tomcat deny access to specific files

Tags: java, tomcat

I have a webapp in Tomcat with a main JSP file that includes another JSP file in the center of the page. I want to deny access to that file directly, and only allow direct access to the main index page.

Also, I don't want users to be able to get images from my webapp directly.

How can I deny those requests with Tomcat? I want all of the requests to forward to my main page.

shay asked Mar 17 '11 00:03


3 Answers

From the page "Prevent access to include files".

Add in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Include files</web-resource-name>
        <description>No direct access to include files.</description>
        <url-pattern>/inc/*</url-pattern>
        <!-- No <http-method> elements: the constraint then covers every
             HTTP method (HEAD, PUT, ...), not only GET and POST. -->
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to include files.</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>
rodrigoap answered Oct 20 '22 17:10


One way would be to implement a Filter.

For example:

package mypackage; // placeholder name; "package" is a reserved word and cannot be a package name

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FilterImplementation implements Filter
{
    public void init(FilterConfig filterConfig) throws ServletException
    {
        // no initialisation needed
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        // if you detect an illegal request, throw an exception or return without calling chain.doFilter.
        chain.doFilter(request, response);
    }

    public void destroy()
    {
        // nothing to release
    }
}

Add the following to web.xml:

<filter>
    <filter-name>MyFilter</filter-name>
    <filter-class>mypackage.FilterImplementation</filter-class>
</filter>

<filter-mapping>
    <filter-name>MyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

EDIT

Everything you need to know about which page is being requested is in the request parameter. The parameter type is ServletRequest; however, it will almost always be an HttpServletRequest, so you can do the following:

if (request instanceof HttpServletRequest)
{
    HttpServletRequest hrequest = (HttpServletRequest) request;
    String uri = hrequest.getRequestURI(); // you should be able to just use this
    String url = hrequest.getRequestURL().toString(); // otherwise there are more in-depth fields (getRequestURL() returns a StringBuffer)
}
pstanton answered Oct 20 '22 17:10


  1. Regarding the included JSP files, you should place them under the WEB-INF folder. This way, they are not accessible directly from the browser, yet it allows your main JSP file to include them.

  2. The same thing with images, but images are a little bit tricky, yet doable. Place them under the WEB-INF folder, and because of that, you can't access the images statically from the <img> tag. What you will need to do is to create a servlet that serves as a proxy to get the image and stream it out... so, your <img> looks something like this:

<img src="/webapp/imageServlet?img=world.jpg">

Your ImageServlet will then read the world.jpg file from the WEB-INF folder and stream the image out.

limc answered Oct 20 '22 18:10
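
A sketch of the ImageServlet described in the last answer, added here as an example and not code from any of the answers. Because the file name arrives in a request parameter, the servlet must validate it, otherwise the same parameter could be used to read other files under WEB-INF such as web.xml. The package name, the /WEB-INF/images/ directory and the allow-list pattern are assumptions.

```java
package mypackage; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map this servlet to /imageServlet in web.xml.
public class ImageServlet extends HttpServlet {
    private static final String IMAGE_DIR = "/WEB-INF/images/"; // assumed location
    // Allow-list: a plain file name with an image extension. '/', '\', ".."
    // and '%' cannot match, so the parameter cannot reach web.xml or classes.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(?:jpg|jpeg|png|gif)");

    static boolean isSafeName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("img");
        if (!isSafeName(name)) {
            // Same response as a missing file, so probing reveals nothing.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String path = IMAGE_DIR + name;
        // getResourceAsStream reads from inside the webapp, WEB-INF included.
        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String type = getServletContext().getMimeType(path);
            resp.setContentType(type != null ? type : "application/octet-stream");
            resp.setHeader("X-Content-Type-Options", "nosniff");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                resp.getOutputStream().write(buf, 0, n);
            }
        }
    }
}
```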