
Security issues with file download servlets?

Ranch Hand
Posts: 34
I currently have a portlet which invokes a servlet to allow the user to download a file on our server. However, this servlet is currently insecure, as unauthenticated users can copy and paste the link to download the file directly, bypassing portal authentication.

I thought of two possibilities to secure this process:
1. Under the JSR 168 spec, we can share session information between portlets and servlets, so we can verify in the servlet code that the user is authenticated by the portal by looking for this session id.
2. Another alternative to this is to look at the remote user id in the HttpServletRequest object. If a user has not been authenticated by the portal, the getRemoteUser method in the request object would return null which we could also look for in the servlet code.

However, I am concerned about these problems.
1. Authentication - This doesn't give us proper authentication. A malicious user can create some random user or session ID. But in the servlet we have no way of knowing if that session/user ID is valid, right? A session or user ID can only be authenticated within the portlet container where it is tracking those IDs.

2. Authorization - Even if we could assume the session/user ID is valid, it isn't really enough. For example, we have users that are authorized users but do not have access to the file download portlet. If they are logged in, they have a session ID and a remote user ID, but they should not have access to the files by cutting and pasting the link.

Any thoughts or ideas?
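As an added illustration (not code from the original post), here is how the two checks from the question could be written in the download servlet using container-managed security rather than a client-supplied ID: getRemoteUser() and isUserInRole() are populated by the servlet container from its own login state, so a client cannot forge them by pasting a link. It assumes the servlet is deployed in the same container and security realm as the portal login; the role name "file-download" and the id-to-path map are made up for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Streams a file only if the container has authenticated the caller AND the
// caller holds the role the download portlet requires (role name assumed).
public class SecureDownloadServlet extends HttpServlet {

    // Files are requested by an opaque id, not a path, so the link alone
    // carries nothing that can be tampered with (constructed sample map).
    private static final Map<String, String> FILES = Map.of(
            "report-2023", "/WEB-INF/downloads/report-2023.pdf",
            "handbook",    "/WEB-INF/downloads/handbook.pdf");

    // Role the portal grants only to users entitled to the download portlet (assumed).
    private static final String REQUIRED_ROLE = "file-download";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: null means the container has not logged this user in.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Authorization: being logged in is not enough; require the portlet's role.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String path = FILES.get(req.getParameter("id"));
        if (path == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Files live under WEB-INF, so they are never served directly by URL.
        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
            String name = path.substring(path.lastIndexOf('/') + 1);
            resp.setContentType("application/octet-stream");
            resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
            in.transferTo(resp.getOutputStream());
        }
    }
}
```

The role check only works if the same realm that logs users into the portal also maps them to roles for this web application; a servlet in a separate container or realm would not see the portal's login state.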
