I have developed a web application where I have provided links for files to be downloaded. This is done using an anchor tag in HTML: by clicking on the link, the file opens up in the browser, with the URL displayed in the address bar. Now the problem is that my application has a login functionality, where only authorized users can log in and view the documents provided. But with the solution at the moment, anyone who has the URL of the document can access the file and open it directly by just typing in the URL. So is there any proposed solution for this, where the user is restricted from opening the document before logging in?
I'm using IBM HTTP Server and IBM WebSphere; the application has been developed in Java.
Is there any way I can prevent the above scenario, by any means? Is there a way to restrict directory access? Or...
Search for "session handling with servlets" or "session handling with jsp" on Google - pick whichever you want (depending upon whatever programming methodology you are using).
Btw, does your "login" functionality manage user state aka sessions?
Do you check user session after he clicks on the link that "opens the files provided in a browser"?
Could you be more specific and tell me how that solution is going to work? How can session handling help me out?
Download the servlet spec from java.sun.com.
Read the sections on authentication and security, then all will be clear.
I architected my application to use the MVC pattern a la Struts, so all requests must go through a Controller Servlet, which by itself does not solve your issue. But, I configured the app such that all of the JSP/resources are in a folder in the WEB-INF directory.
Consequently, even if the user gets ahold of the URL (we hide the URL from them), the resource cannot be accessed unless it is through an internal redirect from the Controller Servlet. Enforce your security logic within the Controller logic and you're all set.
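The approach the replies describe (check the session on every document request, keep the files under WEB-INF) can be sketched as below. This is an added example, not code from any poster in this thread; the servlet name, the `/download/*` mapping, the `/WEB-INF/docs/` folder, the `user` session attribute and `login.jsp` are all assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, mapped in web.xml to /download/* (assumed mapping).
public class DocumentDownloadServlet extends HttpServlet {
    // Assumed location: containers never serve /WEB-INF/ content directly.
    private static final String DOC_ROOT = "/WEB-INF/docs/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): do not create a session for anonymous callers.
        HttpSession session = req.getSession(false);
        // "user" is an assumed attribute set by the login code after success.
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed page
            return;
        }
        // Path info is "/report.pdf" for a request to /download/report.pdf.
        String pathInfo = req.getPathInfo();
        String name = (pathInfo == null) ? "" : pathInfo.substring(1);
        // Accept a plain file name only, so "../" cannot escape DOC_ROOT.
        if (!name.matches("[A-Za-z0-9_-]+(\\.[A-Za-z0-9]+)?")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        InputStream in = getServletContext().getResourceAsStream(DOC_ROOT + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            String mime = getServletContext().getMimeType(name);
            resp.setContentType(mime != null ? mime : "application/octet-stream");
            // Keep shared caches and the browser from storing the document.
            resp.setHeader("Cache-Control", "private, no-store");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

The documents have to be removed from any directory that IBM HTTP Server or the web application serves statically, otherwise the original URLs keep working without a session.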