This question already has answers here:
Restrict JSP/Servlet access to specific users only
(2 answers)
Closed 3 years ago.
Hello!
I'm trying to figure out if there is a way to hide content, for instance a html file from browser users in Tomcat.
A servlet is to check if a password is correct and if so use response.sendRedirect("example.html").
Having the example.html directly in webapps/Application folder makes it accessible to anyone by typing http://whatev.com/Application/example.html
I seem to remember that files added in WEB-INF are hidden. But then I cant seem to redirect to them.
I guess the proper way is to use a Filter, but Im really curious if it can be easily done the way I imagine. It feels that in this day of age, having content so accessible by default and make it difficult to hide, rather then the other way around, feels weird. I bet I'm missing something obvious, thus the question :)
Thanks in advance!
Putting the pages into WEB-INF is the mostly used way how to do it, then there is accessible by default nearly nothing and the app decides about the fact which content is shown in which context in the application (so, also for which user). In the application you define the mapping of the url actions to such by default invisible pages - in the most of cases there are mostly some dynamically generated pages, not simple html. Mostly used way is to use some web application framework, which does it for you - like Spring framework, Struts or others.
You can also limit the access to the web application resources with the usage specific tomcat features like the definition of tomcat users and security roles - see for example this link or this example
Related
I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar like Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning if we change how this "Application Switcher" looks we don't want all applications which use this Switcher to create a new deployment and be newly deployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was just to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The Script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script from a CDN like server and the script tag in the index.html just references this URL. This way we could change this script however we want, and all the applications will always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting a script tag and fetching from a CDN was too simplistic. Now I'm thinking if it would be better to implement a rest endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and instead can handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?
Currently I'm developing a Java 8 / JavaEE 7 Web application using JSF 2 with Primefaces 6.
As a part of this project, I have to build a module to fetch translations (messages in German and English) from a database to get a dynamically translated application since hard coding Strings simply isn't an option.
After two days of reading stuff about ResourceBundles, ResourceBundle.Controls and ResourceBundleControlProvider I completely lost understanding of the whole matter.
I found many possible solutions that were about two to three years old, which were always completely different, which is why I came to ask my question here. I know that there are some posts here that describe some cases but I would be glad if someone could help me understand this matter.
Could anyone explain the usual workflow or state-of-the-art method to solve my problem and give an explanation of the important classes used for the solution?
If anyone ever encounters the same issue as me, after days of searching and tinkering around I found a website that provides a very neat tutorial to achieve i18n in a JSF application with localized strings from a database.
This guide explains the needed steps one after another and worked pretty well for me.
https://zenidas.wordpress.com/recipes/database-resource-bundle-in-a-jsf-application/
The basic steps to be done are as follows:
Create the resource bundle extension that will delegate the resources lookup in a database control
Create the necessary extensions for different locales
Create the database tables and the corresponding JPA entities
Create the resource bundle control that will get the contents from the database
Define the resource bundle in the faces-config file
After those steps it should be possible to access the localized data from the database, if there are some difficulties I'd recommend to test the database access itself independent of the resource bundles.
Hopefully this will be useful to someone, someday.
Hi:
In our application,there are so many sub pages and menus,for example:
the main menu for the whole site:
Index/Document/News/SysConfig and etc.
And inside the Sysconfig page,there are also other menus like :
user managment,roles,logs... and etc.
Now we use the iframe to make the layout of the site,we change the related iframe's src attribute according to user's choice. but I wonder if this is a good idea?
I thought use the tempalte,for example the apache tiles in jsp and the masterpage in asp.net.
I wonder which is the best pratice?
Best Practice would be to go the templated route ...
I haven't really looked into web accessibility for a long time ... but in the past when I used to work on externally facing sites, using frames of any sort was a big no-no. Screen readers would have problems with frames including iframes. I'm not sure if the current generation of screen-readers handle them better.
There's also the search result/deep linking issues to consider. For example, will your google result link point directly to the page in the iframe? do you have to do a hack to redirect the user to the main page?
Also going the templated route may not be that difficult as long as you don't have a lot of content to migrate. There are fantastic content management solutions out there like Wordpress, or Drupal and Joomla if you have more complex needs.
I'm thinking if it's a good idea to have a Web app which doesn't require a site login. This is for something like a public wiki where you just want to jump in and create stuff but still have a way to control access.
Content can be read/edited by the content creator (or a few other people).
What would be good references or existing apps that implement something like this?
EDIT: The closest similar "no signup" site I could find was ImageShack though there you can't edit what you've already submitted.
I'm not too sure on the value of this type of a system. Once the password/key has been in circulation for x time, they will be rendered useless.
I recommend rather going for something that's more scalable and open, with a good example being OpenID. Here's a good library of implementations for it as well.
I redesigned a website that was using CMS Made Simple. It's a relatively small site and I'm learning as I go along, so I first built the redesign using just HTML but I'm now going to use PHP includes.
But I don't know how to integrate what I'm building into the CMS. I searched around the server and I can't find any traces of the pages built with CMSMS, so I assume that everything is contained somewhere within the CMS.
But I want something that will allow pages to be built and edited both inside and outside the CMS. If it's done outside, I want to be able to just FTP the new or changed content to the server.
Is this possible, and if so, what would be the best free CMS?
Thank you.
I don't know if I understood yout question, but I think you don't understand the concept of a CMS.
The redesign you made should only change the Theme/Style files, the content itself should be changed only in the administration of the CMS. What you may change from outside and FTP is only the theme files.
Things work this way so the person that put content in the site doesn't have do be a designer/developer.
BUT, there are some kind of CMS that may allow you to do what you want, but they are not completely free. Give it a look at CushyCMS and PageLime.
Since they intend to be a CMS for editing already made static sites, you may use it and if needed you can pull some page from FTP, edit it and then push it back.
You can try Template Externalizer http://dev.cmsmadesimple.org/projects/externalizer, which will give you FTP Access to Edit different content blocks, all templates, css and some content. I'm sure it will make your life easier when developing or integrating HTML into the page.
Template Externalizer, "watches" a FTP folder. and when you upload files onto the server, it saves the changes into the database making your change visible right away.
The files willl be located here: CMSROOT-INSTALLATION-PLACE/tmp/externalizer/
I hope this helps a bit.