Skip to Content
avatar image
Former Member

How to protect access to files on a server

Hi Experts

A million thanks to all answers in advance..

i have few files on a server that i wish to download to a user..not all to one...the file names have user id in them...

problem is..though i am able to export the file using all possible ways...i can't hide the URL completely from user....am able to hide the address bar but then the URL gets displayed in title bar and that couldn't be hidden coz im opening the file in an ExternalWindow..

alternately i tried to directly export the file from a jsp but that too wasn't effective..

does anyone around have a solution to this...i wish i can generate a mechanism that completely hides the implementation from user..and even if the user has URl, he/she shouldn't be able to use it to hotlink to file (more like cross-site-scripting)

suppose my file URl is http://server:port/appContext/fileName1.pdf

then a user shouldn't be able to access a file named fileName2.pdf simply by changing the name in pdf.

believe me i've possibly explored all threads with all ideas..using IHttpRequest..gettimng request.getHttpSessionId...sending it over to jsp..but then..i don't have an equivalen session Id on jsp to comparo to and authenticate the user...

..seem to have hit a wall..

can someone please help me on this...

in desperate need of yr ideas...

thanks

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    May 26, 2009 at 06:11 AM

    Hi,

    I think you can use encryption & decryption mechanism to upload and download the file names.

    For exampel when you are uploading a file with name user1file1.txt, while uploading encrypt the file name and upload it. While downloading for you purpose (which file needs to be downloaded) to check the correct file use decryption. And to the user encrypted file name will be shown in the url.

    Consider this thought if it helps.

    Regards,

    Charan

    Edited by: SRI KRISHNA CHARAN on May 26, 2009 8:17 AM

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Thanks Charan!

      With all the experience that i have with HTTP servers and configurations, loading all modules on a HTTP server and that too of WebAS SAP type is going to be a tedious task. besides this, i do not want to effect all other hosts running on an interactive container.

      Besides this, the URL to access files has then to be handled for proxies as well, that in our deployment profile happen to be widely distributed.

      Nevertheless, your suggestion gave me another direction to think in. i've been wondering if handlers like security constraint in web.xml are available in normal webdynpro project. yes we can definitely handle web proxy requests using HTTP Apache Server configurations but with my lack of knowledge for this in SAP context, much remains for me to explore. i come from a pure Java background and still see myself wondering about real architecture of SAP servers.

      i'll give your suggestion a try on standalone server and would then discuss it further.

      Meanwhile, my question still remains unanswered with sight of ease of implementation and expectation of a genuine logical solution.

      Thanks for your efforts..