On Wednesday 25 February 2004 17:58, Eric Cho wrote: > Hi all, Hi,
> Here's the background to my question. > > A web application sitting on WebSphere 4.x (soon to be Websphere > 5.x). On the web application we have many links to various documents > (pdfs, docs, xls....etc) and static html files. > But there is a requirement to secure many, if not all, these static > documents/pages. > > How would we go about doing that? > > I realize, we could change the html files to jsp and add our security > code but the problem is these html files are generated by a third > party tool and the content is often changed. One important question: is it only the content that changes or the file names as well? > Upon every change, it > generates a whole new set of html files. Where upon we will have to > go back and change them to jsps and add the security code. This > would be very time consuming. And as you may easily forget a single page, it's error-prone, too. This is definitely not the way to go. > Even so, if we could do this, how would we secure the pdfs, docs and > etc? Ideally what we'd like to see happen is, if a user was to have a > URL and path to a file, they would be thrown to a login page if they > weren't first authenticated. > > So if any of you have ideas from both the application and/or server > side, it'd be much appreciated. There a two possible approaches that have already been mentioned. A third suggesting would be to move all files to a 'secure' location where they can't be accessed directly (anywhere underneath /WEB-INF or to a directory which is protected by other means, .htaccess, for example. Then, route all access through a Servlet which handles the necessary security issues in a central place and just delivers the files from the protected directory. When using Struts, you can leave this task to ActionServlet, but you have to wrap each page into a ForwardAction initially in struts-config.xml (adhering the 'Action first' rule). And in both cases, you have to make sure possible links in your pages don't contain static references, but call either your Servlet or the related Struts action instead. Whether you use Struts or not, the ability of handling security issues in a central place is one of the numerous benefits of an MVC design. If your current app was not architectured in this manner, it's usually easier to use a filter or container security mapped to paths, as mentioned before. HTH, -- Chris. > Thank you, > > Eric Cho > Web Solutions > Celero Solutions > [EMAIL PROTECTED] > www.celero.ca =========================================================================== To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST". For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST". Some relevant archives, FAQs and Forums on JSPs can be found at: http://java.sun.com/products/jsp http://archives.java.sun.com/jsp-interest.html http://forums.java.sun.com http://www.jspinsider.com
