
How to protect access to files on a server

Former Member
0 Kudos

Hi Experts

A million thanks to all answers in advance..

i have few files on a server that i wish to download to a user..not all to one...the file names have user id in them...

problem is..though i am able to export the file using all possible ways...i can't hide the URL completely from user....am able to hide the address bar but then the URL gets displayed in title bar and that couldn't be hidden coz im opening the file in an ExternalWindow..

alternately i tried to directly export the file from a jsp but that too wasn't effective..

does anyone around have a solution to this...i wish i can generate a mechanism that completely hides the implementation from user..and even if the user has URL, he/she shouldn't be able to use it to hotlink to file (more like cross-site-scripting)

suppose my file URL is http://server:port/appContext/fileName1.pdf

then a user shouldn't be able to access a file named fileName2.pdf simply by changing the name in pdf.

believe me i've possibly explored all threads with all ideas..using IHttpRequest..getting request.getHttpSessionId...sending it over to jsp..but then..i don't have an equivalent session Id on jsp to compare to and authenticate the user...

..seem to have hit a wall..

can someone please help me on this...

in desperate need of yr ideas...

thanks

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

I think you can use encryption & decryption mechanism to upload and download the file names.

For example when you are uploading a file with name user1file1.txt, while uploading encrypt the file name and upload it. While downloading for your purpose (which file needs to be downloaded) to check the correct file use decryption. And to the user encrypted file name will be shown in the url.

Consider this thought if it helps.

Regards,

Charan

Edited by: SRI KRISHNA CHARAN on May 26, 2009 8:17 AM

Former Member
0 Kudos

Thanks Charan!

as i suggested in the statement, i've really not left any stone unturned. i encrypted the user ID and other parameters in the URL using java.crypto and SUN JCE. the problem is my servlet / jsp will decode these parameters and the URL can hence be sent to anywhere and used in a different browser instance. i am sorry for not being specific earlier, the URL should not be accessible out of user session as well.

the problem is, as i understood, the webDyn container and servlet/jsp container running on AS are different and can not share data, as a result of which trivial methods of authentication won't work.

anyway, thanks a lot for your idea..please suggest what else can i do (apart from implementing custom ways like sending a date+time as a cipher and decrypt + compare the cipher with java.util.date on jsp....this way the jsp URL can be controlled to work for some time difference only but that is not a real 'coding' solution.

looking forward for your precious help...

thanks a ton!

Shwetank

Edited by: ShwetankSingh on May 26, 2009 9:44 AM
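The requirements stated above (a link that stops working when the file name is changed, when another user opens it, or after a short time, without the two containers sharing a session) can be met with a keyed MAC over the file id, user and expiry instead of reversible encryption. This is an added example, not code from the thread; the class name `DownloadToken`, the file id `doc-1001` and the demo secret are hypothetical, and it assumes the download servlet can establish the authenticated user on its own (for example through container login) and that both sides are provisioned with the same secret.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class DownloadToken {
    private final SecretKeySpec key;

    public DownloadToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    private byte[] mac(String fileId, String user, long expiresAt) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Length-prefix each field so ("ab","c") and ("a","bc") cannot produce the same input.
        String msg = fileId.length() + ":" + fileId + "|" + user.length() + ":" + user + "|" + expiresAt;
        return m.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    /** Issuing side: the application that renders the download link. */
    public String issue(String fileId, String user, long nowMillis, long ttlMillis) throws Exception {
        long exp = nowMillis + ttlMillis;
        return exp + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(fileId, user, exp));
    }

    /** Download side: authenticatedUser comes from the server's own login state, never from the URL. */
    public boolean verify(String fileId, String authenticatedUser, String token, long nowMillis) {
        try {
            int dot = token.indexOf('.');
            long exp = Long.parseLong(token.substring(0, dot));
            if (nowMillis > exp) return false;                       // link has expired
            byte[] presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            // Constant-time comparison against the MAC recomputed from the request itself.
            return MessageDigest.isEqual(presented, mac(fileId, authenticatedUser, exp));
        } catch (Exception e) {
            return false;                                            // malformed or missing token
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; in deployment load a random key from protected configuration.
        DownloadToken t = new DownloadToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String tok = t.issue("doc-1001", "alice", now, 60_000L);
        System.out.println("same user, same file:  " + t.verify("doc-1001", "alice", tok, now));
        System.out.println("file id changed:       " + t.verify("doc-1002", "alice", tok, now));
        System.out.println("different user:        " + t.verify("doc-1001", "bob", tok, now));
        System.out.println("after expiry:          " + t.verify("doc-1001", "alice", tok, now + 120_000L));
    }
}
```

The file id in the link should be an opaque identifier that the servlet maps to a path outside the web root, so the file itself is never reachable by a direct URL.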

Former Member
0 Kudos

Hi,

I have a solution for this. I don't know how complex this is.

1. Configure ApacheProxy which decrypts all the parameters and forwards the request to download the file.

2. Encryption at portal end and decryption at ApacheProxy end is done with a mutually agreed key which is configurable for both the sides.

3. While invoking the URL (proxy) to download the file, in WD Application convert the required parameters (string) to bytes and perform the bitwise operation between this and predefined decryption key.

4. Do base 64 encoding on the result of the step3.

5. Decryption steps are opposite to the encryption steps above. Once the request is submitted to the ApacheProxy then it reads the decryption key from httpd.conf file and decrypts it.

How to configure the ApacheProxy:

Download apache 1.3.34 binary (with source) for the target platform and follow the apache web server install instructions to install the same.

Find original mod_proxy.c and proxy_http.c under source directory and replace them with the changed ones. Take a backup of original files.

Copy base64.c under the directory where proxy_http.c is kept. To include the newly added base64.c for build, change the Makefile. Refer changed Makefile for the changes to be done.

Build the proxy module and copy the output library (libproxy.so) to the required directory.

Change httpd.conf as below

Enable proxy module (libproxy.so) by removing required commented lines

Add below at the end of httpd.conf

#Proxy configuration - replace with actual target server URL

ProxyRequests off

ProxyPass / http://<portal_host>/

ProxyPassReverse / http://<portal_host>/

#Decryption Key

Key <decryption_key>

Regards,

Charan

Former Member
0 Kudos

Thanks Charan!

With all the experience that i have with HTTP servers and configurations, loading all modules on a HTTP server and that too of WebAS SAP type is going to be a tedious task. besides this, i do not want to affect all other hosts running on an interactive container.

Besides this, the URL to access files has then to be handled for proxies as well, that in our deployment profile happen to be widely distributed.

Nevertheless, your suggestion gave me another direction to think in. i've been wondering if handlers like security constraint in web.xml are available in normal webdynpro project. yes we can definitely handle web proxy requests using HTTP Apache Server configurations but with my lack of knowledge for this in SAP context, much remains for me to explore. i come from a pure Java background and still see myself wondering about real architecture of SAP servers.

i'll give your suggestion a try on standalone server and would then discuss it further.

Meanwhile, my question still remains unanswered with sight of ease of implementation and expectation of a genuine logical solution.

Thanks for your efforts..