I'd like to know if anyone has a solution to access resources of a website through a servlet only. I have all my resources under WEB-INF. In other words, I don't want users to have direct access to any of my resources.
+1
A:
You can use ServletContext#getResource() for that.
URL resource = getServletContext().getResource("/WEB-INF/file.ext");
File file = new File(resource.getPath());
// ...
You can even use ServletContext#getResourceAsStream() to get an InputStream directly:
InputStream input = getServletContext().getResourceAsStream("/WEB-INF/file.ext");
// ...
As you can see in the examples, the ServletContext is available in servlets by the inherited GenericServlet#getServletContext() method.
That said, the phrase I don't want users to have direct access to any of my resources. is a bit contradicting. You're serving those resources by a servlet anyway? A servlet is directly accessible by URL. How is that different from "direct access"? Or do you just want to control the access based on some conditions? I'd say, a Filter is more suitable for this task.
Usually one would only fully hide the JSP files from direct access. In a Servlet which acts as front controller (according the MVC pattern) you could then forward requests to JSP files using RequestDispatcher#forward() which you in turn can obtain by ServletRequest#getRequestDispatcher().
request.getRequestDispatcher("/WEB-INF/page.jsp").forward(request, response);
BalusC
2010-05-09 02:28:21
I thought the original question was saying, "I don't want users to be able to view resources in their browser by typing in a direct URL". Putting your files you want to prevent "direct access" into WEB-INF and having the servlet get access to the resource sounds like "best practice" to me.
WineSoaked
2010-05-09 02:36:00
@WineSoaked: usually the concern is JSP files only, because you would like to hide the views in a fully MVC-controlled application. But for static resources like CSS/HTML/Images/JS? No. The problem is to be solved differently. It's only unclear *how* since the actual functional requirement is unclear as well.
BalusC
2010-05-09 02:37:33
You make a good point. But what if the servlet is generating the resources at runtime (not unheard of in my experience, even though I disagree with the practice)? If there are fragments of these CSS/HTML/JS/etc. that are processed through a servlet, that's a plausible use. If, however, you're just funneling the bytes from WEB-INF to the browser without doing anything, then the servlet is playing a proxy role, for which it is ill-suited.
WineSoaked
2010-05-09 03:11:14
A:
You can hide jsp from the end user. In fact, you don't even have to deploy original jsp files with your web application, you can precompile them:
http://tomcat.apache.org/tomcat-5.5-doc/jasper-howto.html#Web%20Application%20Compilation
And the only way to hide html/js/css files is not to use them. Anything that's sent to the browser can be viewed there.
Nikita Rybak
2010-05-09 02:47:53