I have an application which uploads files via a web form, and stores information about the files (size, path info etc.) in a db2 table, and then writes the files to a directory in the file system. Users can download these files via links displayed in a jsp. My problem is how to limit access to the files to only the correct group of users, since the files with technically lie outside the application in a different directory. There is no problem limiting access to the jsps which display the links, but there is nothing to stop a user (who has the right url) from accessing the files directly. Currently the application uses a .htaccess file and leaves it up to the web server to limit access to the files, but this approach is only good for one group of users. We need something more dynamic where different users will have access to different files. Any suggestions are appreciated!
Joined: Jan 29, 2003
Can you give the users NO access to the actual file directory and download the files through a servlet? That changes the files from static content to dynamic content. Then the servlet could check user roles or permissions against attributes in your file meta-data before downloading.
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Joined: Dec 14, 2004
Yes that might be a possibility. How would you go about downloading the files using a servlet?
Joined: Dec 29, 2004
I think you would set a value in the link and catch that in the doPost, doGet methods. You would then map that 'key' to that actual location, in the file system, of the file.