Hi,

The BLOB and file system approaches are very similar as far as security is concerned.

In the first one you have to write an action that writes the file into
the output stream. Suppose that your files have an action called
/showFile.

The HTML should look like this:
<img src="/showFile.do?id=<file id>"></img>

About security:

IMO you have two choices. The first one is to create a HttpFilter that
filters the requests for your files and decide if the remote user has
the privileges to read the file requested.

The second is to implement the preprocess method on Struts RequestProcessor.

Hope this helps you,
               João
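As an added example (not code from João's reply or from the original thread), here is what the /showFile action described above could look like in Struts 1, with the authorization check done inside the action before any bytes reach the output stream. The StoredFile class, the FILES lookup table, the file path and the "manager" role are hypothetical stand-ins for the application's own database; the client only ever sends an opaque id, never a path.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Mapped to /showFile.do. Looks the file up by its opaque id, checks that the
 * logged-in user is allowed to see it, and only then copies the bytes to the
 * response. The client never supplies a path, so it cannot traverse the file system.
 */
public class ShowFileAction extends Action {

    /** Hypothetical per-file metadata; in a real app this is a database row (or a BLOB). */
    static final class StoredFile {
        final File path;          // chosen by the server at upload time
        final String contentType; // recorded at upload time, not taken from the request
        final String readerRole;  // role that may view this file

        StoredFile(File path, String contentType, String readerRole) {
            this.path = path;
            this.contentType = contentType;
            this.readerRole = readerRole;
        }
    }

    /** Hypothetical stand-in for the database lookup. */
    private static final Map<String, StoredFile> FILES = new HashMap<String, StoredFile>();
    static {
        FILES.put("42", new StoredFile(new File("/var/app/uploads/8f3a1c.jpg"),
                                       "image/jpeg", "manager"));
    }

    /** The authorization decision, kept separate so a Filter could call it too. */
    static boolean mayRead(HttpServletRequest request, StoredFile f) {
        return request.getUserPrincipal() != null && request.isUserInRole(f.readerRole);
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String id = request.getParameter("id");
        StoredFile f = (id == null) ? null : FILES.get(id);

        // Unknown id and forbidden id both answer 404, so someone guessing ids
        // cannot tell which ones exist.
        if (f == null || !mayRead(request, f)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        response.setContentType(f.contentType);
        // The image is per-user; keep shared caches and the browser from storing it.
        response.setHeader("Cache-Control", "private, no-store");
        response.setHeader("Pragma", "no-cache");
        response.setContentLength((int) f.path.length());

        InputStream in = new FileInputStream(f.path);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
        return null; // the response has been written directly; nothing to forward to
    }
}
```

Register it in struts-config.xml with `<action path="/showFile" type="ShowFileAction"/>` and reference it from the page as `<img src="/showFile.do?id=42">`. For the second option in the reply, the same mayRead check moves into a javax.servlet.Filter mapped to /showFile.do (or into RequestProcessor.processPreprocess) and the action only streams. isUserInRole assumes container-managed security; with a home-grown login the check would consult whatever the session stores instead. For the BLOB variant, the FileInputStream is replaced by the ResultSet's getBinaryStream and the rest of the action is unchanged.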
On Sun, 12 Sep 2004 18:56:13 -0400, Joe Hertz <[EMAIL PROTECTED]> wrote:
> This has probably been asked before. Apologies if so, I didn't see anything
> close enough.
> 
> This exact scenario is a bit different and more complicated than this, but
> if this problem can be solved, I can work out the rest.
> 
> Say I want people to upload images using html:file, and have implemented
> that successfully.
> 
> Now people get to view images (login role and other things determines what
> images they get to see).
> 
> But how to protect those files from unauthorized viewing?
> 
> I could store the images in BLOBs in the database. That would achieve
> security...But If I do that, how do they get to the user using the img tag?
> Utter guess: This is how the action attribute on the tag works, and I'd write
> the file to the output stream in an action??? I can't imagine that this
> would be the right answer (html source would then look like...I have
> absolutely no idea)
> 
> Alternatively, say I don't want to store them as BLOBs, and just use the
> file system. How do I keep people from potentially pointing their browsers
> at the right URL and viewing files they aren't entitled to see?
> 
> How does one build security onto this type of app?
> 
> TIA
> 
> -Joe
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>
