struts-user mailing list archives

From "Christophe Vigouroux" <christophe.vigour...@ecilia.fr>
Subject Securing a download
Date Mon, 23 Dec 2002 14:36:46 GMT
Hi all,

Here is my problem: I have a user who is granted access to some files to
download. I want to put all the files downloadable by all the users in a
common directory (many users may download the same file), but with the
possibility to deny the download to users not identified by my application
(I've put a bean in the session scope to identify the user).

I first tried to create an Action class taking the filename of the file to
download as a parameter, forwarding to the path of my file with a redirect. It
works fine for the first requirement, but it fails to deny the download to
unidentified users, because the file is in a public directory. If I try to
put my file directory within WEB-INF, I'm getting the "access deny" message
from my servlet container (because of the redirect).

Even if my solution does not show the URL to get the file directly (so
nobody should know the URL), it is not a good one because the security
relies on that hypothesis... I'd prefer to have a servlet or an action or a
JSP which checks the identification of the user, then modifies the HTTP
header with the good MIME type (but which one? my files could be .exe, pdf
and so on...), and includes the file. But as far as I tried this, my problem
is that my browser gives a filename that I don't want (for example I have a
download.do?file=myApp.exe and the browser wants to save "download.do" where
I wanted it to be "myApp.exe").

Hope anybody has a suggestion ;)
Thanks !!



--
To unsubscribe, e-mail:   <mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>
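
The design asked for in the message above (check the session, set the MIME type, send the file under its own name), as an added example that is not part of the original post. The class name `DownloadServlet`, the session attribute `user` and the directory `/WEB-INF/downloads` are assumptions; the `file` parameter is the one from the post.

```java
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: class name, session key and directory are assumptions.
public class DownloadServlet extends HttpServlet {
    private static final String USER_ATTR = "user";               // assumed session bean key
    private static final String BASE_DIR = "/WEB-INF/downloads";  // assumed; not reachable by URL

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Deny unless the session already carries the identification bean.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Accept a bare file name only, so "file" cannot name a path or inject a header.
        String name = req.getParameter("file");
        if (name == null || !name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,127}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // getRealPath returns null when the application is not unpacked on disk.
        String realBase = getServletContext().getRealPath(BASE_DIR);
        if (realBase == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Resolve symlinks and confirm the target sits directly in the download directory.
        File base = new File(realBase).getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!base.equals(target.getParentFile()) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. MIME type from the container's mappings, generic binary as the fallback.
        String mime = getServletContext().getMimeType(name);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        // 4. Content-Disposition tells the browser which name to save under.
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.setContentLengthLong(target.length());
        // 5. Stream the bytes from the servlet; no redirect to the file's own URL.
        try (OutputStream out = resp.getOutputStream()) {
            Files.copy(target.toPath(), out);
        }
    }
}
```

A per-user check of which files that user has been granted would go after step 1, before the file name is resolved.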

