Downloads through servlets, only after authorization?

Ranch Hand
Posts: 346
Consider the following problem:
- We have some files in doc/html/pdf format to be downloaded by users.
- Only registered users should have access to these.
- An authentication servlet takes username & password and, after verifying these, saves a Boolean object in the HTTP session as 'RightToDownload' with value true.
Now is there any foolproof way by which a servlet could be written which will allow download only if the Boolean object in the session is true?
(Like, users can always access files by a static URL, say. How to avoid this? Does the servlet need to generate these downloadable docs at runtime, or is any other way possible?)
Please help.

Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- a little Java a day keeps you going.
Posts: 3252
If you can use servlet security, then that's the nicest way to go about it. When a user has been authenticated, (s)he is represented by a Principal (HttpServletRequest.getUserPrincipal()) which can be in one or more roles (HttpServletRequest.isUserInRole()). You can use the declarative security settings in web.xml to limit access to your download URLs to those users who are in the "DOWNLOADER" role.
So far, so good. But there's a catch - I bet you saw it coming: Sun IMHO left too much of the security implementation to the container vendor. If you want to, say, programmatically add users to the system, you have to use a container-specific API; the servlet spec doesn't have any.
The alternative is the DIY method. Let's say that a request comes in for "/downloads/docs/secret.pdf". One way to implement it would be:
  • Put secret.pdf in a path that is inaccessible through the server - (a) /WEB-INF/downloads or (b) a "normal" path such as "/downloads" protected by security constraints as mentioned above. If your downloads change frequently, (c) store it in a database, or (d) some safe place on the filesystem outside the server directories. Remember, some application servers can work straight from a WAR or store the WAR in a database, and you may not want to redeploy every time you add a new download.
  • Map a download servlet to "/downloads/*".
  • This download servlet uses HttpServletRequest.getPathInfo() to get the extra path information in the request, in this case "/docs/secret.pdf".
  • It then checks the user privileges to see if the given download can be accessed.
  • (a,b) Prepend the location of the downloads directory, say "/WEB-INF/downloads", to give "/WEB-INF/downloads/docs/secret.pdf". (c) If you use a database you can use the extra path information to locate the download in a table; (d) if you use the filesystem you can simply prepend a filesystem path.
  • (a,b) Get a URL for the pdf using ServletContext.getResource() (typically, this is a file:// URL, but it does not have to be), open the URL and serve up the result. (c) If you're using a database to store the downloads you'd probably be using JDBC at this step; (d) if you're using the filesystem you can simply open a FileInputStream.
HTH
- Peter
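The DIY steps above, worked through as an added example (this is not Peter's or the forum's code): a servlet mapped to "/downloads/*" that checks the 'RightToDownload' session flag from the first post, serves files from /WEB-INF/downloads (option (a)) via ServletContext.getResource(), and refuses path-info values containing ".." so the extra path cannot point outside the download directory. The class name and the web.xml mapping are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed to be mapped to "/downloads/*" in web.xml; files live under
// /WEB-INF/downloads, which the container never serves directly.
public class DownloadServlet extends HttpServlet {
    private static final String DOWNLOAD_ROOT = "/WEB-INF/downloads";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authorization: the flag the authentication servlet stored in the session.
        HttpSession session = req.getSession(false);
        Object flag = (session == null) ? null : session.getAttribute("RightToDownload");
        if (!Boolean.TRUE.equals(flag)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Extra path info, e.g. "/docs/secret.pdf" for /downloads/docs/secret.pdf.
        String path = req.getPathInfo();
        // Reject anything that could resolve outside DOWNLOAD_ROOT.
        if (path == null || path.contains("..") || path.contains("\\") || path.endsWith("/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. Prepend the protected directory and look the file up through the container.
        URL resource = getServletContext().getResource(DOWNLOAD_ROOT + path);
        if (resource == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 4. Stream it out with the container's MIME mapping and a download filename.
        String mime = getServletContext().getMimeType(path);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        String name = path.substring(path.lastIndexOf('/') + 1);
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        try (InputStream in = resource.openStream(); OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```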
Gagan Indus
Ranch Hand
Posts: 346
Thanks Peter.
You are always loads of help, greatly!
The DIY method given by you seems very practical to me.
Just to complicate things a bit more:
- The files to be downloaded are on an ENTIRELY different server, which does NOT have any cgi/exec/servlet support, just a static backup sort of server, but it is online.
- Our servlets are running on a totally different server.
- So this complicates things a little: if we keep these files in one piece on this backup server, someone can find the static URL for the files.
- To avoid this, we could keep the files in 2 or more pieces, and then join these pieces at runtime (our servlet will do this pasting-the-pieces job) and serve the full file at runtime.
(We cannot keep the downloadable files in a hidden folder (hidden in the sense that they are not visible through the web server), because then even our servlets won't be able to access the downloadable files.)
What do you say about the above clumsy-looking idea?
Or should we rather buy a server with lots of space for downloadable stuff, which also supports servlets, and then apply your DIY method?

Gagan (/^_^\) SCJP2
Die-hard JavaMonk -- a little Java a day keeps you going.