Stopping unauthorized access of files on the server

James Lightener
Greenhorn

Joined: Nov 18, 2008
Posts: 2
Hi,

I have an application which displays certain links. Some of these links open the pdf files placed on the server.

The application has two levels of permissions: one through LDAP to verify whether the user is valid, and then the permissions of the user for this application, using an Oracle database.

However, if I hit the path of the file directly, the files can be accessed and no authentication is done.

Can you please help me to avoid this unauthorized access?

By the way, I am using the JBoss server to deploy the applications.

Thanks in advance.

~ thoughtfulbrain.

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The obvious approach would be to put the files in a directory that is not accessible outside of the application. All links would then have to go through a servlet (or some kind of action bean/class if you're using a web framework) which could perform all necessary authentication checks before serving the content of the files.
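The approach Tim describes (files in a directory the container does not serve, every link going through a servlet that checks the session and the application's permissions before streaming the bytes), written out as an added example. This is not code from the thread or from JBoss; it assumes a servlet init-param named document.dir pointing at the private directory, a session attribute userId set by the existing login code, and a hypothetical DocumentAuthorizer hook standing in for the Oracle-backed permission lookup.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Serves PDFs from a directory OUTSIDE the deployed web application, so the
 * container never exposes them as static resources; every download must pass
 * the same session and permission checks as the rest of the application.
 *
 * Assumptions (example only, not from the thread):
 *  - init-param "document.dir" names the private directory, e.g. /var/app/private-docs
 *  - the login code stores the authenticated user id in the session as "userId"
 *  - DocumentAuthorizer is a hypothetical hook for the application's Oracle-backed
 *    permission lookup; the placeholder below denies everything until it is wired up
 */
public class ProtectedDocumentServlet extends HttpServlet {

    public interface DocumentAuthorizer {
        boolean mayRead(String userId, String relativePath);
    }

    private File baseDir;
    private DocumentAuthorizer authorizer;

    @Override
    public void init() throws ServletException {
        try {
            baseDir = new File(getInitParameter("document.dir")).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException("document.dir is not usable", e);
        }
        authorizer = new DocumentAuthorizer() {   // placeholder: replace with the real lookup
            public boolean mayRead(String userId, String relativePath) { return false; }
        };
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: a request without a logged-in session gets nothing.
        HttpSession session = req.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Map the URL path (e.g. /documentation/ImportantInformation.pdf) onto the
        //    private directory; refuse anything that escapes it via ".." or symlinks.
        String relative = req.getPathInfo();
        File target = resolveInside(baseDir, relative);
        if (target == null || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 3. Authorization: the application's own per-user permission for this document.
        if (!authorizer.mayRead(userId, relative)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Stream the bytes; the real filesystem location never reaches the browser.
        resp.setContentType("application/pdf");
        resp.setHeader("Content-Disposition",
                "inline; filename=\"" + target.getName().replace("\"", "") + "\"");
        resp.setHeader("Cache-Control", "private, no-store");
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }

    /** Canonical file for relative under base, or null if empty or outside base. */
    static File resolveInside(File base, String relative) {
        if (relative == null || relative.isEmpty()) {
            return null;
        }
        try {
            File candidate = new File(base, relative).getCanonicalFile();
            String prefix = base.getCanonicalPath() + File.separator;
            return candidate.getPath().startsWith(prefix) ? candidate : null;
        } catch (IOException e) {
            return null;   // malformed path: treat as not found
        }
    }
}
```

Map the servlet to a pattern such as /docs/* in web.xml and generate the page's links against that pattern; the old /portal/files/... location must no longer exist inside the deployed application, otherwise the container will keep serving it directly and the checks above are bypassed.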
James Lightener
Greenhorn

Joined: Nov 18, 2008
Posts: 2
Tim Moores wrote: The obvious approach would be to put the files in a directory that is not accessible outside of the application. All links would then have to go through a servlet (or some kind of action bean/class if you're using a web framework) which could perform all necessary authentication checks before serving the content of the files.


Thanks Tim, but I don't think it is an appropriate solution to my problem. I will try to elaborate the problem so that you can explain your solution if it is applicable.

All the files are kept at a common location on the JBoss server. The page where the links are displayed is shown to a user only if he has authorized access. But, for example, on the click of the link the URL is generated like this:

http://JBOSS-Server/portal/files/documentation/ImportantInformation.pdf

Now if I copy this path and hit it directly in a new browser, the PDF file is opened without asking for any password, because it is not calling any of the servlets (in my case the action, as I am using Struts), and hence there is no authentication happening.

What will be the best way to resolve this problem? Can I have any configuration in my JBoss server to ask for a password when a user tries to access this path? Or how can I call my interceptor to verify the login and give an error, as the user is directly trying to access the file in an illegal way?

~ thoughtfulbrain.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The alternative to routing all file accesses through your code would be to set up servlet security for the document directory as specified by the servlet spec. You can find a brief intro and some related links about that at http://www.coderanch.com/how-to/java/ServletsFaq#security