Spring security on file downloads

 
Greenhorn
Posts: 14
We have a Java/Spring application that has a secure area that we allow users to download certain files, if their LDAP entry has the proper role(s). It seems to work just fine - EXCEPT - if you right click and copy the link to the file, then go to another browser session and paste the link into the browser address bar, you get the file download dialog box, as if you are logged in and have been checked for role assignment (even works from an entirely different PC). What is missing from this application that would allow an un-authenticated user to merely copy in a url to the file and be able to download it?

BTW - I am not a well versed Java programmer and have never used Spring. I have looked in the Spring in Action book, but many of the things in the security chapter are not in this particular application. I do see some filters and filter mappings in the web.xml (none are the file download directory), and I see some security: intercept-url in the security.xml - and those seem to have the directories in question and proper LDAP role(s) for access.

Can someone point me to a trouble-shooting methodology to track down this embarrassing failure in this application? Thanks.
 
Bartender
Posts: 4121
Can you post the general directory structure of your app?

What is the filter mapping in the web.xml? It could be that the path of the downloads directory isn't covered by the filter mapping.

What are the intercept url entries in the security.xml? Again, the path of the downloads directory may not be covered, or it may fall under something like filters="none" and have security turned off.

 
Mark Brothers
Greenhorn
Posts: 14
The files for download are located in webapp/dataDownloads/secure directory.

Security.xml has security:intercept-url entries for patterns of /dataDownloads/secure/xyz - where xyz is a subdirectory, with Active Directory roles allowing the link to be hidden if role is not assigned to that user. Example might be subdirectories of finance, admin, or maintenance. User would have to log in and have the admin role to see the links to the files for download in the admin subdirectory.

Web.xml has filter mappings for /data/* and /secure/* - but not /dataDownloads/*

Hope this helps. It looks to me like the dataDownloads directory is not included in the filter mappings at all.

Thanks for any input on this.

Mark
 
Nathan Pruett
Bartender
Posts: 4121
I agree - perhaps the mapping for /data/* was really supposed to be for /dataDownloads/* ? Or is there another directory called /data ?
 
Mark Brothers
Greenhorn
Posts: 14
Okay, I added the following to the web.xml file:

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/dataDownloads/*</url-pattern>
</filter-mapping>

I can still do a copy of the link and get to the file without the application forcing a login. I thought the filter mapping would make any request for a file in the /dataDownload directory go through the user login. Are there other parts to the Spring security framework that have to be redone or completed to get this to work properly? The change to the web.xml file is the only thing I have done to this point (since it seemed like it was an obvious omission).

Thanks.
 
Nathan Pruett
Bartender
Posts: 4121
Depending on the configuration, you may need to change other things...

What does the <security:http> configuration look like in your Security.xml?

You said it has <security:intercept-url> entries for patterns like /dataDownloads/secure/xyz... are the files you're trying to access in one of these directories specified?

Is there a <security:intercept-url> pattern for /** or /dataDownloads/** to define a default configuration?

Are there any patterns that have a filters="none" attribute? - this basically "turns off" security for that path.

Do you see anything like ROLE_ANONYMOUS listed in the access lists? This would mean that anonymous access is enabled...
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
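The two replies above boil down to a checklist for one request path: is it covered by a web.xml filter-mapping for springSecurityFilterChain at all, which intercept-url is the first to match it (Spring evaluates them in document order, and a pattern with no wildcard matches only itself, not the files beneath it), and does that entry carry filters="none" or an anonymous role. The script below, added here as an illustration and not code from the thread or from Spring itself, runs that checklist over two small inline configs. The web.xml mappings mirror the ones quoted in the thread (/data/*, /secure/*, then the added /dataDownloads/*); the security.xml, its role names and the request paths are constructed to show each pitfall, and the matching functions are a simplified model of the Servlet url-pattern rules and Spring's AntPathMatcher rather than the real implementations.

```python
"""Coverage check for a download path against web.xml and security.xml (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml with the thread's original mappings (/data/* and /secure/*).
# Real files carry a default xmlns; _local() strips namespaces so those work too.
WEB_XML = """<web-app>
  <filter-mapping><filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/data/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/secure/*</url-pattern></filter-mapping>
</web-app>"""

# The same file after the fix from the thread: /dataDownloads/* added.
WEB_XML_FIXED = WEB_XML.replace("</web-app>", """  <filter-mapping><filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/dataDownloads/*</url-pattern></filter-mapping>
</web-app>""")

# Constructed security.xml (roles and patterns are assumptions) showing the pitfalls
# from the checklist: an exact pattern with no /**, filters="none", and an anonymous default.
SECURITY_XML = """<beans xmlns:security="http://www.springframework.org/schema/security">
  <security:http>
    <security:intercept-url pattern="/dataDownloads/secure/admin" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/dataDownloads/secure/finance/**" access="ROLE_FINANCE"/>
    <security:intercept-url pattern="/dataDownloads/public/**" filters="none"/>
    <security:intercept-url pattern="/**" access="ROLE_ANONYMOUS,ROLE_USER"/>
  </security:http>
</beans>"""

# Access expressions that let an unauthenticated request through.
ANONYMOUS = {"ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY", "permitAll"}


def _local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def servlet_pattern_matches(pattern, path):
    """Servlet-spec url-pattern rules: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def ant_matches(pattern, path):
    """Simplified AntPathMatcher: ** spans segments, * and ? stay inside one segment."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            regex, i = regex + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, path) is not None


def spring_filter_patterns(web_xml):
    """url-patterns of every filter-mapping that names springSecurityFilterChain."""
    patterns = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter-mapping":
            continue
        names = [(c.text or "").strip() for c in el if _local(c.tag) == "filter-name"]
        if "springSecurityFilterChain" in names:
            patterns += [c.text.strip() for c in el if _local(c.tag) == "url-pattern"]
    return patterns


def intercept_urls(security_xml):
    """intercept-url entries in document order, because the first match wins."""
    return [dict(el.attrib) for el in ET.fromstring(security_xml).iter()
            if _local(el.tag) == "intercept-url"]


def check_path(path, web_xml, security_xml):
    """Classify one request path as PROTECTED or UNPROTECTED and say why."""
    if not any(servlet_pattern_matches(p, path) for p in spring_filter_patterns(web_xml)):
        return {"status": "UNPROTECTED", "reason": "no springSecurityFilterChain filter-mapping covers it"}
    entry = next((e for e in intercept_urls(security_xml) if ant_matches(e["pattern"], path)), None)
    if entry is None:
        return {"status": "UNPROTECTED", "reason": "no intercept-url matches, so no access rule applies"}
    pattern = entry["pattern"]
    if entry.get("filters") == "none":
        return {"status": "UNPROTECTED", "reason": f'{pattern} has filters="none"', "pattern": pattern}
    access = {a for a in re.split(r"[,\s]+", entry.get("access", "")) if a}
    if access & ANONYMOUS:
        return {"status": "UNPROTECTED", "reason": f"{pattern} grants anonymous access", "pattern": pattern}
    return {"status": "PROTECTED", "reason": f"{pattern} requires {sorted(access)}", "pattern": pattern}


if __name__ == "__main__":
    for path in ("/dataDownloads/secure/admin/report.pdf", "/dataDownloads/secure/admin",
                 "/dataDownloads/secure/finance/q1.xls", "/dataDownloads/public/logo.png"):
        for name, web in (("original web.xml", WEB_XML), ("fixed web.xml", WEB_XML_FIXED)):
            print(f"{path:42} {name:17} {check_path(path, web, SECURITY_XML)['reason']}")
```

Against your own deployment, replace the inline strings with the contents of the real web.xml and security.xml and feed it the exact path you pasted into the second browser. In the constructed sample, adding /dataDownloads/* to web.xml moves the report under /dataDownloads/secure/admin from "not filtered at all" to "caught by the /** default, which allows ROLE_ANONYMOUS", because the exact pattern /dataDownloads/secure/admin matches only the directory path itself and not files beneath it; that is the same outcome the thread describes after the web.xml change alone. One caveat if the application is ever upgraded: Spring Security 3.1 dropped the filters="none" attribute in favour of security="none" on a separate <security:http pattern="..."> element, so on a newer version that check has to look there instead.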