问题
I want to know how to block access to the static content folders in my web-app. right the folders are in inside the web-root folder in the war. like so:
myapp/
-css/
-js/
-swf/
:
WEB-INF/
I want the content to be visible only from the application when user is in a session. The content should be blocked if someone hits the url outside his/her session (after it has expired).
Its a groovy-grails app with spring and we are using tomcat server.
回答1:
- Normally, files under /WEB-INF are not accessible directly from outside. It is good practise to keep such files under /WEB-INF.
Securing using Web Security constraints. Here is the sample for restricting your folders:
<security-constraint> <web-resource-collection> <web-resource-name >precluded methods</web-resource-name> <url-pattern >/css/*</url-pattern> <url-pattern >/js/*</url-pattern> <url-pattern >/swf/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-constraint>Most of the app servers have the support of masking the files or directories to the outside world. Please check their documentations.
Tomcat Documentation
回答2:
You would need to either:
- Stream them back yourself after doing a session check
- Put a regular
Filteron those paths that check for a valid user in session
来源:https://stackoverflow.com/questions/8115132/blocking-access-to-static-content-folders