
Downloads through servlets, only after authorization?

 
Gagan Indus
Ranch Hand
Posts: 346
Hi
Consider the following problem:
- We have some files in doc/html/pdf format to be downloaded by the user.
- Only registered users should have access to these.
- An authentication servlet takes a username and password and, after verifying these, saves a Boolean object in the HTTP session as 'RightToDownload' with the value true.
Now, is there any foolproof way by which a servlet could be written that will allow a download only if the Boolean object in the session is true?
(For example, the user can always access files by a static URL, say www.sample.com/docs/file.pdf. How do we avoid this? Does the servlet need to generate these downloadable docs at runtime, or is there any other way possible?)
Please help.
------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .
 
Tim Duncan
Ranch Hand
Posts: 150
(a) you don't need to use servlets, you could simply use .htaccess
(b) if you use an authentication servlet, its response would either be the file (having set content-type appropriately) or an error page. Thus the file only needs to be accessible by the servlet.

 
Gagan Indus
Ranch Hand
Posts: 346
Thanks Tim

I was working on idea (b) as given by you.
I am not aware of ".htaccess". If you can elaborate a bit more, that could be a lot of help.
Thanks in advance
------------------
Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- little Java a day , keeps u going .
 
Tim Duncan
Ranch Hand
Posts: 150
I'm not sure that this is supported on all servers, but Apache (and derivatives such as Websphere) and NCSA certainly do. The main idea is that if you have a .htaccess file in a directory then access to any files in the directory *and* subdirectories will require authentication.
The .htaccess file specifies the security realm (AuthName) and the user-group that may access it. It also tells the server where to find usernames and passwords (AuthUserFile), and group membership (AuthGroupFile). The server then authenticates the user using BASIC authentication.
Searching Google with the keyword "htaccess" will turn up more information than you can possibly need.
 
morph wang
Ranch Hand
Posts: 38
.htaccess

I had supposed that the '.htaccess' file is for the Unix platform (correct me if I'm wrong), so what about Windows, MacOS...? Our servlets should be OS-independent!


[This message has been edited by morph wang (edited November 01, 2001).]
 
Tim Duncan
Ranch Hand
Posts: 150
htaccess is nothing to do with servlets, I merely pointed out that you don't need to use servlets to restrict access to resources.
But, to answer your question ... no, it's not restricted to Unix platforms (no problem with dot files in Windows). Apache and Websphere will both run on NT.
 
sridhar satuloori
Ranch Hand
Posts: 144
Another way could be to use static extension mapping, where the mapped AuthenticationServlet (which the developer provides) gets access whenever you call any file with that extension. This servlet performs the necessary authorization checks and streams the data to the client. This way is independent of the servlet container.
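
One way to write the gatekeeping servlet discussed in answer (b) and in the mapped-servlet suggestion above, as an added example that is not code from any poster in this thread. The 'RightToDownload' session attribute comes from the original question; the class name `DownloadServlet`, the `/download/*` mapping and the `/var/app/protected-docs` directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed web.xml mapping (hypothetical): /download/* -> DownloadServlet
public class DownloadServlet extends HttpServlet {
    // Assumed location: the files live outside the web root, so no static
    // URL such as /docs/file.pdf can reach them; only this servlet can.
    private static final Path DOC_ROOT =
            Paths.get("/var/app/protected-docs").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session just to inspect it.
        HttpSession session = req.getSession(false);
        Object right = (session == null) ? null : session.getAttribute("RightToDownload");
        if (!Boolean.TRUE.equals(right)) {       // missing, false or wrong type
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String name = req.getPathInfo();         // e.g. "/file.pdf"
        if (name == null || name.length() < 2) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Resolve under DOC_ROOT and reject any path that escapes it
        // ("../" sequences or an absolute path in the request).
        Path file = DOC_ROOT.resolve(name.substring(1)).normalize();
        if (!file.startsWith(DOC_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLengthLong(Files.size(file));
        // Keep shared caches from storing a copy of the protected file.
        resp.setHeader("Cache-Control", "private, no-store");
        Files.copy(file, resp.getOutputStream());
    }
}
```

The session check only protects the files if they are not also reachable by a static URL, which is why the directory sits outside the deployed web application.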
 