mina-ftpserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Latorre <dvl...@gmail.com>
Subject Re: How to limit file upload and download to a set of directories.
Date Wed, 21 Oct 2009 12:23:27 GMT
I'm sure there are other solutions but this one works  for us :

  You should create a custom FTPLet that intercepts the calls to
"STOR", "STOU", "APPE" (the commands that signal a file upload) before
they are issued. This is done implementing the beforeCommand() method
of the FTPLet interface.

In this beforeUpload() method you would check that the  path to the
file-to-be-created matches the
/projects/<project>/<media>/upload/<filename> pattern and otherwise
throw an error.

Something like this:

public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
        throws FtpException, IOException {
        String command = request.getCommand().toUpperCase();
if ("STOR".equals(command) || "STOU".equals(command) ||
"APPE".equals(command) ){

           FileSystemView fsview = session.getFileSystemView();
	    FtpFile fObject =  fsview.getFile(request.getArgument());
	    String absolutePath = fObject.getAbsolutePath();
	

 if (!canUpload(absolutePath) ) {
		DefaultFtpReply ftpReply = new
DefaultFtpReply(FtpReply.REPLY_550_REQUESTED_ACTION_NOT_TAKEN,
"Permission denied. The incoming directory is upload/");
		session.write(ftpReply);
		return FtpletResult.SKIP;
  }
}
return FtpletResult.DEFAULT;
}

Please note that I just wrote the code and I haven't compiled it.

The canUpload method would check if the path is valid.  If you needed
the Absolute Path relative to the real file system and not FTPServer
file system view, you can get the underlying File object with
NativeFtpFile.




2009/10/21 John Wilkinson <John_Wilkinson@xyratex.com>:
> Hi David,
>
> Yes, I think I would use FTPServer, as this would fit into my java web
> service.
>
> The file system would look like this:
>
> /projects/<ProjName>/<MediaName>/upload
>
> There would be many projName and MediaName directories. The upload dir
> would be a temp dir, created by the web service, created just so a user
> can upload a file. Once uploaded, the web service would take over, check
> the file MD5, and if OK, move it to the correct location, and delete the
> upload dir.
>
> So the FTP server just needs to limit uploads to /projects/*/*/upload, I
> guess, at least as a first stab.
>
> How do I make an FTPLet to do that? Me being very green on all this.
>
> Does this make any sense, or is there a better way?
>
> Many regards,
> John.
>
>
>
> -----Original Message-----
> From: David Latorre [mailto:dvlato@gmail.com]
> Sent: 21 October 2009 10:56
> To: ftpserver-users@mina.apache.org
> Subject: Re: How to limit file upload and download to a set of
> directories.
>
> Hello John,
>
> Do you mean with Apache FTPServer? How would relate this "upload
> directory" to the user home root?  Do you need to still have access to
> several other directories in the same tree?
>
> You could use a custom FTPLet for this (or even a filesystem
> implementation) but you'll have to figure out how to 'inform the
> FTPLet' of what the allowed directory is.
>
>
> 2009/10/21 John Wilkinson <John_Wilkinson@xyratex.com>:
>> Hi,
>>
>> In my web service I want the user to only be able to upload files to
> an
>> upload directory, which is created on the fly in response to an upload
>> request from the client.
>>
>> On receiving the upload request the web service makes a new directory
>> called upload, and sends the URI back to the client. The client then
> is
>> able to use this URI to upload files to that directory only.
>>
>> I need to be able to limit this access to only this directory. How do
> I
>> do that?
>>
>>
>>
>>
>>
>> Many regards,
>>
>> John.
>>
>>
>>
>>
>>
>>
>> ______________________________________________________________________
>> This email may contain privileged or confidential information, which
> should only be used for the purpose for which it was sent by Xyratex. No
> further rights or licenses are granted to use such information. If you
> are not the intended recipient of this message, please notify the sender
> by return and delete it. You may not use, copy, disclose or rely on the
> information contained in it.
>>
>> Internet email is susceptible to data corruption, interception and
> unauthorised amendment for which Xyratex does not accept liability.
> While we have taken reasonable precautions to ensure that this email is
> free of viruses, Xyratex does not accept liability for the presence of
> any computer viruses in this email, nor for any losses caused as a
> result of viruses.
>>
>> Xyratex Technology Limited (03134912), Registered in England & Wales,
> Registered Office, Langstone Road, Havant, Hampshire, PO9 1SA.
>>
>> The Xyratex group of companies also includes, Xyratex Ltd, registered
> in Bermuda, Xyratex International Inc, registered in California, Xyratex
> (Malaysia) Sdn Bhd registered in Malaysia, Xyratex Technology (Wuxi) Co
> Ltd registered in The People's Republic of China and Xyratex Japan
> Limited registered in Japan.
>> ______________________________________________________________________
>
> ______________________________________________________________________
> This email may contain privileged or confidential information, which should only be used
for the purpose for which it was sent by Xyratex. No further rights or licenses are granted
to use such information. If you are not the intended recipient of this message, please notify
the sender by return and delete it. You may not use, copy, disclose or rely on the information
contained in it.
>
> Internet email is susceptible to data corruption, interception and unauthorised amendment
for which Xyratex does not accept liability. While we have taken reasonable precautions to
ensure that this email is free of viruses, Xyratex does not accept liability for the presence
of any computer viruses in this email, nor for any losses caused as a result of viruses.
>
> Xyratex Technology Limited (03134912), Registered in England & Wales, Registered
Office, Langstone Road, Havant, Hampshire, PO9 1SA.
>
> The Xyratex group of companies also includes, Xyratex Ltd, registered in Bermuda, Xyratex
International Inc, registered in California, Xyratex (Malaysia) Sdn Bhd registered in Malaysia,
Xyratex Technology (Wuxi) Co Ltd registered in The People's Republic of China and Xyratex
Japan Limited registered in Japan.
> ______________________________________________________________________
>

Mime
View raw message