
Design issue: Viewing files in Web application and hide it from user based on securit

 
Ashraf Fouad
Ranch Hand
Posts: 80
Dears,
I wanna ask a question about how to design a web application in Java that has links to dynamically loaded files. These files are loaded from admin screens in the application. The target of these uploaded files is to be viewed by users based on their rights ==> so I can't put all the uploaded files in a directory on the web application path so that any user can try the URL and get what he wants.
What I want to do is how to make these documents secured based on users and my application-specific security schema?

Also, if this web application is hosted in a clustered environment, how can I put the files on two application servers?
Thanks and best regards
 
brad balmer
Ranch Hand
Posts: 57
For the first part of your question, how does the user log into your application? Have you implemented any authentication? If so, have you looked into any sort of container-managed security using roles?
Therefore you can assign different roles to a username and in your .jsp/servlet use the isUserInRole(X) to see if they have security to do something.
As for the clustered environment, if the files never change I guess you could copy all the files from one server to the next. Otherwise, you could store all the files in one central location and map a drive to that location so that all servers in the cluster would look at the same location through the same location name.
Just a thought.
 
Jaap van Hengstum
Greenhorn
Posts: 24
What I usually do, is store the files outside of the webroot and use a servlet to read the file and present it to the user if the user has the necessary rights. These rights can be stored, f.e. in a database, together with the filename and other information about the uploaded document. Because the files are stored outside of the webroot, they cannot be requested by typing in the url in the browser.
The code in the servlet that requests the file could look something like this (I simplified it a bit, but you should get the point):

It uses a content-disposition header so that most browsers will allow the user to open the file or save it to disk (you can also use content-disposition 'inline' to open the file in the browser). Make sure the fileName is formatted properly, or a creative user will be able to download any file on the system.
[ March 10, 2004: Message edited by: Jaap van Hengstum ]
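
An added example (not code from any poster in this thread) of the approach described above: a servlet that serves files stored outside the webroot, checks the user's rights first, and confines the requested name to the storage directory. The storage path, the `file` request parameter, the `document-reader` role and the `mayRead` helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import javax.servlet.http.*;

public class DocumentServlet extends HttpServlet {
    // Assumption: uploads live in this directory, outside the webroot.
    private static final Path STORE =
            Paths.get("/var/app-data/documents").toAbsolutePath().normalize();

    /** Resolves fileName inside STORE, or returns null if it would escape it. */
    static Path resolveInsideStore(String fileName) {
        if (fileName == null || fileName.isEmpty()) return null;
        try {
            Path candidate = STORE.resolve(fileName).normalize();
            // "../" sequences and absolute paths end up outside STORE here.
            boolean inside = candidate.startsWith(STORE) && !candidate.equals(STORE);
            return inside ? candidate : null;
        } catch (InvalidPathException e) {   // e.g. embedded NUL character
            return null;
        }
    }

    /** Hypothetical rights check; replace with the per-user, per-file lookup. */
    private boolean mayRead(HttpServletRequest req, Path file) {
        return req.getRemoteUser() != null && req.isUserInRole("document-reader");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Path file = resolveInsideStore(req.getParameter("file"));
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!mayRead(req, file)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // NOFOLLOW_LINKS: a symlink as the final path component is not served.
        if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Keep only safe characters so the name cannot break the header.
        String safeName = file.getFileName().toString().replaceAll("[^A-Za-z0-9._-]", "_");
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        Files.copy(file, resp.getOutputStream());
    }
}
```

In a cluster, `STORE` would point at the shared location every node mounts under the same name, as suggested earlier in the thread.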
 