I had a similar problem. I kept the files out of the webapps folder. I wrote a servlet that checks the username before serving up the file. If the user has access to the file, then it sends it; otherwise it blocks access.

Hamish

-----Original Message-----
From: Surya Suravarapu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 1:18 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat security issue -- URGENT

I didn't get any responses, so I'm reposting with some summary. I'm pretty sure somebody might have a solution for this.

Summary: Is it possible to protect a resource in a particular folder which is under web application context? By protection I mean, only my application has to use that resource and if anybody else accesses it manually he must either get "access denied" or a "dialog box" with username and password.

Please see below for more details.

Thanks.
-Surya

----- Original Message -----
From: "Surya Suravarapu" <[EMAIL PROTECTED]>
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
>
> I've a context called WebApp whose docBase="E:\WebApp". So, when I
> point my browser to http://localhost/WebApp/main it will take me to the
> login screen of the application.
>
> There is a folder called "Reports" in my E:\WebApp. Some part of my
> application is using Response.sendRedirect() and displaying the
> requested file (from the Reports folder) to the browser. That's fine. I
> want to show the files from that folder only through the application
> and I have to configure my web server in such a way that it denies
> requests if a User enters the file name manually like
> http://localhost/WebApp/Reports/some-file.xls. Please help me if you
> have a solution for this.
>
> Thanks.
> -Surya
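
The approach described in the reply at the top of this thread (files kept outside the web application folder, served by a servlet that checks the user first), as an added example that is not code from the thread. Assumptions: the `javax.servlet` API (`jakarta.servlet` on current Tomcat), Java 9 or later, a hypothetical `E:\ReportStore` directory, a session attribute named `user` set by the application's login, and a constructed in-memory access table.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: map this servlet in web.xml to a pattern such as /report/*.
public class ReportServlet extends HttpServlet {
    // Hypothetical directory outside the context's docBase, so no URL maps to it directly.
    private static final Path REPORT_DIR =
            Paths.get("E:\\ReportStore").toAbsolutePath().normalize();
    // Constructed sample data: user -> files that user may download.
    // A real application would look this up in its own user store.
    private static final Map<String, Set<String>> ACL =
            Map.of("alice", Set.of("sales-q1.xls"));

    // Returns the file to serve, or null when this user may not have it.
    static Path resolve(String user, String pathInfo) {
        if (user == null || pathInfo == null || pathInfo.length() < 2) return null;
        String name = pathInfo.substring(1); // drop the leading '/'
        // Exact-match allow list: unknown names and traversal strings never reach the disk.
        if (!ACL.getOrDefault(user, Set.of()).contains(name)) return null;
        Path file = REPORT_DIR.resolve(name).normalize();
        // Defence in depth: refuse anything that resolves outside the report directory.
        if (!file.startsWith(REPORT_DIR) || !Files.isRegularFile(file)) return null;
        return file;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Assumption: the application's login stored the username under "user".
        Object user = req.getSession(false) == null
                ? null : req.getSession(false).getAttribute("user");
        if (user == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        Path file = resolve(user.toString(), req.getPathInfo());
        if (file == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        resp.setContentType("application/vnd.ms-excel");
        resp.setHeader("Content-Disposition",
                "attachment; filename=\"" + file.getFileName() + "\"");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream()); // stream the bytes; no redirect to a static URL
    }
}
```

Because the response is streamed by the servlet rather than redirected to a file under the context, a manually typed URL for the file has nothing to hit, and every download passes through the access check.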
