Protecting Static Content Served by Apache

I have a Tomcat server running RESTful Jersey services and I use Apache to host static content. Static content is mostly empty and content is populated through RESTful calls, but apart from the login page, I don't want anyone to be able to directly view other static pages. We have an authentication servlet that filters any requests for REST services, but I was wondering how best to handle static content. I would prefer not to use static content via Tomcat, if at all possible.

Edit: I should mention that only the login page should be accessible directly, without the need to filter, etc.

+3
1 answer

The first idea that comes to mind would be to set a cookie when the user authenticates and check it in Apache using mod_rewrite.

Not sure if this works for you though ...

Let me know if you need an example RewriteRule.

EDIT - example rule:

Assuming that the static content is in the directory /static/, the following should result in 401 Forbidden if the user is not logged in (as determined by the cookie authenticated=true):

RewriteEngine on

RewriteCond %{REQUEST_URI} ^\/static\/
RewriteCond %{HTTP_COOKIE} !authenticated=true
RewriteRule .* - [L,F]

I used this method to direct mobile traffic, but not to limit protected content, so I would recommend a thorough test.

Hope this helps.

+2
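
Added example, not part of the answer above: the RewriteCond only tests whether the raw Cookie header contains the text authenticated=true, and the browser controls that header, so the sketch below models that match on constructed headers and compares it with a cookie value the server signs. SECRET, issue_token, token_valid and the user|expiry|mac layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import time

# Same test the RewriteCond applies: an unanchored regex over the raw Cookie header.
RULE = re.compile(r"authenticated=true")
SECRET = b"constructed-demo-key"  # assumption: known only to the server side

def rule_allows(cookie_header):
    """True when `RewriteCond %{HTTP_COOKIE} !authenticated=true` does not block."""
    return RULE.search(cookie_header) is not None

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user, ttl=900, now=None):
    """Cookie value the login code would set instead of the literal 'true'."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{expires}"
    return f"{payload}|{_mac(payload)}"

def token_valid(cookie_header, now=None):
    """Find the cookie by exact name, then verify its MAC and expiry."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "authenticated":
            continue
        user, _, rest = value.partition("|")
        expires, _, mac = rest.partition("|")
        expected = _mac(f"{user}|{expires}")
        if (hmac.compare_digest(mac.encode(), expected.encode())
                and expires.isdigit() and int(expires) > now):
            return True
    return False

# Constructed Cookie headers, not captured traffic.
SAMPLES = [
    "JSESSIONID=abc; authenticated=true",  # set by the login flow
    "authenticated=true",                  # typed into any client by hand
    "theme=dark; unauthenticated=true",    # different cookie, same substring
    "theme=dark",                          # no cookie at all
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: rule={rule_allows(header)} signed={token_valid(header)}")
```

Only the last sample is blocked by the substring rule, while none of the four passes the signed check; a header carrying a value from issue_token passes until its expiry.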