Author: michiel
Date: 2009-08-17 17:05:34 +0200 (Mon, 17 Aug 2009)
New Revision: 37946

Modified:
   
mmbase/trunk/applications/resources/src/main/java/org/mmbase/servlet/FileServlet.java
Log:
implemented 'canRead'

Modified: 
mmbase/trunk/applications/resources/src/main/java/org/mmbase/servlet/FileServlet.java
===================================================================
--- 
mmbase/trunk/applications/resources/src/main/java/org/mmbase/servlet/FileServlet.java
       2009-08-17 14:55:15 UTC (rev 37945)
+++ 
mmbase/trunk/applications/resources/src/main/java/org/mmbase/servlet/FileServlet.java
       2009-08-17 15:05:34 UTC (rev 37946)
@@ -38,6 +38,7 @@
 
     private static File files = null;
     private static final UrlEscaper URL = new UrlEscaper();
+    private static final String SESSION_EXTENSION  = ".SESSION";
 
     private Pattern ignore = Pattern.compile("");
 
@@ -110,9 +111,45 @@
         }
     }
 
+    protected static File getSessionFile(File f) {
+        if (f.getName().endsWith(SESSION_EXTENSION)) return f;
+        return new File(f.getParentFile(), f.getName() + SESSION_EXTENSION);
+    }
+
+    /**
+     * @since MMBase-1.9.2
+     */
+    public static void protectFile(HttpServletRequest req, File f) throws 
IOException {
+        File sessionFile = getSessionFile(f);
+        Writer w = new FileWriter(sessionFile);
+        w.write(req.getSession(true).getId());
+        w.close();
+    }
+
+
+    /**
+     * Returns whether the given file can be served out for the given request. 
You can use {...@link
+     * #protectFile} to make the file only accessible to the current http 
session.
+     */
     protected boolean canRead(HttpServletRequest req, File f) {
+        if (! f.canRead()) return false;
+
         // something with mmbase security ?
-        return f.canRead();
+        File sessionFile = getSessionFile(f);
+        if (sessionFile.exists()) {
+            if (! sessionFile.canRead()) return true;
+            try {
+                BufferedReader r = new BufferedReader(new 
FileReader(sessionFile));
+                String sessionId = r.readLine();
+                r.close();
+                return sessionId.equals(req.getSession(true).getId());
+            } catch (IOException ioe) {
+                log.warn(ioe);
+                return false;
+            }
+        } else {
+            return true;
+        }
     }
 
     protected boolean ignores(String pi) {
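Review bot: In canRead, `if (! sessionFile.canRead()) return true;` fails open: a file that protectFile has bound to a session is served to any requester whenever its `.SESSION` marker exists but cannot be read, so that branch should deny with `if (! sessionFile.canRead()) return false;`. An empty marker makes `r.readLine()` return null, and the following `sessionId.equals(...)` then throws a NullPointerException that `catch (IOException ioe)` does not cover; `return sessionId != null && sessionId.equals(req.getSession(true).getId());` turns that case into a plain denial. protectFile and canRead both close their stream only on the success path, so a failed write or read leaks the handle, and a partially written marker may be left behind; closing in a `finally` block would address the leak.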
