Issue
I want to know how to block access to the static content folders in my web-app. Right now the folders are inside the web-root folder in the war, like so:

    myapp/
        css/
        js/
        swf/
        WEB-INF/

I want the content to be visible only from the application when the user is in a session. The content should be blocked if someone hits the URL outside his/her session (after it has expired).
It's a Groovy/Grails app with Spring, and we are using the Tomcat server.
Solution
- Normally, files under /WEB-INF are not accessible directly from outside. It is good practice to keep such files under /WEB-INF.
- Securing using web security constraints. Here is a sample for restricting your folders:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>precluded methods</web-resource-name>
            <url-pattern>/css/*</url-pattern>
            <url-pattern>/js/*</url-pattern>
            <url-pattern>/swf/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

- Most app servers support masking files or directories from the outside world. Please check their documentation.
Answered By - Ramesh PVK
Answer Checked By - Katrina (JavaFixing Volunteer)
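Under the servlet specification an empty <auth-constraint/> like the one above denies the listed URL patterns to every caller, whereas the question asks for access that depends on whether the current request carries a live session. That is a per-request decision, so as an added example (not code from the answer or from the asker's project) here is a servlet Filter that admits the static folders only when the request maps to an existing session and returns 403 otherwise. It assumes the javax.servlet API (Tomcat 9 and earlier; Tomcat 10+ uses the jakarta.servlet package), Servlet 3.0 or later for the annotation, and the /css, /js and /swf prefixes from the question; the class name is the example's own.

```java
// Added example: a servlet Filter that allows the static folders only to
// requests carrying a live session. Not from the original answer. Assumes the
// javax.servlet API (Tomcat 9 or earlier); on Tomcat 10+ the package is jakarta.servlet.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// URL patterns taken from the question's folder layout. The same mapping can be
// declared in web.xml with <filter> / <filter-mapping> instead of the annotation.
@WebFilter(urlPatterns = {"/css/*", "/js/*", "/swf/*"})
public class StaticContentSessionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: it returns null both when the
        // client sent no session cookie and when the referenced session has expired,
        // which is exactly the "outside his/her session" case in the question.
        HttpSession session = request.getSession(false);
        if (session == null) {
            // Deny without revealing whether the resource exists.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The response is now session-bound content: keep shared caches (proxies,
        // CDNs) from storing it and handing it to a later client without a session.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Two practical points: a session on its own only proves that the client has already received a JSESSIONID from some page that created one, so if the real requirement is "logged in" rather than "has a session", check the marker the application or Spring Security stores in the session instead of testing for null. And because the static files are still inside the web root, they remain ordinary container resources; the filter is what enforces the rule, so its mapping must cover every path under which the container will serve them.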