Prologue:
------------
There are two kinds of entities: Managers and Projects (each project has a monthly financial report). One Manager might have access to one or more Projects (and hence to their respective financial reports as well). The Manager is the user who will log in to the application.

Context:
------------
Once the user logs in to the web application, he/she gets a link to the PDF report(s). On clicking the report a window opens showing the contents of the report. The PDF reports are stored somewhere in the server file system, e.g. the folder structure could be like this:
Reports > Project1 > Report1_PROJ1.pdf
Reports > Project1 > Report2_PROJ1.pdf
Reports > Project2 > Report1_PROJ2.pdf
and so on...

Then he/she will see all the available Project Reports even if he/she is not authorized to do so. The main problem here is that, once the URL has been tampered with, control does not return to the web application but goes directly to the file system location relevant to the changed URL.

Possible solution:
---------------------
If it were possible to somehow integrate the file system and LDAP, then the access rights of the user would be based on the groups to which the user belongs in LDAP. However, I am unable to find any material to get started on this approach.
Regards, Amit [ October 24, 2007: Message edited by: amit bose ]
The user might tamper with the URL and change it to try to read other PDFs to which he/she is not authorized.
As long as you are providing access directly to a PDF by a URL you are going to have this problem. Why don't you provide access indirectly through a servlet? The servlet can be aware of users and authorizations - it can read the PDF from a directory that can't be accessed directly by URL.
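The following servlet is an added example illustrating the indirection suggested in the reply above; it is not code from the original thread or from any project the poster describes. It assumes that the login step stores a hypothetical Manager object (carrying the set of project ids taken from the user's LDAP groups) in the HttpSession under the attribute name "manager", that the reports live under a directory outside the web application's document root (the path /srv/app/reports is a placeholder), and that reports are requested as /report?project=Project1&file=Report1_PROJ1.pdf. The authorization decision is made from the server-side session, so changing the URL only changes what is asked for, never what is granted.

```java
// Added example (not from the original thread): serve report PDFs through a servlet
// that checks the logged-in manager's project authorizations before reading the file.
// Assumptions: login stores a Manager in the session under "manager"; reports live
// under REPORT_ROOT (placeholder path) outside the web root; URL parameters are
// "project" and "file".
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ReportServlet extends HttpServlet {
    // Placeholder directory that is NOT under the servlet container's document root,
    // so no report can be fetched by a direct URL.
    private static final File REPORT_ROOT = new File("/srv/app/reports");
    // Only simple names are accepted; "../", slashes and backslashes are rejected up front.
    private static final Pattern SAFE_PROJECT = Pattern.compile("[A-Za-z0-9_-]+");
    private static final Pattern SAFE_FILE = Pattern.compile("[A-Za-z0-9_-]+\\.pdf");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Authentication: no session or no manager in it means nobody is logged in.
        HttpSession session = req.getSession(false);
        Manager manager = session == null ? null : (Manager) session.getAttribute("manager");
        if (manager == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Input validation: refuse anything that is not a plain project id / file name.
        String project = req.getParameter("project");
        String file = req.getParameter("file");
        if (project == null || file == null
                || !SAFE_PROJECT.matcher(project).matches()
                || !SAFE_FILE.matcher(file).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Authorization: the set of permitted projects comes from the session (filled
        // from LDAP group membership at login), never from anything in the URL.
        if (!manager.canAccess(project)) {
            // Worth logging: repeated denials from one account suggest URL tampering.
            log("manager " + manager.getId() + " denied access to " + project + "/" + file);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Defense in depth: confirm the resolved path is still inside REPORT_ROOT.
        File pdf = new File(new File(REPORT_ROOT, project), file);
        String rootPath = REPORT_ROOT.getCanonicalPath() + File.separator;
        if (!pdf.getCanonicalPath().startsWith(rootPath) || !pdf.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Stream the file; the browser never learns where it lives on disk.
        resp.setContentType("application/pdf");
        resp.setContentLength((int) pdf.length());
        resp.setHeader("Content-Disposition", "inline; filename=\"" + file + "\"");
        try (InputStream in = new FileInputStream(pdf);
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }

    /** Hypothetical session object built at login from the user's LDAP groups. */
    public static class Manager implements Serializable {
        private final String id;
        private final Set<String> projects;

        public Manager(String id, Collection<String> projects) {
            this.id = id;
            this.projects = new HashSet<>(projects);
        }

        public String getId() {
            return id;
        }

        public boolean canAccess(String project) {
            return projects.contains(project);
        }
    }
}
```

Map the servlet to /report in web.xml and keep REPORT_ROOT outside the directory the container serves, so the only way to reach a report is through this check. The two regular expressions and the canonical-path comparison guard against path tricks in the parameters; the session-based canAccess() check is what solves the original problem of one manager reading another project's reports.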