I have an application which uploads files via a web form, and stores information about the files (size, path info etc.) in a db2 table, and then writes the files to a directory in the file system. Users can download these files via links displayed in a
jsp. My problem is how to limit access to the files to only the correct group of users, since the files with technically lie outside the application in a different directory. There is no problem limiting access to the jsps which display the links, but there is nothing to stop a user (who has the right url) from accessing the files directly. Currently the application uses a .htaccess file and leaves it up to the web server to limit access to the files, but this approach is only good for one group of users. We need something more dynamic where different users will have access to different files. Any suggestions are appreciated!