
blocking access to static content folders

I want to know how to block access to the static content folders in my web-app. Right now the folders are inside the web-root folder in the war, like so:

    myapp/

       -css/
       -js/
       -swf/
         :
       WEB-INF/

I want the content to be visible only from the application when the user is in a session. The content should be blocked if someone hits the URL outside his/her session (after it has expired).

It's a Groovy/Grails app with Spring, and we are using a Tomcat server.

pri_dev asked Dec 27 '22 11:12


1 Answer

  1. Normally, files under /WEB-INF are not accessible directly from outside. It is good practice to keep such files under /WEB-INF.
  2. Securing using Web Security constraints. Here is the sample for restricting your folders:

     <security-constraint>
       <web-resource-collection>
         <web-resource-name>precluded methods</web-resource-name>
         <url-pattern>/css/*</url-pattern>
         <url-pattern>/js/*</url-pattern>
         <url-pattern>/swf/*</url-pattern>
       </web-resource-collection>
       <!-- An empty auth-constraint names no roles, so the container denies
            all direct requests to the URL patterns above. -->
       <auth-constraint/>
     </security-constraint>
    
  3. Most app servers support masking files or directories from the outside world. Please check their documentation.

    Tomcat Documentation

Ramesh PVK answered Feb 23 '23 04:02