RE: Securing a download

2002-12-26 Thread Sandra Cann
You can find source code in Expresso (open source, based on Struts) that secures
a download at www.jcorporate.com. In the Expresso demo (admin UI), have a look
at the security link, then scroll down to the bottom of the form to where it
says Download File Definitions. There is also a Download Log that tracks who
has downloaded what files.




--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




RE: Securing a download

2002-12-23 Thread Remke Rutgers
Hi Christophe,

This looks very similar to a problem I had (and I bet we are not the only
ones).

Some code snippets from the RetrieveFileServlet I wrote (a modified version
of code from Wrox 'Professional JSP, 2nd edition').

In your doGet():
// I omitted the exception handling and stream manipulation stuff

String file = request.getParameter("file");

// perform your logic to find out whether the current user may access this
// file.
// if not allowed: response.setStatus(HttpServletResponse.SC_FORBIDDEN);
// and return, so that nothing below is reached.

// "file" comes straight from the request: refuse anything that is not a
// plain file name, otherwise a value like "../../WEB-INF/web.xml" escapes
// basedir when it is concatenated below.
if (file == null || file.indexOf('/') >= 0 || file.indexOf('\\') >= 0
        || file.indexOf("..") >= 0)
{
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    return;
}

// if allowed continue
String mimetype = getServletContext().getMimeType(file);
if (mimetype != null)
{
    // set the content type matching the file name passed.
    response.setContentType(mimetype);
}

/*
Store the files in a directory not accessible as a webresource, but
accessible by the useraccount under which your webserver is running.
*/
String basedir = ..; // some directory, hardcoded, properties,
                     // JNDI, whatever
FileInputStream fis = new FileInputStream(basedir + file);
OutputStream out = response.getOutputStream();
byte[] buffer = new byte[8192];
int size;

size = fis.read(buffer);

while (size != -1)
{
    out.write(buffer, 0, size);
    size = fis.read(buffer);
}
fis.close();

This should help to handle your security requirements. This lets the browser
determine if the file can be opened in the window (recognized filetypes) or
not.

As for always offering the save as... dialog with the correct filename, you
should be able to achieve that using:
response.addHeader("Content-Disposition",
        "attachment; filename=\"" + file + "\"");

Good luck,

Remke

-----Original message-----
From: Christophe Vigouroux [mailto:[EMAIL PROTECTED]]
Sent: Monday, 23 December 2002 15:37
To: 'Struts Users Mailing List'; [EMAIL PROTECTED]
Subject: Securing a download


Hi all,

Here is my problem: I have a user who is granted access to some files to
download. I want to put all the files downloadable by all the users in a
common directory (many users may download the same file), but with the
possibility to deny the download to users not identified by my application
(I've put a bean in the session scope to identify the user).

I first tried to create an Action class taking the filename of the file to
download as a parameter, forwarding to the path of my file with a redirect. It
works fine for the first requirement, but it fails to deny the download to
unidentified users, because the file is in a public directory. If I try to
put my file directory within WEB-INF, I get the access denied message
from my servlet container (because of the redirect).

Even if my solution does not reveal the URL for getting the file directly (so
nobody should know the URL), it is not a good one because the security
relies on that hypothesis... I'd prefer to have a servlet or an action or a
JSP which checks the identification of the user, then sets the HTTP
header with the right MIME type (but which one? my files could be .exe, .pdf
and so on...), and includes the file. But as far as I have tried this, my problem
is that my browser gives a filename that I don't want (for example I have
download.do?file=myApp.exe and the browser wants to save download.do where
I wanted it to be myApp.exe).

Hope anybody has a suggestion ;)
Thanks !!




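The servlet below is an added example, not Remke's RetrieveFileServlet nor code from the Wrox book, that carries his approach through end to end: the authentication check is made via the session bean Christophe mentions (the attribute name "user" and the init parameter "downloadDir" are assumptions), the 403 branch returns instead of falling through, the requested name is resolved to a canonical path and checked to still lie inside the download directory (so "../WEB-INF/web.xml" or "..\\..\\boot.ini" cannot escape it), unknown types fall back to application/octet-stream, and the Content-Disposition file name is quoted. It targets the javax.servlet API of the period.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureDownloadServlet extends HttpServlet {

    // Assumption: the download directory lives outside the web root and is
    // configured through a servlet init parameter named "downloadDir".
    private File downloadDir;

    public void init() throws ServletException {
        String dir = getInitParameter("downloadDir");
        if (dir == null) {
            throw new ServletException("downloadDir init parameter is required");
        }
        downloadDir = new File(dir);
    }

    /**
     * Returns the file to serve, or null if "name" is not a plain file name
     * that resolves to an existing regular file inside baseDir. The canonical
     * path resolves "..", symlinks and drive-relative forms before the
     * containment check, so a symlink inside baseDir pointing outside it is
     * rejected as well.
     */
    static File resolveDownload(File baseDir, String name) throws IOException {
        if (name == null || name.length() == 0) {
            return null;
        }
        // Only bare file names are acceptable: no separators, no ".." segments.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf("..") >= 0) {
            return null;
        }
        String base = baseDir.getCanonicalPath() + File.separator;
        File candidate = new File(baseDir, name);
        String resolved = candidate.getCanonicalPath();
        if (!resolved.startsWith(base)) {
            return null; // escaped the download directory
        }
        if (!candidate.isFile()) {
            return null; // directories and missing files are not served
        }
        return candidate;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Authentication: the session bean the application stores on login.
        // Assumption: it is kept under the attribute name "user".
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // without this return the file would still be streamed
        }

        File f = resolveDownload(downloadDir, request.getParameter("file"));
        if (f == null) {
            // Same status for "bad name" and "no such file", so the response
            // does not reveal which names exist under downloadDir.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Content type from the container's mime mapping (web.xml / server
        // defaults); unknown extensions get a generic binary type.
        String mime = getServletContext().getMimeType(f.getName());
        response.setContentType(mime != null ? mime : "application/octet-stream");
        // setContentLength takes an int in this servlet API version; files
        // above 2 GB would need the header left unset.
        response.setContentLength((int) f.length());
        // Quote the name so spaces or ';' in it do not break the header, and
        // strip any embedded quote that would end the quoted string early.
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + f.getName().replace('"', '_') + "\"");

        InputStream in = new FileInputStream(f);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

Map the servlet to a path such as /download in web.xml and point the links at /download?file=myApp.exe; because the files are read from the filesystem rather than forwarded to, they can sit anywhere the container's user account can read, including under WEB-INF, without the redirect problem from the original question.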
RE: Securing a download

2002-12-23 Thread Christophe Vigouroux
Great, it just works as I wished! Thanks a lot!!

Christophe VIGOUROUX
ECILIA - Development Engineer
Tel: 04.78.68.46.14
Fax: 04.37.43.69.01


-----Original message-----
From: Remke Rutgers [mailto:[EMAIL PROTECTED]]
Sent: Monday, 23 December 2002 16:10
To: 'Struts Users Mailing List'
Subject: RE: Securing a download