diff --git a/uberfire-server/src/main/java/org/uberfire/server/BaseFilteredServlet.java b/uberfire-server/src/main/java/org/uberfire/server/BaseFilteredServlet.java
@@ -0,0 +1,66 @@
+package org.uberfire.server;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.uberfire.io.regex.AntPathMatcher;
+import org.uberfire.java.nio.file.Path;
+
+import static javax.servlet.http.HttpServletResponse.*;
+
+public abstract class BaseFilteredServlet extends HttpServlet {
+
+    private static final Logger logger = LoggerFactory.getLogger( BaseFilteredServlet.class );
+
+    protected Collection<String> includes = new ArrayList<String>();
+    protected Collection<String> excludes = new ArrayList<String>();
+
+    @Override
+    public void init( final ServletConfig config ) throws ServletException {
+        final String _includes = config.getInitParameter( "includes-path" );
+        if ( _includes != null && !_includes.trim().isEmpty() ) {
+            includes.addAll( Arrays.asList( _includes.split( "," ) ) );
+        }
+        final String _excludes = config.getInitParameter( "excludes-path" );
+        if ( _excludes != null && !_excludes.trim().isEmpty() ) {
+            excludes.addAll( Arrays.asList( _excludes.split( "," ) ) );
+        }
+    }
+
+    protected boolean validateAccess( final URI uri,
+                                      final HttpServletResponse response ) {
+        if ( !AntPathMatcher.filter( includes, excludes, uri ) ) {
+            logger.error( "Invalid credentials to path." );
+            try {
+                response.sendError( SC_FORBIDDEN );
+            } catch ( Exception ex ) {
+                logger.error( ex.getMessage() );
+            }
+            return false;
+        }
+        return true;
+    }
+
+    protected boolean validateAccess( final Path path,
+                                      final HttpServletResponse response ) {
+        if ( !AntPathMatcher.filter( includes, excludes, path ) ) {
+            logger.error( "Invalid credentials to path." );
+            try {
+                response.sendError( SC_FORBIDDEN );
+            } catch ( Exception ex ) {
+                logger.error( ex.getMessage() );
+            }
+            return false;
+        }
+        return true;
+    }
+
+}
diff --git a/uberfire-server/src/main/java/org/uberfire/server/FileDownloadServlet.java b/uberfire-server/src/main/java/org/uberfire/server/FileDownloadServlet.java
@@ -2,11 +2,9 @@
 
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -15,37 +13,46 @@
 import org.uberfire.io.IOService;
 import org.uberfire.java.nio.file.Path;
 
+import static java.lang.String.*;
+
 public class FileDownloadServlet
-        extends HttpServlet {
+        extends BaseFilteredServlet {
 
-    private static final Logger logger = LoggerFactory.getLogger(FileDownloadServlet.class);
+    private static final Logger logger = LoggerFactory.getLogger( FileDownloadServlet.class );
 
     @Inject
     @Named("ioStrategy")
     private IOService ioService;
 
     @Override
-    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+    protected void doGet( HttpServletRequest request,
+                          HttpServletResponse response )
             throws ServletException, IOException {
 
         try {
 
-            Path path = ioService.get(new URI(request.getParameter("path")));
+            final URI uri = new URI( request.getParameter( "path" ) );
+
+            if ( !validateAccess( uri, response ) ) {
+                return;
+            }
+
+            final Path path = ioService.get( uri );
 
-            byte[] bytes = ioService.readAllBytes(path);
+            byte[] bytes = ioService.readAllBytes( path );
 
-            response.setHeader("Content-Disposition",
-                    String.format("attachment; filename=%s;", path.getFileName().toString()));
+            response.setHeader( "Content-Disposition",
+                                format( "attachment; filename=%s;", path.getFileName().toString() ) );
 
-            response.setContentType("application/octet-stream");
+            response.setContentType( "application/octet-stream" );
 
             response.getOutputStream().write(
                     bytes,
                     0,
-                    bytes.length);
+                    bytes.length );
 
-        } catch (URISyntaxException e) {
-            logger.error("Failed to download a file.", e);
+        } catch ( final Exception e ) {
+            logger.error( "Failed to download a file.", e );
         }
 
     }

diff --git a/uberfire-server/src/main/java/org/uberfire/server/FileUploadServlet.java b/uberfire-server/src/main/java/org/uberfire/server/FileUploadServlet.java
@@ -7,7 +7,6 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -23,73 +22,90 @@
 import org.uberfire.java.nio.file.Path;
 
 public class FileUploadServlet
-        extends HttpServlet {
+        extends BaseFilteredServlet {
 
-    private static final Logger logger = LoggerFactory.getLogger(FileUploadServlet.class);
+    private static final Logger logger = LoggerFactory.getLogger( FileUploadServlet.class );
 
     @Inject
     @Named("ioStrategy")
     private IOService ioService;
 
     @Override
-    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+    protected void doPost( HttpServletRequest request,
+                           HttpServletResponse response ) throws ServletException, IOException {
 
         try {
-            if (request.getParameter("path") != null) {
-                writeFile(ioService.get(new URI(request.getParameter("path"))), getFileItem(request));
+            if ( request.getParameter( "path" ) != null ) {
+
+                final URI uri = new URI( request.getParameter( "path" ) );
+
+                if ( !validateAccess( uri, response ) ) {
+                    return;
+                }
+
+                writeFile( ioService.get( uri ), getFileItem( request ) );
+
+                writeResponse( response, "OK" );
+            } else if ( request.getParameter( "folder" ) != null ) {
+
+                final URI uri = new URI( request.getParameter( "folder" ) + "/" + request.getParameter( "fileName" ) );
+
+                if ( !validateAccess( uri, response ) ) {
+                    return;
+                }
 
-                writeResponse(response, "OK");
-            } else if (request.getParameter("folder") != null) {
                 writeFile(
-                        ioService.get(new URI(request.getParameter("folder") + "/" + request.getParameter("fileName"))),
-                        getFileItem(request));
+                        ioService.get( uri ),
+                        getFileItem( request ) );
 
-                writeResponse(response, "OK");
+                writeResponse( response, "OK" );
             }
 
-        } catch (FileUploadException e) {
-            logError(e);
-            writeResponse(response, "FAIL");
-        } catch (URISyntaxException e) {
-            logError(e);
-            writeResponse(response, "FAIL");
+        } catch ( FileUploadException e ) {
+            logError( e );
+            writeResponse( response, "FAIL" );
+        } catch ( URISyntaxException e ) {
+            logError( e );
+            writeResponse( response, "FAIL" );
         }
     }
 
-    private FileItem getFileItem(HttpServletRequest request) throws FileUploadException {
-        Iterator iterator = getServletFileUpload().parseRequest(request).iterator();
-        while (iterator.hasNext()) {
+    private FileItem getFileItem( HttpServletRequest request ) throws FileUploadException {
+        Iterator iterator = getServletFileUpload().parseRequest( request ).iterator();
+        while ( iterator.hasNext() ) {
             FileItem item = (FileItem) iterator.next();
-            if (!item.isFormField()) {
+            if ( !item.isFormField() ) {
                 return item;
             }
         }
         return null;
     }
 
-    private void writeResponse(HttpServletResponse response, String ok) throws IOException {
-        response.setContentType("text/html");
-        response.getWriter().write(ok);
+    private void writeResponse( HttpServletResponse response,
+                                String ok ) throws IOException {
+        response.setContentType( "text/html" );
+        response.getWriter().write( ok );
     }
 
     private ServletFileUpload getServletFileUpload() {
         FileItemFactory factory = new DiskFileItemFactory();
-        ServletFileUpload upload = new ServletFileUpload(factory);
-        upload.setHeaderEncoding("UTF-8");
+        ServletFileUpload upload = new ServletFileUpload( factory );
+        upload.setHeaderEncoding( "UTF-8" );
         return upload;
     }
 
-    private void writeFile(Path path, FileItem uploadedItem) throws IOException {
-        if (!ioService.exists(path)) {
-            ioService.createFile(path);
+    private void writeFile( Path path,
+                            FileItem uploadedItem ) throws IOException {
+        if ( !ioService.exists( path ) ) {
+            ioService.createFile( path );
         }
 
-        ioService.write(path, IOUtils.toByteArray(uploadedItem.getInputStream()));
+        ioService.write( path, IOUtils.toByteArray( uploadedItem.getInputStream() ) );
 
         uploadedItem.getInputStream().close();
     }
 
-    private void logError(Throwable e) {
-        logger.error("Failed to upload a file.", e);
+    private void logError( Throwable e ) {
+        logger.error( "Failed to upload a file.", e );
     }
 }