Dov Rosenberg wrote:
Our application has its own security model that controls access to our
information based on our own roles and permissions. We store files related
to our application on the file system where our application is running.
These associated files are served out by a web server. Our goal is to come
up with a scheme where we could apply our security model to control access
to these files via the web server. For example - someone associates a PDF
with some meta data. We don't want the user to be able to bookmark the
underlying URL and email it to their friends for them to download without
having them authenticated by our service.

We are looking at a couple of different ideas.

1. Create a servlet filter to sit in front of the resources requests and
somehow tie that into our application logic
2. Create a regular proxy type of servlet that can accept requests and
validate them using our security model
3. Figure out a way to secure the filesystem using a Proxy server of some
type.

Any other thoughts or ideas are appreciated. Thanks in advance



Filter and container enforced security is mainly good for pattern based criteria. Are you looking to give permissions based on a name pattern, like *.pdf, or somedir/*.pdf? Otherwise you need a database of permissions and mappings, such as what JAAS/SecurityManager based applications rely on. On top of that, your options may be limited by how your security model works. For example, you /could/ use a separate servlet ala web.xml, but if your security model relies on all requests going through one servlet, you're better off with a filter.

Savvy?
--Ryan
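
The filter option discussed in this thread, sketched as an added example (not code from either poster): a servlet filter that consults a per-file permission map instead of a name pattern, so a bookmarked URL is useless without an authenticated session that holds a matching role. The `ACL` map, the `app.roles` session attribute and the `/files/*` mapping are assumptions standing in for the application's own security model and `web.xml`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: per-file access check run before the container serves anything under /files/*. */
public class FileAccessFilter implements Filter {

    // Hypothetical stand-in for the application's permission store:
    // exact file path -> roles allowed to read it (constructed sample data).
    private static final Map<String, Set<String>> ACL = Map.of(
        "/files/reports/q1.pdf", Set.of("finance", "admin"),
        "/files/manuals/setup.pdf", Set.of("user", "admin"));

    // Assumed session attribute, set by the application's own login code.
    static final String ROLES_ATTR = "app.roles";

    /** Returns the HTTP status for this path and role set; 200 means "serve it". */
    static int decide(String path, Set<String> roles) {
        if (roles == null) return HttpServletResponse.SC_UNAUTHORIZED;   // not logged in
        Set<String> allowed = ACL.get(path);
        // Default deny: unknown paths (including traversal attempts) look like missing files.
        if (allowed == null) return HttpServletResponse.SC_NOT_FOUND;
        return Collections.disjoint(allowed, roles)
            ? HttpServletResponse.SC_FORBIDDEN : HttpServletResponse.SC_OK;
    }

    @Override
    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        HttpSession session = req.getSession(false);          // never create a session here
        Set<String> roles = session == null ? null : (Set<String>) session.getAttribute(ROLES_ATTR);
        int status = decide(path, roles);
        if (status != HttpServletResponse.SC_OK) { res.sendError(status); return; }
        res.setHeader("Cache-Control", "private, no-store");  // keep the file out of shared caches
        chain.doFilter(rq, rs);                                // hand off to the default file servlet
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The check only covers requests that pass through the servlet container; if a front-end web server can read the same directory and serve it directly, those requests never reach the filter.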

