my dog learned polymorphism*
The moose likes Servlets and the fly likes Downloads through servlets,only after authorization ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Downloads through servlets,only after authorization ?" Watch "Downloads through servlets,only after authorization ?" New topic
Author

Downloads through servlets,only after authorization ?

Gagan Indus
Ranch Hand

Joined: Feb 28, 2001
Posts: 346
Hi
Consider following problem :
- We have some files in doc/html/pdf format to be downloaded by user.
- Only registered user should have access to these.
- A authentication servlet , takes username & password , and after verifying these , saves a Boolean-object in http-session as 'RightToDownload' with value true.
Now is there any foolproof-way , by which a servlet could be written , which will allow download only if Boolean-object in session is True ?
( like , user can always access files by static URL say www.sample.com/docs/file.pdf . How to avoid this . Do the servlet need to generate these downloadable-docs at runtime? or any other way possible)
plz help .

------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .


Gagan (/^_^\) SCJP2 SCWCD IBM486 <br />Die-hard JavaMonk -- little Java a day, keeps you going.<br /><a href="http://www.objectfirst.com/blog" target="_blank" rel="nofollow">My Blog</a>
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
If you can use servlet security, then that's the nicest ways to go about it. When a user has been authenticated, (s)he is represented by a Principal (HttpServletRequest.getUserPrincipal()) which can be in one or more roles (HttpServletRequest.isUserInRole()). You can use the declarative security settings in web.xml to limit access to your download URLs to those users who are in the "DOWNLOADER" role.
So far, so good. But there's a catch - I bet you saw it coming Sun IMHO left too much of the security implementation to the container vendor. If you want to, say, programatically add users to the system, you have to use container-specific API; the servlet spec doesn't have any.
The alternative is the DIY method. Let's say that a request comes in for "/downloads/docs/secret.pdf". One way to implement it would be:
  • Put secret.pdf in a path that is inaccessible through server - (a) /WEB-INF/downloads or (b) a "normal" path such as "/downloads" protected by security constraints as mentioned above. If your downloads change frequently, (c) store it in a database, or (d) some safe place on the filesystem outside the server directories. Remember, some application servers can work straight from a WAR or store the WAR in a database, and you may not want to redeploy every time you add a new download.
  • Map a download servlet to "/downloads/*".
  • This download servlet uses HttpServletRequest.getPathInfo() to get the extra path information in the request, in this case "/docs/secret.pdf".
  • It then checks the user privileges to see if the given download can be accessed.
  • (a,b) Prepend the location of the downloads directory, say "/WEB-INF/downloads", to give "/WEB-INF/downloads/docs/secret.pdf". (c) If you use a database you can use the extra path information to locate the download in a table; (d) if you use the filesystem you can simply prepend a filesystem path.
  • (a,b) Get a URL for the pdf using ServletContext.getResource() (typically, this is a file:// URL, but it does not have to be), open the URL and serve up the result. (c) If you're using a database to store the downloads you'd probably be using JDBC at this step; (d) if you're using the filesystem you can simply open a FileInputStream.
  • HTH
    - Peter
Gagan Indus
Ranch Hand

Joined: Feb 28, 2001
Posts: 346
Thankxxxxxxxxxx Peter
You are loads-of-help always ! , gr8ty
DIY method given by you seems very practical to me.
Just to complicate things a bit more ,
- The files to be downloaded are on ENTIRELY different server , which do NOT have any cgi/exec/servlet support , just a static backup sort of server , but it is online.
- Our servlets are running on totally different server.
- So this complicates our things a little , if we keep these files in one piece on this backup-server , someone can find static URL for files .
- To avoid this , if we keep files in say 2/more pieces , and then join these pieces at runtime ( our servlet will do this pasting-the-pieces job ) , and serve the full file at runtime.
( We can not keep downloadable files in Hidden-folder ( hidden , in the sense that , not-visible through web-server ) , because than even our servlets wont be able to access downloadable-files )
Wot u say about above clumsy-looking idea?
Or should we better buy a server with lots-of-space for dowanloadable-stuff , and also support servlets , and then apply your DIY method ?

------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Downloads through servlets,only after authorization ?
 
Similar Threads
Bean values won't change on form submit
Downloads through servlets,only after authorization ?
Security issues with file download servlets?
Can servlets in individual contexts have access to the same session object?
Login and redirect