struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christophe Vigouroux" <>
Subject RE : Securing a download
Date Mon, 23 Dec 2002 15:49:37 GMT
Great, it just works as I wished! Thanks a lot!!

Christophe VIGOUROUX
ECILIA - Ingénieur développement

-----Message d'origine-----
De : Remke Rutgers [] 
Envoyé : lundi 23 décembre 2002 16:10
À : 'Struts Users Mailing List'
Objet : RE: Securing a download

Hi Christophe,

This looks very similar to a problem I had (and I bet we are not the only

Some codes snippets from the RetrieveFileServlet I wrote (a modified version
of code from Wrox 'Professional JSP, 2nd edition').

In your doGet():
// I omitted the exception handling and stream manipulation stuff

	String file = request.getParameter("file");

// perform your logic to find out whether the current user may access this
// if not allowed: response.setStatus(HttpServletResponse.SC_FORBIDDEN);

// if allowed continue
	String mimetype = null;
	if (file != null)
		mimetype = getServletContext().getMimeType(file);
	if (mimetype != null)
		// set the content type to the parameter passed.

Store the files in a directory not accessible as a webresource, but
accessible by the useraccount under which your webserver is running.
	String basedir = ......; // some directory, hardcodes, properties,
JNDI, whatever
	fis = new FileInputStream(basedir+file);
	byte[] buffer = new byte[8192];
	int size;
	size =;
	while (size != -1)
		out.write(buffer, 0, size);
		size =;
This should help to handle your security requirements. This lets the browser
determine if the file can be opened in the window (recognized filetypes) or

As for always offering the save as... dialog with the correct filename, you
should be able to achieve that using:
	response.addHeader("Content-Disposition", "attachment;

Good luck,


-----Oorspronkelijk bericht-----
Van: Christophe Vigouroux []
Verzonden: maandag 23 december 2002 15:37
Aan: 'Struts Users Mailing List';
Onderwerp: Securing a download

Hi all,

Here is my problem: I have a user which is granted access to some files to
download. I want to put all the files downloadable by all the users in a
common directory (many users may download the same file), but with the
possibility to deny the download to users not identified by my application
(I've put a bean in the session scope to identify the user).

I first tried to create an Action class taking the filename of the file to
download in parameter, forwarding to the path of my file with a redirect. It
works fine for the first requirement, but it fails to deny the download to
not identified users, because the file is in a public directory. If I try to
put my file directory within WEB-INF, I'm getting the "access deny" message
from my servlet container (because of the redirect).

Even if my solution does not show the URL to get directly the file (so,
nobody should know the URL), it is not a good one because the security
relies on that hypothesis... I'd prefer to have a servlet or an action or a
jsp which checks the identification of the user, then modifies the HTTP
header with the good mime type (but which one? my files could be .exe, pdf
and so on...), and include the file. But as far as I tried this, my problem
is that my browser give a filename that I don't want (for example I have a and the browser wants to save "" where
I wanted it to be "myApp.exe".

Hope anybody has a suggestion ;)
Thanks !!

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message