rrz asked:

How can Tomcat restrict access to a file in Apache?

I am using an Apache HTTP server as a reverse proxy in front of Tomcat.
I want to restrict access to some files that are located in Apache.
Authorization needs to be done in Tomcat.
I can think of two different ways this could happen.
1:
A client sends a request for a file to Apache and Apache could ask Tomcat for authorization.
If Tomcat gives the ok, then Apache should send the file in the response.
Otherwise a 403 Forbidden HTTP status code is sent to client.
2:
A client sends a request for a file to Tomcat. If the client is authorized,
then Tomcat would ask Apache to send the file. Otherwise a 403 Forbidden HTTP status code is sent to client.

How do I accomplish one or the other?  

In my httpd.conf I have the following
ProxyRequests off
ProxyPreserveHost On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /images !
ProxyPass / http://localhost:8080/
ProxyPassReverse /  http://localhost:8080/
<Location / >
    Order allow,deny
    Allow from all
</Location>   


The files are in the images directory (a subdirectory of Apache's document root).
Tomcat is listening on port 8080.
gheist

You make public open proxy with Proxy * + Allow all
Basic denial:


<Location /images/pr0n.gif>
 ProxyPass !
 Order deny,allow
 Deny from all
</Location>
rrz (ASKER)

gheist, please explain your suggestion. I can't understand what you are telling me to do.
The website is password protected. Anyone that browses to the welcome page must sign in with his id and password.
There will be many files and they will be uploaded from clients. So, listing them all is not possible.
If I did use a location tag as you posted for the directory, how would the files be served? Wouldn't "Deny all" prevent the files from being served? What does "ProxyPass !" do?
Read the documentation.
ProxyPass allows forward proxy (not reverse proxy)

You need to program such denial into your web application. Apache has no clue what could eventually get uploaded.
rrz (ASKER)

I have read the documentation. But, I don't understand a lot of it.
I am trying to understand your comments.
You need to program such denial into your web application.
Yes, Tomcat knows who is authorized to view files. But, how can I get the Apache HTTP server to give access only to those clients that Tomcat authorizes? Each file needs to be accessible by a different subset of the members (clients) of the site.
You are floating off initial question. You got an example how to deny access to a single file.
Does it work?
In what format is the tomcat user and session database? It must be something apache authentication modules understand.
rrz (ASKER)

You are floating off initial question.

My initial question is
How can Tomcat restrict access to a file in Apache?
That is what I am asking.
You got an example how to deny access to a single file.  Does it work?
Your example shows how Apache can restrict access to a file. I need to have Tomcat decide who can access the file. Tomcat must tell Apache who is authorized.
In what format is the tomcat user and session database?
What format are you talking about? My database is MySQL; that is where Tomcat gets the data for authorization.
It must be something apache authentication modules
What modules are you talking about?
So you need to implement access restriction in TOMCAT. There is nothing apache can help you.
rrz (ASKER)

So you need to implement access restriction in TOMCAT. There is nothing apache can help you.
I have implemented access restriction in Tomcat.
Afterwards can the request be forwarded to Apache?
I know I can send a simple redirect to client, but that would mean that the file could be accessed without authorization and the clients could simply browse to the file without asking Tomcat.
For a redirection to work for me, Apache would have to require a token or something that was created by Tomcat before the redirection.
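
The token idea raised in the post above, as an added example that is not part of the original thread: the application issues a short-lived HMAC-signed URL after its own authorization check, and whatever serves the static files verifies it before answering. Python is used for illustration; `SECRET`, `issue_url`, `check_request` and the `u`/`e`/`t` query parameters are assumptions, and how the check is wired in front of Apache's files is not shown.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: known to issuer and verifier only


def _mac(user, path, expires):
    # A JSON list keeps the three signed fields unambiguous.
    msg = json.dumps([user, path, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(user, path, ttl=60, now=None):
    """Application side: call only after the app's own authorization passed."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"u": user, "e": expires, "t": _mac(user, path, expires)})
    return f"{path}?{query}"


def check_request(url, now=None):
    """File-server side: 200 if the token matches this exact path, else 403."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, expires, token = q["u"][0], int(q["e"][0]), q["t"][0]
    except (KeyError, ValueError):
        return 403  # direct browsing: parameters missing or malformed
    expected = _mac(user, parts.path, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 403  # forged token, edited expiry, or token issued for another file
    if now > expires:
        return 403  # genuine token, but past its lifetime
    return 200


if __name__ == "__main__":
    link = issue_url("alice", "/images/report.png", ttl=60, now=1000)  # constructed values
    print(link, check_request(link, now=1030))
```

Because the path and expiry are inside the signed message, a link handed to one user for one file cannot be reused for a different file or extended past its lifetime.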
Apache handles requests first and forwards them to tomcat?
Why do you need apache at all? Do you have cluster of tomcat or what?
rrz (ASKER)

Apache handles requests first and forwards them to tomcat?
We are using Apache as a reverse proxy.
Why do you need apache at all?
We are placing all image files in Apache's document root for performance reasons. We are also going to use Apache as a balancer for multiple Tomcat instances.
There is no performance improvement with apache over tomcat native in 1:1 scenario. With 2:2 it is worth measuring for consideration.

That boils down to tomcat application making extra MySQL table in the form that apache auth_mysql understands.
rrz (ASKER)

Wouldn't mod_auth_mysql require that users enter their name and password into an authorization dialog box in order to access a file?
Users will be already logged in when they entered the website. I don't want to ask them for their password again to see each file.
gheist (ASKER CERTIFIED SOLUTION)

rrz (ASKER)

Ok, thanks for your time. I guess we will stream the image files through Tomcat.
Probably you need to use PHP or something that efficient to make your own CDN out of Apache or NGINX.