Tomcat – Apache Tomcat directory access, restricted and accessible only by web application

.htaccessapache-2.2tomcat

I have a Grails app. I want to move out all the images users upload to a directory outside of my web-app directory, somewhere else on the disk. Then I want to allow my application to serve them on pages but users can't access the directory. I know one way if to use an ImageController that reads the image and streams it to the view, but that has some trades-off such as caching. I was wondering if there is a way to allow apache to serve images from a local directory outside the web-app and restrict it to the app only.

Best Answer

I tried this, and it worked. But It also allows the client to access it since it only maps it. But again I appreciate if anyone can elaborate more and offer another solution that provides more control over how web app and users can access this area.

basically added this in Tomcat /conf/server.xml inside <Host> tag:

<Context docBase="/path/to/images" path="/images" />

Found out that someone answered something like what I needed here : Simplest way to serve static data

Related Solutions

Web-server – Media server and Web server — same IP address, how to set this up

This is done regularly. We have dozens of websites all running on the one IP address, and it's not uncommon to run hundreds. Your web server will inspect the hosts header of the request and serve appropriately.

There are two methods to implement this, and they're both the same, but for different web servers. You did not specify which one you used, so here's the three most common:

IIS 5/6

Right-click on your website and go to Properties. Next to "IP Address" (on the Web Site tab), click Advanced. You will see an entry in there for Port 80, with no Host Header Name. Delete this entry.

Click Add, and under TCP Port leave it at 80 (or 443 for SSL), and under Host Header Name enter the name of the website (for example, mediaserver.mysite.com - although example.com is a reserved name exactly for this purpose but never mind). Click OK, and OK to the next screen And you're done. You can now access that website through mediaserver.mysite.com (and only through that, it won't listen on the IP alone any more).

IIS 7

Same as IIS 5/6 except instead of right-clicking the website, you just select it and on the right-hand side menu choose "Bindings"

Apache

I don't configure apache very often, so my memory is very fuzzy, but you use the name-based VirtualHost directive in your httpd.conf. From the apache example documentation:

NameVirtualHost *

<VirtualHost *>
ServerName www.domain.tld
DocumentRoot /www/domain
</VirtualHost>

(I recommend reading the rest of that documentation page if you are using Apache).

Security – Protected Apache web sub-directory asks for password twice

The problem turned out to be the different AuthName value for the two directories. I thought that its sole purpose is to provide a meaningful prompt to the user. Having read the documentation again, it turns out it has another purpose: the browser will automatically try the same credentials for directories with the same AuthName.

So what was happening in my case was that after having authenticated to /stuff/admin the browser would request /stuff/something-else, it would get a "401 Unauthorized" response, but it wouldn't even try the same credentials. After I changed the AuthName to be the same it automatically responded to the 401 by retrying with the "admin" username that I previously authenticated with, which worked.

Best Answer

Related Solutions

Web-server – Media server and Web server — same IP address, how to set this up

Security – Protected Apache web sub-directory asks for password twice

Related Topic