Thanks to everyone in advance -

How would I go about disabling access via the browser by filetype?

For instance if I wanted to disable all access to .xml files how would I go about doing this?

Thanks

A: 

Hi Sam,

As far as I know there is no straightforward solution for this. At the end of this post, it is explained how you can use JDBCRealm to create a security context around some files of your election. If a user tries to access a file that matches your pattern (in your case *.xml), they would be redirected to a login or an error page.

jdecuyper
+1  A: 

I wanted an answer to this myself, and wasn't satisfied with the JDBCRealm answer.

The default hidden folders "WEB-INF" and "META-INF" are hard coded in the Static Resource logic, so using the same mechanism seems prohibitively difficult. You'd have to replace or modify some combination of DefaultServlet, StandardContext, and StandardContextValve. It's a mess.

But there are two simple ways I tried that accomplish the filtering you're after.

Using a Filter

You can write a generic Servlet Filter to return 404 errors for any file matching some list. You could set up that list as Environment Entries in context.xml, in a properties file on the classpath, stored in a database, or whatever your preference (even as hard-coded Strings, if you're some sort of masochist).

Using a Valve (Tomcat-specific)

Tomcat Valves accomplish pretty much the same thing as Filters, but at a lower level. They are not part of the Servlet Spec, so your app won't be portable to other Servlet Containers. Also, in my experiments with this, sending 404 responses does not go through the same channel as 404 responses sent normally in your application (e.g., if you set up custom 404 pages or handlers, they aren't used when a 404 returns from a Valve).

drfloob
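
A sketch of the Filter approach described in the answer above, added here as an illustration and not code from either poster. The class name `BlockedExtensionFilter` and the init-param name `blockedExtensions` are hypothetical, and the `javax.servlet` package is assumed (Tomcat 10 and later use `jakarta.servlet` instead). It matches on the container-decoded path, not the raw request URI, so URL encoding, letter case and `;jsessionid`-style path parameters do not change the result.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: answers 404 for any request path ending in a blocked extension.
public class BlockedExtensionFilter implements Filter {
    private final Set<String> blocked = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        // "blockedExtensions" is an assumed init-param name, e.g. "xml,properties"
        String param = config.getInitParameter("blockedExtensions");
        if (param == null) return;
        for (String ext : param.split(",")) {
            String e = ext.trim().toLowerCase(Locale.ROOT);
            if (!e.isEmpty()) blocked.add(e.startsWith(".") ? e : "." + e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo are already URL-decoded and stripped of
        // ";param" segments by the container, unlike getRequestURI().
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        String lower = path.toLowerCase(Locale.ROOT);
        for (String ext : blocked) {
            if (lower.endsWith(ext)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return; // do not pass the request down the chain
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml and pass the extension list as the init-param. With the default dispatcher mapping (REQUEST only) it applies to client requests but not to internal forwards or includes, so the application can still read the files itself.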