I have an application which uploads files via a web form, and stores information about the files (size, path info etc.) in a db2 table, and then writes the files to a directory in the file system. Users can download these files via links displayed in a jsp. My problem is how to limit access to the files to only the correct group of users, since the files with technically lie outside the application in a different directory. There is no problem limiting access to the jsps which display the links, but there is nothing to stop a user (who has the right url) from accessing the files directly. Currently the application uses a .htaccess file and leaves it up to the web server to limit access to the files, but this approach is only good for one group of users. We need something more dynamic where different users will have access to different files. Any suggestions are appreciated!
Can you give the users NO access to the actual file directory and download the files through a servlet? That changes the files from static content to dynamic content. Then the servlet could check user roles or permissions against attributes in your file meta-data before downloading.
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi