Stopping unauthorized access of files on the server

 
Greenhorn
Posts: 2
Hi,

I have an application which displays certain links. Some of these links open the pdf files placed on the server.

The application has two levels of permissions: one through LDAP to verify whether the user is valid, and then the permissions for the user within this application using an Oracle database.

However, if I hit the path of the file directly, the files can be accessed and no authentication is done.

Can you please help me to avoid this unauthorized access?

By the way I am using JBOSS server to deploy the applications.

Thanks in advance.

~ thoughtfulbrain.

 
Saloon Keeper
Posts: 7585
176
The obvious approach would be to put the files in a directory that is not accessible outside of the application. All links would then have to go through a servlet (or some kind of action bean/class if you're using a web framework) which could perform all necessary authentication checks before serving the content of the files.
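One way to implement the servlet-gated approach Tim describes, as an added example that is not code from the thread, from JBoss or from Struts. It assumes the PDFs are moved to /var/app/docs outside the deployed WAR, that the existing LDAP login stores a "user" attribute in the session, that the Oracle permission lookup fills a "permittedDocs" set of document paths at login, and that the servlet is mapped to /docs/* so links become /docs/documentation/ImportantInformation.pdf:

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/** Serves PDFs kept outside the web root; assumed to be mapped to /docs/* in web.xml. */
public class ProtectedFileServlet extends HttpServlet {
    // Assumption: the PDFs are moved here, outside the deployed WAR, so the
    // container can no longer serve them by URL.
    private static final File DOC_ROOT = new File("/var/app/docs");
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: "user" is an assumed session attribute set by the
        //    application's existing LDAP login; no session, no file.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Authorization: "permittedDocs" is an assumed set of document paths
        //    loaded at login from the application's permission store (Oracle here).
        String relative = req.getPathInfo(); // e.g. /documentation/ImportantInformation.pdf
        Set<String> permitted = (Set<String>) session.getAttribute("permittedDocs");
        if (relative == null || permitted == null || !permitted.contains(relative)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Path containment: canonicalise and refuse anything resolving outside
        //    DOC_ROOT, so "../" cannot turn this servlet into a general file reader.
        File file = new File(DOC_ROOT, relative).getCanonicalFile();
        if (!file.getPath().startsWith(DOC_ROOT.getCanonicalPath() + File.separator) || !file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 4. Stream the file; no-store keeps the protected content out of shared caches.
        resp.setContentType("application/pdf");
        resp.setHeader("Cache-Control", "no-store");
        try (InputStream in = new FileInputStream(file); OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        }
    }
}
```

Because the files no longer live under the web root, the old direct URL simply returns 404, and every download now passes through the three checks above.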
 
James Lightener
Greenhorn
Posts: 2

Tim Moores wrote:The obvious approach would be to put the files in a directory that is not accessible outside of the application. All links would then have to go through a servlet (or some kind of action bean/class if you're using a web framework) which could perform all necessary authentication checks before serving the content of the files.

Thanks Tim, but I don't think it is an appropriate solution to my problem. I'll try to elaborate the problem so that you can explain your solution if it is applicable.

All the files are kept at a common location on the JBOSS server. The page where the links are displayed is shown to a user only if he has authorized access. But, for example, on the click of a link the URL is generated like this:

http://JBOSS-Server/portal/files/documentation/ImportantInformation.pdf

Now if I copy this path and hit it directly in a new browser, the PDF file opens without asking for any password, because it is not calling any of the servlets (in my case the action, as I am using Struts) and hence there is no authentication happening.

What will be the best way to resolve this problem? Can I have any configuration in my JBOSS server to ask for a password when a user tries to access this path? Or how can I call my interceptor to verify the login and give an error, as the user is directly trying to access the file in an illegal way?

~ thoughtfulbrain.
 
Tim Moores
Saloon Keeper
Posts: 7585
176
The alternative to routing all file accesses through your code would be to set up servlet security for the document directory as specified by the servlet spec. You can find a brief intro and some related links about that at https://coderanch.com/how-to/java/ServletsFaq#security