restrict users from entering the image/text files path directly in the browser.

[vishnujava]

How do i restrict users from entering the image/text files path directly in the browser.
my web application has restrictions to jsp/servlet pages, wherein we ask for username and password which will chk and db and then authenticate.
but when an image or text file in a particular directory is accessed thru the web i have to restrict. how do i do that.

to be more clear

if i access
http:somename.com/index.jspit will ask for login information and only then other jsp pages can be accessed.

but
http/somename.com/images/logo.jpgif i type directly this image will appear, but i need to restrict, how to do that in Tomcat.

thanks in advance.

[skaspersen]

You would do that in the security section of your web.xml file.

[Norm]

skaspersen,
I'm not familiar with the security section of the web.xml page. I should read up on it. Where is the doc on how to use it?
Are you saying that you can restrict which files are returned by an HTTP GET from a browser? How does the server know whether a site has permission to get a file? There must be a state maintained that allows the server to know that some files can only be loaded to a specific site after the jsp code has said OK.

[vishnujava]

Hi skaspersen,

actually I don't have much knowledge on that in web.xml
could you please give me detials...or give me some link where I can find the details.

thanks in advance,

[vishnujava]

Please anybody let me know that whether it is possible or not?

[mtv134]

yes it is possible to do that using the <url-pattern> in the web.xml
you add a url mapping section to the web.xml with the extension of the images that are stored in the server and redirects the url to an error page when this url is accessed by the browser

The following table describes the elements you can define within a servlet-mapping element.

Element


Required/
Optional


Description

<servlet-name>


Required


The name of the servlet to which you are mapping a URL pattern. This name corresponds to the name you assigned a servlet in a <servlet> declaration tag.

<url-pattern>


Required




Example patterns:

/soda/grape/*
/foo/*
/contents
*.foo

The URL must follow the rules specified in Section 10 of the Servlet 2.2 Specification.

For additional examples of servlet mapping, see Servlet Mapping.

[skaspersen]

You need to create realm based authentication, and in your case use jdbcrealm. It is included in glassfish V2, implementations are available for other Application Servers just use google.

I have successfully implemented this in glassfish.

Your web.xml would have entries similar to this.

Java Code:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>developinjava</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
    </login-config> 
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Pages</web-resource-name>
            <url-pattern>*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>USERS</role-name>
        </auth-constraint>
    </security-constraint>

If a user tries to access pages that match the url-pattern property of web-resource-collection and they have not logged in they will automatically be redirected to the login form

Note: If this is not an intranet application you should probably serve the form over https and not http

Tomcat links:
Working with JDBCRealm
Tomcat Security Overview and Analysis

Glassfish links:
JDBCRealm in GlassFish with MySQL : Shing Wai Chan's Weblog
Develop in Java