Design issue: Viewing files in Web application and hide it from user based on securit

Ashraf Fouad
Ranch Hand

Joined: Oct 07, 2001
Posts: 80
Dears,
I want to ask a question about how to design a web application in Java that has links to dynamically loaded files. These files are loaded from admin screens in the application. The target of these uploaded files is to be viewed by users based on their rights ==> so I can't put all the uploaded files in a directory on the web application path, where any user can try the URL and get what he wants.
What I want to know is how to make these documents secured based on users and my application-specific security schema?

Also, if this web application is hosted in a clustered environment, how can I put the files on two application servers?
Thanks and best regards


Ashraf Fouad
SCJP 1.2, SCBCD 5
brad balmer
Ranch Hand

Joined: Mar 08, 2004
Posts: 57
For the first part of your question, how does the user log into your application? Have you implemented any authentication? If so, have you looked into any sort of container-managed security using roles?
Therefore you can assign different roles to a username and in your .jsp/servlet use the isUserInRole(X) to see if they have security to do something.
As for the clustered environment, if the files never change I guess you could copy all the files from one server to the next. Otherwise, you could store all the files in one central location and map a drive to that location so that all servers in the cluster would look at the same location through the same location name.
Just a thought.
Jaap van Hengstum
Greenhorn

Joined: Jul 24, 2003
Posts: 24
What I usually do is store the files outside of the webroot and use a servlet to read the file and present it to the user if the user has the necessary rights. These rights can be stored, e.g. in a database, together with the filename and other information about the uploaded document. Because the files are stored outside of the webroot, they cannot be requested by typing in the URL in the browser.
The code in the servlet that requests the file could look something like this (I simplified it a bit, but you should get the point):

It uses a content-disposition header so that most browsers will allow the user to open the file or save it to disk (you can also use content-disposition 'inline' to open the file in the browser). Make sure the fileName is formatted properly, or a creative user will be able to download any file on the system.
[ March 10, 2004: Message edited by: Jaap van Hengstum ]
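
The approach described in the replies above, as an added example that is not part of the original thread or any poster's own code: a servlet that serves files from outside the webroot, checks the caller's role with `isUserInRole`, and validates the file name before building a path from it. It assumes the `javax.servlet` API and container-managed authentication; the class name, the `file` parameter, the storage path, and the rights table are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DocumentServlet extends HttpServlet {
    // Placeholder directory outside the webroot; never reachable by a direct URL.
    private static final Path STORE = Paths.get("/srv/app-documents").toAbsolutePath().normalize();
    // Constructed sample rights table (file name -> required role); a real one would be in a database.
    private static final Map<String, String> REQUIRED_ROLE =
            Map.of("q1-report.pdf", "finance", "handbook.pdf", "employee");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String name = req.getParameter("file");
        // Allow-list the name: no separators, no leading dot, no quotes or control characters.
        if (name == null || !name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,127}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Authorise before touching the disk; unknown and forbidden names get the same answer.
        String role = REQUIRED_ROLE.get(name);
        if (role == null || !req.isUserInRole(role)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Defence in depth: the resolved path must stay inside STORE and must not be a symlink.
        Path file = STORE.resolve(name).normalize();
        if (!file.startsWith(STORE) || !Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // Safe to embed: the allow-list above excludes quotes and CR/LF.
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        Files.copy(file, resp.getOutputStream());
    }
}
```

In a cluster, `STORE` would point at the shared location every node mounts under the same name, so the check behaves identically on each server.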
 