
How to deny direct url access to files on Jetty

I'm running webapps on Jetty. I have set "dirAllowed" to "false" to disable the directory browsing on the defined contextpath by webAppContext.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false").

But, users can still access other files (not located on the contextpath) through url (eg. http://somehost.yahoo.com:8081/abc.xml ) and abc.xml is located under the root directory of the Jetty server.

Is there a way to block/deny direct url access to files located on Jetty? Thanks!

Not without adding some functionality to your webapp, there isn't. A Java Webapp is essentially a standardized directory structure beginning at the context root (myWebApp in the sample below).

myWebApp/
    index.jsp
    styles/
        mywebapp.css
    images/
        myimage.png
    WEB-INF/
        web.xml
        lib/
            MyLib.jar
        classes/
            MyPackage/
                MyServlet.class

Anything above WEB-INF is directly serve-able, anything below WEB-INF isn't. You could dream up some authorization scheme using Servlet Filters ( http://www.oracle.com/technetwork/java/filters-137243.html ) and restrict access to content above WEB-INF. Alternatively, if Authentication/Authorization is what you are after, look into Http Authorization and how it can be implemented in Jetty ( http://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html ). One way or another, you are going to be doing some coding or configuration to restrict access to the content above WEB-INF in a Java webapp.
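
One way to implement the Servlet Filter approach mentioned in the answer above, as an added example that is not part of the original answer: a default-deny filter that serves only allowlisted paths and returns 404 for everything else above WEB-INF. The class name and the allowlist are hypothetical (the paths are taken from the sample tree), and the `javax.servlet` namespace is an assumption that fits Jetty 9/10; Jetty 11+ uses `jakarta.servlet`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical default-deny filter: a request is passed on only if its path
// is explicitly allowlisted; any other file in the context root gets a 404.
public class StaticAllowlistFilter implements Filter {

    // Assumed layout, based on the sample myWebApp tree.
    private static final List<String> ALLOWED_EXACT = Arrays.asList("/", "/index.jsp");
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList("/styles/", "/images/");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path; the container has already URL-decoded it.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isAllowed(path)) {
            chain.doFilter(req, res);
        } else {
            // 404 rather than 403, so the response does not confirm the file exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    static boolean isAllowed(String path) {
        if (path.contains("..")) {
            return false; // reject traversal segments outright
        }
        if (ALLOWED_EXACT.contains(path)) {
            return true;
        }
        return ALLOWED_PREFIXES.stream().anyMatch(path::startsWith);
    }

    @Override
    public void destroy() { }
}
```

With the embedded setup from the question, the filter can be registered with `webAppContext.addFilter(StaticAllowlistFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST))`. A request for `/abc.xml` then matches no allowlist entry and receives a 404.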
