3

I'd like to know if anyone has a solution to access resources of a website through a servlet only. I have all my resources under WEB-INF. In other words, I don't want users to have direct access to any of my resources.

Improve this question

2 Answers 2

Reset to default
6

You can use ServletContext#getResource() for that.

URL resource = getServletContext().getResource("/WEB-INF/file.ext");
File file = new File(resource.getPath());
// ...

You can even use ServletContext#getResourceAsStream() to get an InputStream directly:

InputStream input = getServletContext().getResourceAsStream("/WEB-INF/file.ext");
// ...

As you can see in the examples, the ServletContext is available in servlets by the inherited GenericServlet#getServletContext() method.

That said, the phrase I don't want users to have direct access to any of my resources. is a bit contradicting. You're serving those resources by a servlet anyway? A servlet is directly accessible by URL. How is that different from "direct access"? Or do you just want to control the access based on some conditions? I'd say, a Filter is more suitable for this task.

Usually one would only fully hide the JSP files from direct access. In a Servlet which acts as front controller (according the MVC pattern) you could then forward requests to JSP files using RequestDispatcher#forward() which you in turn can obtain by ServletRequest#getRequestDispatcher().

request.getRequestDispatcher("/WEB-INF/page.jsp").forward(request, response);
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

I thought the original question was saying, "I don't want users to be able to view resources in their browser by typing in a direct URL". Putting your files you want to prevent "direct access" into WEB-INF and having the servlet get access to the resource sounds like "best practice" to me.
@WineSoaked: usually the concern is JSP files only, because you would like to hide the views in a fully MVC-controlled application. But for static resources like CSS/HTML/Images/JS? No. The problem is to be solved differently. It's only unclear how since the actual functional requirement is unclear as well.
You make a good point. But what if the servlet is generating the resources at runtime (not unheard of in my experience, even though I disagree with the practice)? If there are fragments of these CSS/HTML/JS/etc. that are processed through a servlet, that's a plausible use. If, however, you're just funneling the bytes from WEB-INF to the browser without doing anything, then the servlet is playing a proxy role, for which it is ill-suited.
0

You can hide jsp from the end user. In fact, you don't even have to deploy original jsp files with your web application, you can precompile them:
http://tomcat.apache.org/tomcat-5.5-doc/jasper-howto.html#Web%20Application%20Compilation

And the only way to hide html/js/css files is not to use them. Anything that's sent to the browser can be viewed there.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.