File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Spring and the fly likes Spring security on file downloads Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "Spring security on file downloads" Watch "Spring security on file downloads" New topic
Author

Spring security on file downloads

Mark Brothers
Greenhorn

Joined: Apr 15, 2004
Posts: 14
We have a Java/Spring application that has a secure area that we allow users to download certain files, if their LDAP entry has the proper role(s). It seems to work just fine - EXCEPT - if you right click and copy the link to the file, then go to another browser session and paste the link into the browser address bar, you get the file download dialog box, as if you are logged in and have been checked for role assignment (even works from an entirely different PC). What is missing from this application that would allow an un-authenticated user to merely copy in a url to the file and be able to download it?

BTW - I am not a well versed Java programmer and have never used Spring. I have looked in the Spring in Action book, but many of the things in the security chapter are not in this particular application. I do see some filters and filter mappings in the web.xml (none are the file download directory), and I see some security: intercept-url in the security.xml - and those seem to have the directories in question and proper LDAP role(s) for access.

Can someone point me on a trouble-shooting methodology to track down this embarrasing failure in this application? Thanks.
Nathan Pruett
Bartender

Joined: Oct 18, 2000
Posts: 4121

Can you post the general directory structure of your app?

What is the filter mapping in the web.xml? It could be that the path of the downloads directory isn't covered by the filter mapping.

What are the intercept url entries in the security.xml? Again, the path of the downloads directory may not be covered, or it may fall under something like filters="none" and have security turned off.


-Nate
Write once, run anywhere, because there's nowhere to hide! - /. A.C.
Mark Brothers
Greenhorn

Joined: Apr 15, 2004
Posts: 14
The files for download are located in webapp/dataDownloads/secure directory.

Security.xml has security:intercept-url entries for patterns of /dataDownloads/secure/xyz - where xyz is a subdirectory, with Active Directory roles allowing the link to be hidden if role is not assigned to that user. Example might be subdirectories of finance, admin, or maintenance. User would have to log in and have the admin role to see the links to the files for download in the admin subdirectory.

Web.xml has filter mappings for /data/* and /secure/* - but not /dataDownloads/*

Hope this helps. It looks to me like the dataDownloads directory is not included in the filter mappings at all.

Thanks for any input on this.

Mark
Nathan Pruett
Bartender

Joined: Oct 18, 2000
Posts: 4121

I agree - perhaps the mapping for /data/* was really supposed to be for /dataDownloads/* ? Or is there another directory called /data ?
Mark Brothers
Greenhorn

Joined: Apr 15, 2004
Posts: 14
Okay, I added the following to the web.xml file:

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/dataDownloads/*</url-pattern>
</filter-mapping>

I can still do a copy of the link and get to the file without the application forcing a login. I thought the filter mapping would make any request for a file in the /dataDownload directory go through the user login. Are there other parts to the Spring security framework that have to be redone or completed to get this to work properly? The change to the web.xml file is the only thing I have done to this point (since it seemed like it was an obvious omission).

Thanks.
Nathan Pruett
Bartender

Joined: Oct 18, 2000
Posts: 4121

Depending on the configuration, you may need to change other things...

What does the <security:http> configuration look like in your Security.xml?

You said it has <security:intercept-url> entries for patterns like /dataDownloads/secure/xyz... are the files you're trying to access in one of these directories specified?

Is there a <security:intercept-url> pattern for /** or /dataDownloads/** to define a default configuration?

Are there any patterns that have a filters="none" attribute? - this basically "turns off" security for that path.

Do you see anything like ROLE_ANONYMOUS listed in the access lists? This would mean that anonymous access is enabled...
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Spring security on file downloads
 
Similar Threads
Migrating JAAS from JBoss to Websphere 6.1
Using spring security across multiple apps
what's LDAP server
Spring 3.0 Framework, CAS and EJB
Web app Security Confusion