"There's a custom mechanism that creates security tokens."

I retired several years ago so this is all from my foggy geriatric memory
and it may be a bogus suggestion.

If you're on Unix and your security token contains their user id then you
could use this brute force method. On Unix it has a system call that will
tell you if a user id is allowed access to a file, called "access()". I'm
guessing that your web server is just pointing them to the directory
directly and the web server is making the list of files.  If your stripes
app makes the list of files instead then you can use the access() system
call on each file before it adds it to the list of files to present them.

But if they know the url to any of the files they're not allowed access to
they could still type that url into the browser's address box and get to it
so it's not the least bit secure.
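An added example, not code from this thread or from the Stripes project: one way to make the tutorial links depend on the login, by serving the files from a directory outside the web root through a Stripes ActionBean that refuses unauthenticated requests. The package name, the base directory /var/app/tutorials and the "user" session attribute are assumptions; the request only ever names a file, never a path, and the canonical path is checked to stay under the base directory so the action cannot be used to read other files.

```java
// Added example (not from the thread): a Stripes ActionBean that serves
// tutorial files stored outside the web root, only to logged-in users.
// Assumptions (hypothetical): the login code stores a user object in the
// HttpSession under "user", and the files live under /var/app/tutorials.
package example;  // hypothetical package name

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLConnection;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ErrorResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StreamingResolution;
import net.sourceforge.stripes.action.UrlBinding;

@UrlBinding("/tutorial/{name}")
public class TutorialFileActionBean implements ActionBean {

    // Directory outside the servlet container's document root (assumed path),
    // so the container never serves these files directly.
    private static final File BASE_DIR = new File("/var/app/tutorials");

    private ActionBeanContext context;
    private String name;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
    public void setName(String name) { this.name = name; }

    @DefaultHandler
    public Resolution download() throws IOException {
        // 1. Authentication: no session, or no "user" in it, means 401.
        HttpSession session = context.getRequest().getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            return new ErrorResolution(HttpServletResponse.SC_UNAUTHORIZED);
        }

        // 2. Path containment: canonicalize (resolves ".." and symlinks) and
        //    require the result to stay under BASE_DIR.
        if (name == null || name.isEmpty()) {
            return new ErrorResolution(HttpServletResponse.SC_NOT_FOUND);
        }
        File requested = new File(BASE_DIR, name).getCanonicalFile();
        String basePath = BASE_DIR.getCanonicalPath() + File.separator;
        if (!requested.getPath().startsWith(basePath) || !requested.isFile()) {
            return new ErrorResolution(HttpServletResponse.SC_NOT_FOUND);
        }

        // 3. Stream the file; the browser only ever sees the action URL.
        String contentType = URLConnection.guessContentTypeFromName(requested.getName());
        if (contentType == null) {
            contentType = "application/octet-stream";
        }
        StreamingResolution res =
                new StreamingResolution(contentType, new FileInputStream(requested));
        res.setFilename(requested.getName());
        return res;
    }
}
```

With this layout the links in the application point at /tutorial/{name} rather than at the files themselves, so knowing a file name is no longer enough to fetch it without a session, and the files can still be replaced on disk independently of the war deployment.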



On Mon, Nov 28, 2016 at 2:26 PM, William Krick <kr...@3feetunder.com> wrote:

> There's a custom mechanism that creates security tokens.  I'm not really
> sure how it works as this is a large application and the security framework
> was developed by another group.
>
> I'm guessing that conceptually, a proper solution to "secure" file links
> would involve custom URLs that incorporate a security token string that are
> only valid for the current user in the current session.
>
>
>
>
>
> On Mon, Nov 28, 2016 at 4:30 PM, Rick Grashel <rgras...@gmail.com> wrote:
>
>> Hi William,
>>
>> How are your users logging in right now?  Through basic authentication or
>> through a custom mechanism?
>>
>> -- Rick
>>
>> On Mon, Nov 28, 2016 at 2:23 PM, William Krick <kr...@3feetunder.com>
>> wrote:
>>
>>> I'm working on a Stripes web application that provides links to tutorial
>>> files.  The users have to log into the application.  The problem is that
>>> the links to the tutorial files are accessible to anyone, whether they are
>>> logged into the application or not.
>>>
>>> The links should only be accessible to logged-in users.
>>>
>>> Is there some standard way that this is done?
>>>
>>> Also, should the files be hosted outside of the web-accessible root
>>> directory?
>>>
>>> I don't want to have to bundle the files inside the deployment war
>>> because they may need to be updated outside of the normal app deployment
>>> cycle.
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>>
>>> _______________________________________________
>>> Stripes-users mailing list
>>> Stripes-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/stripes-users
>>>
>>>
>>
>