Slightly off-topic -- Tomcat related

I have a servlet that is invoked by clicking a hyperlink that is rendered by a JSP running in Tomcat. The servlet receives a file path parameter in the HTTP request, and then streams that file to the requesting client. I have a <security-constraint/> defined in Tomcat for the JSP, requiring basic password authentication. However, if I define the <security-constraint/> so that it applies to the servlet also, then the following error occurs when the servlet attempts to stream the file to the client.

The browser presents the file info and prompts to save or open the file, but then when the actual streaming is attempted, the browser reports that the site is unreachable. This is apparently caused by the lack of any authentication during the file streaming operation, because when I define the <security-constraint/> so that it applies to the JSP but not the servlet, the problem does not occur. I don't really understand why it behaves this way, since the servlet was invoked with proper authorization, and the problem occurs only when the servlet starts streaming a file to the client. But it does seem to be an authorization problem, since it goes away when I don't constrain the servlet for authentication. I can operate this way, but then my JSP is protected and the servlet is not.

Is there a way to specify authentication parameters during the file streaming operation? Does anyone have an explanation for what I'm experiencing? Here's my servlet code:

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.activation.MimetypesFileTypeMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FileSender extends HttpServlet {

  protected void doGet(HttpServletRequest request,
                       HttpServletResponse response)
      throws ServletException, IOException {

    // The "file" parameter is used exactly as received, so any path the
    // Tomcat process can read is reachable through this servlet.
    String filename = request.getParameter("file");
    File file = new File(filename);

    // Map the file's extension to a MIME type using the JDK's mime.types table.
    MimetypesFileTypeMap mimeTypes = new MimetypesFileTypeMap(
        "C:\\Program Files\\Java\\jdk1.5.0_01\\lib\\mime.types");
    String mime = mimeTypes.getContentType(file);
    response.setContentType(mime);
    response.setHeader("Content-Disposition", "attachment;"
        + "filename=" + file.getName());

    // Stream the file to the client in 1 KB chunks; close the input stream
    // even if the copy fails part-way through.
    FileInputStream in = new FileInputStream(file);
    try {
      OutputStream out = response.getOutputStream();
      byte[] buf = new byte[1024];
      int i;
      while ((i = in.read(buf)) != -1) {
        out.write(buf, 0, i);
      }
      out.close();
    } finally {
      in.close();
    }
  }
}

And here's my web.xml. With this configuration, the file download fails as described above. To make it work, I remove the second <url-pattern/> element as indicated.

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>

  <display-name>File Port</display-name>

  <description>
    Makes files available through the web container
  </description>

  <servlet>
    <servlet-name>FilePort</servlet-name>
    <description>
      Retrieves specified file and sends it to requester
    </description>
    <servlet-class>FileSnatcher.FileSender</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>FilePort</servlet-name>
    <url-pattern>/FilePort</url-pattern>
  </servlet-mapping>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FileSnatcher</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/FilePort</url-pattern> <!-- remove this to make it work -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JDBCRealm</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
  </security-role>

</web-app>
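Whatever the cause of the download failure, the servlet as posted will stream any file the Tomcat process can read, and it relies entirely on the container's <security-constraint/> for access control. The following is an added example, not the poster's code, of how a servlet of this shape can be written so that it stays safe even while the constraint on /FilePort is being debugged: it confines requests to a base directory, refuses anything that escapes it, and checks the "manager" role from the web.xml above itself. The servlet init-param `baseDir` and the helper `resolveUnderBase` are assumptions introduced here; the code assumes Java 7+ (java.nio.file) and the standard Servlet API rather than the JDK 1.5 setup in the post.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FileSender extends HttpServlet {

    // Assumed: every file this servlet may serve lives under this directory.
    // It is read from a hypothetical init-param "baseDir" in web.xml.
    private Path baseDir;

    @Override
    public void init() throws ServletException {
        String configured = getInitParameter("baseDir");
        if (configured == null) {
            throw new ServletException("init-param baseDir is required");
        }
        baseDir = Paths.get(configured).toAbsolutePath().normalize();
    }

    /**
     * Maps the untrusted "file" parameter to a path under base, or returns null
     * when the request escapes the base directory ("../", an absolute path, etc.).
     * normalize() collapses ".." segments before the containment check.
     */
    static Path resolveUnderBase(Path base, String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        Path candidate = base.resolve(requested).normalize();
        return candidate.startsWith(base) ? candidate : null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Defence in depth: even if the <security-constraint> does not cover
        // /FilePort, refuse callers that are not authenticated as "manager".
        if (request.getRemoteUser() == null || !request.isUserInRole("manager")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        Path file = resolveUnderBase(baseDir, request.getParameter("file"));
        if (file == null || !Files.isRegularFile(file)) {
            // Same status for "outside base" and "missing" so the response
            // does not reveal which one applied.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Let the container's own mime mapping decide the type instead of a
        // hard-coded path to a JDK mime.types file.
        String name = file.getFileName().toString();
        String mime = getServletContext().getMimeType(name);
        response.setContentType(mime != null ? mime : "application/octet-stream");
        response.setHeader("Content-Length", Long.toString(Files.size(file)));
        // Only the basename reaches the header, quoted so that spaces or ';'
        // in the name cannot change the header's structure.
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + name.replace("\"", "") + "\"");

        try (InputStream in = Files.newInputStream(file);
             OutputStream out = response.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

With this version the <security-constraint/> on /FilePort is still the primary control, but removing it while troubleshooting no longer exposes arbitrary files, and a request such as `?file=../../conf/tomcat-users.xml` resolves outside `baseDir` and gets a 404 rather than the file. The `baseDir` value would be supplied as an `<init-param>` inside the `<servlet>` element of the web.xml above.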
