Hi Christophe, This looks very similar to a problem I had (and I bet we are not the only ones).
Some code snippets from the RetrieveFileServlet I wrote (a modified version of code from Wrox 'Professional JSP, 2nd edition'). In your doGet():

    // I omitted the exception handling and stream manipulation stuff
    String file = request.getParameter("file");

    // perform your logic to find out whether the current user may access this file.
    // if not allowed:
    //     response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    //     return;   // without the return, the code below still writes the file
    // if allowed continue

    String mimetype = null;
    if (file != null) mimetype = getServletContext().getMimeType(file);
    if (mimetype != null) {
        // set the content type to the parameter passed.
        response.setContentType(mimetype);
    }

    /* Store the files in a directory not accessible as a webresource,
       but accessible by the useraccount under which your webserver is running. */
    String basedir = ......; // some directory, hardcodes, properties, JNDI, whatever

    // "file" comes straight from the request: check that the resolved path is still
    // inside basedir, otherwise "../" in the parameter reads arbitrary files.
    File target = new File(basedir, file);
    String prefix = new File(basedir).getCanonicalPath() + File.separator;
    if (!target.getCanonicalPath().startsWith(prefix)) {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return;
    }

    OutputStream out = response.getOutputStream();
    FileInputStream fis = new FileInputStream(target);
    byte[] buffer = new byte[8192];
    int size = fis.read(buffer);
    while (size != -1) {
        out.write(buffer, 0, size);
        size = fis.read(buffer);
    }
    fis.close();

This should help to handle your security requirements. This lets the browser determine if the file can be opened in the window (recognized filetypes) or not. As for always offering the "save as..." dialog with the correct filename, you should be able to achieve that using:

    response.addHeader("Content-Disposition", "attachment; filename="+file);

Good luck,
Remke

-----Original Message-----
From: Christophe Vigouroux [mailto:[EMAIL PROTECTED]]
Sent: Monday 23 December 2002 15:37
To: 'Struts Users Mailing List'; [EMAIL PROTECTED]
Subject: Securing a download

Hi all,

Here is my problem: I have a user who is granted access to some files to download. I want to put all the files downloadable by all the users in a common directory (many users may download the same file), but with the possibility to deny the download to users not identified by my application (I've put a bean in the session scope to identify the user).
I first tried to create an Action class taking the filename of the file to download as a parameter, forwarding to the path of my file with a redirect. It works fine for the first requirement, but it fails to deny the download to unidentified users, because the file is in a public directory. If I try to put my file directory within WEB-INF, I get the "access denied" message from my servlet container (because of the redirect). Even if my solution does not show the URL to get the file directly (so nobody should know the URL), it is not a good one because the security relies on that hypothesis...

I'd prefer to have a servlet or an action or a JSP which checks the identification of the user, then modifies the HTTP header with the right mime type (but which one? my files could be .exe, .pdf and so on...), and includes the file. But as far as I have tried this, my problem is that my browser gives a filename that I don't want (for example I have download.do?file=myApp.exe and the browser wants to save "download.do" where I wanted it to be "myApp.exe").

Hope anybody has a suggestion ;)

Thanks !!

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
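The servlet that both messages above are circling around (check the session bean, confine the requested name to a directory outside the web root, pick a Content-Type, force the "save as" filename) written out as one complete class. This is an added example for this thread, not Remke's RetrieveFileServlet or Christophe's Action; it assumes a servlet init-param named "basedir" for the storage directory, a session attribute "user" holding a hypothetical DownloadUser bean with an isAllowed(String) method, and otherwise uses only the standard javax.servlet API.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Serves files kept outside the web root after an authentication and an
 * authorization check. Assumed (not from the thread): init-param "basedir",
 * session attribute "user" of the hypothetical type DownloadUser.
 */
public class SecureDownloadServlet extends HttpServlet {

    private File baseDir;

    public void init() throws ServletException {
        String dir = getInitParameter("basedir");
        if (dir == null) throw new ServletException("init-param 'basedir' is required");
        try {
            baseDir = new File(dir).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    /** Canonical path of the requested name if it stays inside base, else null. */
    static File resolveInside(File base, String name) throws IOException {
        if (name == null || name.length() == 0) return null;
        File candidate = new File(base, name).getCanonicalFile();
        // Canonical comparison defeats "..", absolute paths and symlinks pointing out.
        String prefix = base.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) return null;
        return candidate.isFile() ? candidate : null;
    }

    /** Basename only, restricted to characters that cannot break the header. */
    static String safeFileName(File f) {
        String n = f.getName().replaceAll("[^A-Za-z0-9._-]", "_");
        return n.length() == 0 ? "download" : n;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Authentication comes from the application's session bean, never the URL.
        HttpSession session = request.getSession(false);
        DownloadUser user = (session == null) ? null : (DownloadUser) session.getAttribute("user");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Confine the path before reasoning about the name at all.
        File target = resolveInside(baseDir, request.getParameter("file"));
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND); // do not say why
            return;
        }
        String relative = target.getPath().substring(baseDir.getPath().length() + 1);

        // 3. Authorization: may *this* user fetch *this* file?
        if (!user.isAllowed(relative)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Content-Type from the container's mime mapping, safe default otherwise.
        String mime = getServletContext().getMimeType(target.getName());
        if (mime == null) mime = "application/octet-stream";
        response.setContentType(mime);
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + safeFileName(target) + "\"");
        if (target.length() <= Integer.MAX_VALUE) response.setContentLength((int) target.length());

        // 5. Stream the bytes; the file never has a URL of its own.
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
            out.flush();
        } finally {
            in.close();
        }
    }
}

/** Hypothetical session bean; substitute whatever the application stores. */
interface DownloadUser {
    boolean isAllowed(String relativePath);
}
```

Map the servlet to a URL such as /download and link to it as download?file=myApp.exe; the Content-Disposition header makes the browser save "myApp.exe" rather than "download". The two checks are deliberately ordered: the path is confined first so that the authorization bean only ever sees names that are really under basedir, and a name that escapes gets the same 404 as a missing file so the response does not help an attacker map the filesystem.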