I have a webapp in Tomcat with a main JSP file that includes another JSP file in the center of the page. I want to deny access to that file directly, and only allow direct access to the main index page.
Also, I don't want users to be able to get images from my webapp directly.
How can I deny those requests with Tomcat? I want all of the requests to forward to my main page.
From the page Prevent access to include files .
Add in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Include files</web-resource-name>
<description>No direct access to include files.</description>
<url-pattern>/inc/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>No direct browser access to include files.</description>
<role-name>NobodyHasThisRole</role-name>
</auth-constraint>
</security-constraint>
One way would be to implement a Filter
For example:
package package;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class FilterImplementation implements Filter
{
public void init(FilterConfig filterConfig) throws ServletException {...}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
// if you detect an illegal request, throw an exception or return without calling chain.doFilter.
chain.doFilter(request, response);
}
public void destroy() {...}
}
add the following to web.xml:
<filter>
<filter-name>MyFilter</filter-name>
<filter-class>package.FilterImplementation</filter-class>
</filter>
<filter-mapping>
<filter-name>MyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
EDIT
Everything you need to know about which page is being requested is in the request
parameter. The parameter type is ServletRequest
however it will almost always be an HttpServletRequest
so you can do the following:
if (request instanceof HttpServletRequest)
{
HttpServletRequest hrequest = (HttpServletRequest) request;
String uri = hrequest.getRequestURI(); // you should be able to just use this
String uri = hrequest.getRequestURL(); // otherwise there are more in-depth fields
}
Regarding the included JSP files, you should place them under WEB-INF
folder. This way, they are not accessible directly from the browser, yet it allows your main JSP file to include them.
The same thing with images, but images are a little bit tricky, yet doable. Place them under WEB-INF
folder, and because of that, you can't access the images statically from the <img>
tag. What you will need to do is to create a servlet that serves as a proxy to get the image and stream it out... so, your <img>
looks something like this:-
==========
<img src="/webapp/imageServlet?img=world.jpg">
==========
Your ImageServlet
will then read world.jpg
file from WEB-INF
folder and stream the image out.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With