3

I have a web application with Tomcat as its server. I put my web app in the folder $(TOMCAT_HOME)/webapps/myapp and my images in $(TOMCAT_HOME)/webapps/images, and I wrote the following in Tomcat's server.xml:

<Context path="/images" docBase="c:/servers/apache-tomcat-7.0.29/webapps/images"/>

It works OK. But I want to secure the folder. I mean, I want to ban access to the folder if the user is not logged in to my application. How can I do it?

Brian Tompsett - 汤莱恩
Andrew

2 Answers

1

You're going to need to put a `<security-constraint>` in your deployment descriptor. Something along the lines of this:

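<security-constraint>
    <web-resource-collection>
        <web-resource-name>Images</web-resource-name>
        <url-pattern>/images/*</url-pattern>
        <!-- No <http-method> is listed, so the constraint covers every HTTP method;
             listing only POST would leave GET requests to the images unprotected. -->
    </web-resource-collection>

    <!-- Only authenticated users holding one of these roles may access the URLs above -->
    <auth-constraint>
        <role-name>Admin</role-name>
        <role-name>Member</role-name>
    </auth-constraint>

</security-constraint>

<!-- Every role referenced in this descriptor is declared here -->
<security-role><role-name>Admin</role-name></security-role>
<security-role><role-name>Member</role-name></security-role>
<security-role><role-name>Guest</role-name></security-role>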

You will then need to define the user roles in a tomcat-users.xml file:

<tomcat-users>
    <!-- Example accounts; attribute values need plain ASCII double quotes -->
    <role rolename="Admin"/>
    <role rolename="Member"/>
    <role rolename="Guest"/>
    <user username="Conor" password="admin" roles="Admin, Member, Guest" />
    <user username="SomebodyElse" password="coder" roles="Member, Guest" />
    <user username="Andrew" password="newbie" roles="Guest" />
</tomcat-users>
Conor Pender
  • Edited to include security-role element. – Conor Pender Jul 12 '12 at 12:59
  • Thank you for the answer. But could you please explain: if I add the **<security-constraint>** to my **app's** **web.xml**, how does it help me? The web.xml has access only to the application folder. For example, my app is at the URL `http://localhost:8080/myapp/start.jsp` and my images are at the URL `http://localhost:8080/images/img/ef8e1b70541a.jpg`. How can the **web.xml** from myapp control access to the folder? – Andrew Jul 12 '12 at 13:46
  • Your web.xml can only limit access to resources within that project, so it can't define rules for the images folder where it is (to the best of my knowledge). Would it be feasible for you to move the images to "http://localhost:8080/myapp/images/kitten.jpg"? – Conor Pender Jul 12 '12 at 14:18
  • Here is what Oracle says on the matter: http://docs.oracle.com/javaee/5/tutorial/doc/bncbx.html#bncck – Conor Pender Jul 12 '12 at 14:22
  • Unfortunately, no. I can't move the images into the **webapp** :( If I could, I would not have asked the question on the forum :) – Andrew Jul 12 '12 at 14:25
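The answer above relies on `<security-constraint>`, `<auth-constraint>` and `<security-role>` in the deployment descriptor. The following check is an added example, not part of the original answer: it audits a web.xml for three gaps that leave such a constraint ineffective (a constraint that lists `<http-method>` elements applies only to those methods, a role used without a `<security-role>` declaration, and a missing `<login-config>`). The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original post): the constraint
# lists a single HTTP method and the Member role is never declared.
SAMPLE_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/images/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>
"""

def descendants(elem, name):
    """All descendants called `name`, ignoring any XML namespace prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    """Trimmed text of every descendant called `name`."""
    return [(e.text or "").strip() for e in descendants(elem, name)]

def audit_descriptor(xml_text):
    """Return a list of findings for the security constraints in a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r for sr in descendants(root, "security-role") for r in texts(sr, "role-name")}
    for sc in descendants(root, "security-constraint"):
        patterns = ", ".join(texts(sc, "url-pattern"))
        methods = texts(sc, "http-method")
        if methods:
            # Listed methods narrow the constraint; all other methods stay unconstrained.
            findings.append(f"{patterns}: only {methods} covered, other HTTP methods are open")
        for ac in descendants(sc, "auth-constraint"):
            for role in texts(ac, "role-name"):
                if role != "*" and role not in declared:
                    findings.append(f"{patterns}: role {role!r} has no <security-role>")
    if not descendants(root, "login-config"):
        findings.append("no <login-config>: no authentication method is configured")
    return findings

if __name__ == "__main__":
    for finding in audit_descriptor(SAMPLE_WEB_XML):
        print(finding)
```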
0

I know this question is a bit old, but for anyone coming to this post: I faced a similar problem and found a workaround:

Tomcat 7 - Secure a folder under webapps folder

Community
SyAu