Protecting static files?
Hi
I've got an unusual situation where I need to protect some of the static images on my site from unauthorized access. Is there any way of doing this transparently? A not-so-elegant way would be to block off access to the web directory that serves them and have these images delivered by a servlet instead, but I'd like to avoid this.
(i.e. I would rather not have to change every occurrence of this
<img src=http://blah.blah.com/static_images/image1.jpg>
to this
<img src=http://blah.blah.com/getImage.jsp?file=image1.jpg> )
For example, is there some way of tying together Web Server authentication (I'm using iPlanet specifically) with the sessionID used by the app server and denying access to these assets at the web server itself?
I'd really appreciate any help/ideas on this...
> (i.e. I would rather not have to change every occurrence of this
> src=http://blah.blah.com/static_images/image1.jpg
> to this
> src=http://blah.blah.com/getImage.jsp?file=image1.jpg
You don't have to: just specify your servlet mapping accordingly in your web.xml:
<servlet-mapping>
    <servlet-name>ImageAccessControlServlet</servlet-name>
    <url-pattern>/static_images/*</url-pattern>
</servlet-mapping>
If iPlanet is not itself the App Server, you can configure it to forward relevant requests to the AppServer: I don't know all the details, but it's something you can configure as an <Object> entry in iPlanet's obj.conf configuration file.
There are several ways of doing this. You could use the Servlet API's security option, but that requires a bit of work to set up. You could write a servlet to serve up your images, but that requires a bit of work also.
I suggest writing one Filter to check if the user is authorized. Keep in mind if you need to access the Session from a Filter, you need to check/cast the ServletRequest to an HttpServletRequest object before calling getSession(). If the security check passes, call chain.doFilter(). If not, send an error code back or forward to a URL; it's up to you.
Using the <filter> tag in web.xml, you can declare the Filter and the container will create one instance of the Filter for you. Next, for each image you want to protect, declare a <filter-mapping> tag in web.xml. Use the name of the filter from the <filter> tag and the url of the image for the <url-pattern> tag. Now, for each request for the image your Filter will be called first. This allows you to 'plug' in this quick security check for any URL (HTML, Image, servlet, jsp) simply by adding the tag in web.xml.