constraint in web.xml.

If you have respected the netiquette, I would maybe have typed a small configuration example, but now you have to Google it. Good luck.

What you can do is, add following line in web.xml

<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>

I apologize. Ranchers have always been very helpful to me.
<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>

Specifying like this way protects the resources but even if i am trying to access html properly through application, i am not able to access it as it is protected.
But, main requirement is : after copy paste the address in address bar, html should not be accessible which is getting accessed now.
Please post some code if possible.

Originally posted by Raj Kumar Bindal:
But, main requirement is : after copy paste the address in address bar, html should not be accessible which is getting accessed now.

You must be doing things the wrong way. Hard to say without actually knowing what you've done so far.

Please post some code if possible.

You should not ask for code.

<security-constraint>

<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
</auth-constraint>

</security-constraint>

As per above code, if i trying to access /jsp/** through requestdispatcher in a servlet, it will be perfectly accessible as url will remain unchanged.
But, if i try to access /jsp/** by doing response.sendRedirect() from my servlet, it will not allow the access as we have restricted its access in web.xml.
As per my application, i am going to /jsp/** by doing redirect and need that if i am trying to access /jsp/** through some servlet(response.sendRedirect()) , then only it should be accessible else it should not be accessible.
Hope some picture may be cleared.

This is not possible.

If you've a hard head in this, you may want to create a Filter which checks the referrer (not recommended) or checks some token in the session (more recommended).