We have a Java/Spring application that has a secure area that we allow users to download certain files, if their LDAP entry has the proper role(s). It seems to work just fine - EXCEPT - if you right click and copy the link to the file, then go to another browser session and paste the link into the browser address bar, you get the file download dialog box, as if you are logged in and have been checked for role assignment (even works from an entirely different PC). What is missing from this application that would allow an un-authenticated user to merely copy in a url to the file and be able to download it?
BTW - I am not a well versed Java programmer and have never used Spring. I have looked in the Spring in Action book, but many of the things in the security chapter are not in this particular application. I do see some filters and filter mappings in the web.xml (none are the file download directory), and I see some security: intercept-url in the security.xml - and those seem to have the directories in question and proper LDAP role(s) for access.
Can someone point me on a trouble-shooting methodology to track down this embarrasing failure in this application? Thanks.
Can you post the general directory structure of your app?
What is the filter mapping in the web.xml? It could be that the path of the downloads directory isn't covered by the filter mapping.
What are the intercept url entries in the security.xml? Again, the path of the downloads directory may not be covered, or it may fall under something like filters="none" and have security turned off.
Write once, run anywhere, because there's nowhere to hide! - /. A.C.
Joined: Apr 15, 2004
The files for download are located in webapp/dataDownloads/secure directory.
Security.xml has security:intercept-url entries for patterns of /dataDownloads/secure/xyz - where xyz is a subdirectory, with Active Directory roles allowing the link to be hidden if role is not assigned to that user. Example might be subdirectories of finance, admin, or maintenance. User would have to log in and have the admin role to see the links to the files for download in the admin subdirectory.
Web.xml has filter mappings for /data/* and /secure/* - but not /dataDownloads/*
Hope this helps. It looks to me like the dataDownloads directory is not included in the filter mappings at all.
I can still do a copy of the link and get to the file without the application forcing a login. I thought the filter mapping would make any request for a file in the /dataDownload directory go through the user login. Are there other parts to the Spring security framework that have to be redone or completed to get this to work properly? The change to the web.xml file is the only thing I have done to this point (since it seemed like it was an obvious omission).