I currently have a portlet which invokes a servlet to allow the user to download a file on our server. However, this servlet is currently insecure, as unauthenticated users can copy and paste the link to download the file directly, bypassing portal authentication.
I thought of two possibilities to secure this process:
1. Under the JSR 168 spec, we can share session information between portlets and servlets, so we can verify in the servlet code that the user is authenticated by the portal by looking for this session id.
2. Another alternative to this is to look at the remote user id in the HttpServletRequest object. If a user has not been authenticated by the portal, the getRemoteUser method in the request object would return null which we could also look for in the servlet code.
However, I am concerned about these problems.
1. Authentication - This doesn't give us proper authentication. A malicious user can create some random user or session ID. But in the servlet we have no way of knowing if that session/user ID is valid, right? A session or user ID can only be authenticated within the portlet container where it is tracking those IDs.
2. Authorization - Even if we could assume the session/user ID is valid, it isn't really enough. For example, we have users that are authorized users but do not have access to the file download portlet. If they are logged in, they have a session ID and a remote user ID, but they should not have access to the files by cutting and pasting the link.
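
The two checks discussed above, written out as a servlet (an added example, not code from the original post). It assumes the servlet runs in a web application covered by the same container-managed login as the portal, so that `getRemoteUser()` and `isUserInRole()` are populated by the container; the role name `file-download`, the `file` parameter and the base directory are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecureDownloadServlet extends HttpServlet {
    // Hypothetical values: adjust to the role and directory your portal uses.
    private static final String DOWNLOAD_ROLE = "file-download";
    private static final Path BASE_DIR =
            Paths.get("/srv/portal-downloads").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Authentication: the container sets the remote user after login;
        // it is never read from a request parameter or a client-chosen ID.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorization: a logged-in user without the download role is refused,
        // even if they paste a valid link.
        if (!req.isUserInRole(DOWNLOAD_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Confine the requested name to BASE_DIR so "../" cannot escape it.
        String name = req.getParameter("file");
        Path target;
        try {
            target = BASE_DIR.resolve(name == null ? "" : name).normalize();
        } catch (InvalidPathException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!target.startsWith(BASE_DIR) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Strip characters that could break the header value.
        String safe = target.getFileName().toString().replaceAll("[^A-Za-z0-9._-]", "_");
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + safe + "\"");
        Files.copy(target, resp.getOutputStream());
    }
}
```

The same two conditions can also be declared in `web.xml` with a `security-constraint` and `auth-constraint` on the servlet's URL pattern, so the container rejects the request before the servlet code runs.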