How can Tomcat restrict access to a file in Apache?

I am using an Apache HTTP server as a reverse proxy in front of Tomcat.
I want to restrict access to some files that are located in Apache.
Authorization needs to be done in Tomcat.
I can think of two different ways this could happen.
1:
A client sends a request for a file to Apache and Apache could ask Tomcat for authorization.
If Tomcat gives the ok, then Apache should send the file in the response.
Otherwise a 403 Forbidden HTTP status code is sent to client.
2:
A client sends a request for a file to Tomcat. If the client is authorized,
then Tomcat would ask Apache to send the file. Otherwise a 403 Forbidden HTTP status code is sent to client.

How do I accomplish one or the other?  

In my httpd.conf I have the following
ProxyRequests off
ProxyPreserveHost On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /images !
ProxyPass / http://localhost:8080/
ProxyPassReverse /  http://localhost:8080/
<Location / >
    Order allow,deny
    Allow from all
</Location>   


The files are in the images directory (a subdirectory of Apache's document root).
Tomcat is listening on port 8080.
rrz Asked:

gheist Commented:
You make public open proxy with Proxy * + Allow all
Basic denial:


<Location /images/pr0n.gif>
 ProxyPass !
 Order deny,allow
 Deny from all
</Location>
rrz (Author) Commented:
gheist, please explain your suggestion. I can't understand what you are telling me to do.
The website is password protected. Anyone that browses to the welcome page must sign in with his id and password.
There will be many files and they will be uploaded from clients. So, listing them all is not possible.
If I did use a location tag as you posted for the directory, how would the files be served? Wouldn't "Deny all" prevent the files from being served? What does "ProxyPass !" do?
gheist Commented:
Read the documentation.
ProxyPass allows forward proxy (not reverse proxy)

You need to program such denial into your web application. Apache has no clue what could eventually get uploaded.

rrz (Author) Commented:
I have read the documentation. But, I don't understand a lot of it.
I am trying to understand your comments.
"You need to program such denial into your web application."
Yes, Tomcat knows who is authorized to view files. But, how can I get the Apache HTTP server to give access only to those clients that Tomcat authorizes? Each file needs to be accessible by a different subset of the members (clients) of the site.
gheist Commented:
You are floating off initial question. You got an example how to deny access to a single file.
Does it work?
In what format is the tomcat user and session database? It must be something apache authentication modules understand.
rrz (Author) Commented:
"You are floating off initial question."

My initial question is
How can Tomcat restrict access to a file in Apache?
That is what I am asking.
"You got an example how to deny access to a single file. Does it work?"
Your example shows how Apache can restrict access to a file. I need to have Tomcat decide who can access the file. Tomcat must tell Apache who is authorized.
"In what format is the tomcat user and session database?"
What format are you talking about? My database is MySQL that is where Tomcat gets the data for authorization.
"It must be something apache authentication modules"
What modules are you talking about?
gheist Commented:
So you need to implement access restriction in TOMCAT. There is nothing apache can help you.
rrz (Author) Commented:
"So you need to implement access restriction in TOMCAT. There is nothing apache can help you."
I have implemented access restriction in Tomcat.
Afterwards can the request be forwarded to Apache?
I know I can send a simple redirect to client, but that would mean that the file could be accessed without authorization and the clients could simply browse to the file without asking Tomcat.
For a redirection to work for me, Apache would have to require a token or something that was created by Tomcat before the redirection.
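
The token idea from the comment above, sketched as an added example (not code from the thread): Tomcat issues an expiring HMAC-signed URL after its own authorization check, and whatever serves the file recomputes the MAC before responding. The class name, key, paths and parameter names are constructed, and it assumes the file-serving tier can run the verify step.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SignedImageUrl {
    // Constructed demo key; a real deployment uses a random secret known
    // only to Tomcat and to the tier that serves the files.
    private static final byte[] KEY =
        "constructed-demo-key-change-me".getBytes(StandardCharsets.UTF_8);

    // MAC over the exact path plus the expiry, so neither can be altered.
    static byte[] hmac(String path, long expires) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal((path + "\n" + expires).getBytes(StandardCharsets.UTF_8));
    }

    // Tomcat side: call only after the application has authorized this user for this file.
    static String issue(String path, long nowSec, long ttlSec) throws Exception {
        long expires = nowSec + ttlSec;
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(path, expires));
        return path + "?expires=" + expires + "&sig=" + sig;
    }

    // File-serving side: deny on expiry, malformed input, or MAC mismatch.
    static boolean verify(String path, String expiresParam, String sigParam, long nowSec) {
        try {
            long expires = Long.parseLong(expiresParam);
            if (expires < nowSec) return false;
            byte[] given = Base64.getUrlDecoder().decode(sigParam);
            return MessageDigest.isEqual(given, hmac(path, expires)); // constant-time compare
        } catch (Exception e) {
            return false; // bad number or bad base64 is treated as unauthorized
        }
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L; // constructed timestamp
        String url = issue("/images/u42/photo.png", now, 60);
        String[] q = url.substring(url.indexOf('?') + 1).split("&");
        String exp = q[0].split("=")[1], sig = q[1].split("=")[1];
        System.out.println(url);
        System.out.println(verify("/images/u42/photo.png", exp, sig, now + 30));  // same file, within TTL
        System.out.println(verify("/images/u43/other.png", exp, sig, now + 30));  // token reused on another file
        System.out.println(verify("/images/u42/photo.png", exp, sig, now + 120)); // after expiry
    }
}
```

The signature has to be checked against the canonical path that is actually served, and the URL works for anyone who holds it until it expires, so the lifetime should be short.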
gheist Commented:
Apache handles requests first and forwards them to tomcat?
Why do you need apache at all? Do you have cluster of tomcat or what?
rrz (Author) Commented:
"Apache handles requests first and forwards them to tomcat?"
We are using Apache as a reverse proxy.
"Why do you need apache at all?"
We are placing all image files in Apache's document root for performance reasons. We are also going to use Apache as a balancer for multiple Tomcat instances.
gheist Commented:
There is no performance improvement with apache over tomcat native in 1:1 scenario. With 2:2 it is worth measuring for consideration.

That boils down to tomcat application making extra MySQL table in the form that apache auth_mysql understands.
rrz (Author) Commented:
Wouldn't mod_auth_mysql require that users enter their name and password into a authorization dialog box in order to access a file?
Users will be already logged in when they entered the website. I don't want to ask them for their password again to see each file.
gheist Commented:
So serve them from Tomcat as there is no performance damage whatsoever.

rrz (Author) Commented:
Ok, thanks for your time. I guess we will stream the image files through Tomcat.
gheist Commented:
Probably you need to use PHP or something that efficient to make your own CDN out of apache or NGINX.