Steve Fording

Greenhorn
since Dec 14, 2004

Recent posts by Steve Fording

Yes, that might be a possibility. How would you go about downloading the files using a servlet?
I have an application which uploads files via a web form, and stores information about the files (size, path info etc.) in a db2 table, and then writes the files to a directory in the file system. Users can download these files via links displayed in a jsp. My problem is how to limit access to the files to only the correct group of users, since the files will technically lie outside the application in a different directory. There is no problem limiting access to the jsps which display the links, but there is nothing to stop a user (who has the right url) from accessing the files directly. Currently the application uses a .htaccess file and leaves it up to the web server to limit access to the files, but this approach is only good for one group of users. We need something more dynamic where different users will have access to different files. Any suggestions are appreciated!
Thanks, I think this article will be very helpful!
19 years ago
I am re-developing a fairly simple application where users can upload files which will be stored in a directory or db2 (haven't decided yet). These files will be categorized, and accessible to users/groups specified by the owner (person who uploads) of the file. I am still in the architectural planning phase, and have a few issues which must be resolved. First off, security. I was looking at using LDAP as a user directory and then specifying the protected resources and using role to group mappings. But I don't think this approach is dynamic enough. The users may need to define new groups, etc. and I don't want to have to redeploy the app every time this occurs. Obviously I could abandon the J2EE security model and do it entirely programmatically, but I don't like this entirely "home-grown" approach. Could Struts help with this? Another related problem is how to secure the files which will reside outside of the application. Securing the web resources is one thing, but what about the actual files if they just reside in a directory on the web server? We are currently using a .htaccess file which points to an LDAP group, but this is obviously no good if the access to files is going to be dynamic and controlled by the app. Any suggestions? Comments are most appreciated!
19 years ago
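An added example, not part of the original posts: one way to serve the uploaded files through a servlet so that every download is authorized per user and per file at request time, instead of by a static .htaccess rule. The `FileCatalog` interface, the `/data/uploads` directory and the `id` parameter are hypothetical stand-ins for the DB2 lookups and storage location the posts describe; it assumes container-managed authentication, Servlet 3.1, and a storage directory the web server does not expose directly.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical download servlet; register it programmatically (ServletContext.addServlet).
public class DownloadServlet extends HttpServlet {
    // Assumed storage root, outside the web root so no URL maps to it directly.
    private static final Path STORE = Paths.get("/data/uploads").toAbsolutePath().normalize();

    // Hypothetical facade over the database tables holding file metadata and ACLs.
    public interface FileCatalog {
        String storedName(long fileId);            // null when the id is unknown
        boolean mayRead(String user, long fileId); // owner-defined users/groups, read on each request
    }

    private final FileCatalog catalog;

    public DownloadServlet(FileCatalog catalog) { this.catalog = catalog; }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser(); // set by container authentication (e.g. an LDAP realm)
        if (user == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        long id;
        try {
            id = Long.parseLong(req.getParameter("id")); // clients send an opaque id, never a path
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return;
        }

        String name = catalog.storedName(id);
        // Same 404 for "unknown" and "not permitted" so valid ids cannot be probed.
        if (name == null || !catalog.mayRead(user, id)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }

        // Defence in depth: the resolved path must stay inside the storage root.
        Path file = STORE.resolve(name).normalize();
        if (!file.startsWith(STORE) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }

        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"file-" + id + "\"");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());
    }
}
```

Because `mayRead` is evaluated on every request against data the application owns, users can define new groups without a redeploy, and knowing a URL alone no longer grants access to a file.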