I have a java web application where images are stored in a folder.

Now the problem is that the user is able to access the images with a URL as below.

http://localhost/Webapplication/images/image.jpg 

I want to block direct URL access to the image files which reside in the image folder of the web application. But these images should still be displayed via HTML pages.

I am running on the JBoss application server. I already googled this but ended up with the .htaccess solution, which is not helping in my Java application. Any help would be much appreciated. Thanks

alessandrio
Balan
  • Possible duplicate of [.htaccess not working apache-tomcat](https://stackoverflow.com/questions/10528552/htaccess-not-working-apache-tomcat) – Raptor Jun 01 '17 at 04:43
  • Are these images shown on the html pages? – Nurjan Jun 01 '17 at 04:43
  • Can you consider redirect as an option? – harshavmb Jun 01 '17 at 04:46
  • Yes. These images are shown in html pages. If I restrict the access via the security-constraint tag in web.xml, it also forbids images from being displayed via html pages @Nurzhan – Balan Jun 01 '17 at 05:02
  • No, I guess redirect won't solve my problem @harshavmb – Balan Jun 01 '17 at 05:04
  • @Balan, I don't really understand the point of blocking direct access to images if they are displayed on html pages. – Nurjan Jun 01 '17 at 05:07
  • I have basic form authentication in my web application, and want the images to be displayed only if the user is authenticated. Now, without authentication, the user is able to view the image with the URL @Nurzhan – Balan Jun 01 '17 at 05:16

1 Answer
  - You just use an AuthenticationFilter in your application.
  - AUTH_KEY is defined in LoginController to get the userId.
  - @Secured is defined in the web.xml file to filter this path.
  - @/Secured/temp/ is defined for images in my project directory.
  - @/Secured/login.xhtml is defined; after the servlet is configured, it will initially redirect to login.xhtml.

Follow the code below:

```java
import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects requests under /Secured/ to the login page when the session
 * carries no AUTH_KEY attribute.
 *
 * @author Md. Amran Hossain
 */
@WebFilter("/Secured/*")
public class AuthenticationFilter implements Filter {

    private FilterConfig config;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String uri = req.getRequestURI();

        // Redirect to the login page only when no user is stored in the session and
        // the request is not for the login page, /Secured/temp/ or a JSF resource.
        // Note: every URI containing /Secured/temp/ passes without a session check.
        if (req.getSession().getAttribute(LoginController.AUTH_KEY) == null
                && !uri.endsWith("/Secured/login.xhtml")
                && !uri.contains("/Secured/temp/")
                && !uri.startsWith(req.getContextPath() + "/Secured" + ResourceHandler.RESOURCE_IDENTIFIER)) {
            res.sendRedirect(req.getContextPath() + "/Secured/login.xhtml");
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        this.config = null;
    }
}
```

Put this configuration in web.xml:

```xml
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/Secured/*</url-pattern>
</servlet-mapping>
```
amran_bd
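For the requirement stated in the question (images under `/images/` served only to logged-in users), a filter can be mapped to that folder directly. The following is an added example, not code from the answer or the asker's project; the class name `ImageAccessFilter` and the session key `authUser` are assumptions to be replaced with whatever the application's login code actually sets.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: guards the question's /images/ folder. Hypothetical class name.
@WebFilter("/images/*")
public class ImageAccessFilter implements Filter {

    // Assumption: the login code stores a non-null value under this session key.
    static final String AUTH_KEY = "authUser";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = req.getSession(false);
        boolean loggedIn = (session != null && session.getAttribute(AUTH_KEY) != null)
                || req.getUserPrincipal() != null; // container-managed login, if used

        if (!loggedIn) {
            // A redirect to the login page is useless for an <img> request; refuse it.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Keep protected images out of shared caches.
        res.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Pages rendered after login still show the images, because the browser sends the session cookie with each `<img>` request; only requests without an authenticated session receive 403.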