
Restrict access of files under web app

 
prajula Kottai
Greenhorn
Posts: 4
Hi All,
I have 2 or more web applications in my application. I am using the Struts framework.
The problem is, unauthorized people can access the files that are under my web app folder (e.g. the webapp name is XYZ).
I can use filters to restrict it, but I just wanted to know whether there is any configuration that can be done in struts config.xml in order to restrict it?
And also, can I use a file of one webapp in another to define under filter class in web.xml?

Thanks in advance...
Prajula
 
billy boyfour
Greenhorn
Posts: 1

Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. Regardless of the mechanism(s), all of the following are recommended:

* The authentication and authorization policies should be role based, to minimize the effort required to maintain these policies.
* The policies should be highly configurable, in order to minimize any hard coded aspects of the policy.
* The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.
* If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.

Some helpful links

http://www.montana.edu/itcenter/security/web/best-practices.php
http://strutscr.uw.hu/0090.html

~billyboy
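
The role-based, deny-by-default policy recommended above can be expressed declaratively with the servlet container's own security constraints in `web.xml`. This is an added example, not part of the original post; the `/files/*` path, the `xyz-user` role and the `XYZ` realm name are assumed names, and the fragment goes inside the `<web-app>` element of the webapp that serves the files.

```xml
<!-- Fragment for WEB-INF/web.xml of the webapp that serves the files.
     /files/*, xyz-user and the XYZ realm name are assumed names. -->

<!-- 1. Deny by default: an empty <auth-constraint> means no role may
        access. No <http-method> is listed, so all methods are covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- 2. Explicit grant: the longer path prefix is the best match for
        /files/abc.zip, so this constraint applies instead of the /* one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Downloadable files</web-resource-name>
    <url-pattern>/files/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>xyz-user</role-name>
  </auth-constraint>
  <!-- BASIC credentials are only encoded, not encrypted: require TLS. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 3. How callers authenticate; the container checks the credentials
        against its configured realm. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>XYZ</realm-name>
</login-config>

<!-- 4. Every role named in an <auth-constraint> is declared here. -->
<security-role>
  <role-name>xyz-user</role-name>
</security-role>
```

Users and their role assignments live in the container's realm configuration, so grants can change without touching application code.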


 
Kathleen Angeles
Ranch Hand
Posts: 123
prajula Kc wrote:
I can use filters to restrict it, but I just wanted to know whether there is any configuration that can be done in struts config.xml in order to restrict it?


They cannot access anything inside the WEB-INF folder.

prajula Kc wrote:
And also can I use a file of one webapp in another to define under filter class in web.xml?


Why not put it in a jar and let those 2 apps get a copy of it?
 
prajula Kottai
Greenhorn
Posts: 4

I cannot change the complete structure of the application. I have written a new class in the other app and used it as a solution for the usage of the file since the functionality is totally different.
The problem now is when one web application is accessed from the other, the session object seems to be null. Is there a way to share the same session object across the web applications? Any other solution can also be suggested.

Below is the usage

code snippet:
<a href="host/xxx/abc.zip">Files</a>
where this link is accessed from a JSP page of one webapp and the file is located in the specified path, where "xxx" is another webapp.
How can I restrict its access?
 
Kathleen Angeles
Ranch Hand
Posts: 123
That is spaghetti programming, I think.

Coupling.

 
prajula Kottai
Greenhorn
Posts: 4
Kathleen Angeles wrote: That is spaghetti programming, I think.

Coupling.


Is there a way to stop its access?
 
Kathleen Angeles
Ranch Hand
Posts: 123
One ugly way is to play with the firewall, IP address / port filter, to control access to files in your PC or server. E.g. allow access if the client is from a specific IP address/port. Not really sure how (server filter, OS filter, Unix file access control), but just an idea.
 
prajula Kottai
Greenhorn
Posts: 4
Kathleen Angeles wrote: One ugly way is to play with the firewall, IP address / port filter, to control access to files in your PC or server. E.g. allow access if the client is from a specific IP address/port. Not really sure how (server filter, OS filter, Unix file access control), but just an idea.


My application is not local to my server ...
 