Downloads through servlets, only after authorization?

 
Ranch Hand
Posts: 346
Hi
Consider the following problem:
- We have some files in doc/html/pdf format to be downloaded by the user.
- Only registered users should have access to these.
- An authentication servlet takes a username & password and, after verifying these, saves a Boolean object in the HTTP session as 'RightToDownload' with value true.
Now, is there any foolproof way by which a servlet could be written which will allow download only if the Boolean object in the session is true?
(For example, the user can always access files by a static URL, say www.sample.com/docs/file.pdf. How to avoid this? Does the servlet need to generate these downloadable docs at runtime, or is any other way possible?)
Please help.
------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .
 
Ranch Hand
Posts: 150
(a) You don't need to use servlets; you could simply use .htaccess.
(b) If you use an authentication servlet, its response would either be the file (having set the content-type appropriately) or an error page. Thus the file only needs to be accessible by the servlet.

 
Gagan Indus
Ranch Hand
Posts: 346
Thanks Tim

I was working on idea (b) as given by you.
I am not aware of ".htaccess". If you can elaborate a bit more, then that could be a lot of help.
Thanks in advance
------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .
 
Tim Duncan
Ranch Hand
Posts: 150
I'm not sure that this is supported on all servers, but Apache (and derivatives such as Websphere) and NCSA certainly do. The main idea is that if you have a .htaccess file in a directory then access to any files in the directory *and* subdirectories will require authentication.
The .htaccess file specifies the security realm (AuthName) and the user-group that may access it. It also tells the server where to find usernames and passwords (AuthUserFile), and group membership (AuthGroupFile). The server then authenticates the user using BASIC authentication.
Searching Google with the keyword "htaccess" will turn up more information than you can possibly need.
 
Ranch Hand
Posts: 38

.htaccess


I had supposed that the '.htaccess' file is for the Unix platform (correct me if I'm wrong), so what about Windows, MacOS...? Our servlets should be OS-independent!


[This message has been edited by morph wang (edited November 01, 2001).]
 
Tim Duncan
Ranch Hand
Posts: 150
htaccess has nothing to do with servlets; I merely pointed out that you don't need to use servlets to restrict access to resources.
But, to answer your question ... no, it's not restricted to Unix platforms (no problem with dot files in Windows). Apache and Websphere will both run on NT.
 
Ranch Hand
Posts: 144
Another way could be using static extension mapping, where the mapped AuthenticationServlet (the developer provides it) gets access whenever you call any file with that extension. This servlet performs the necessary authorization checks and streams the data to the client. This way is independent of the servlet container.
 