Strips user access control of linked files

krick
I'm working on a Stripes web application that provides links to tutorial files.  The users have to log into the application.  The problem is that the links to the tutorial files are accessible to anyone, whether they are logged into the application or not.

The links should only be accessible to logged-in users.

Is there some standard way that this is done?

Also, should the files be hosted outside of the web-accessible root directory?

I don't want to have to bundle the files inside the deployment war because they may need to be updated outside of the normal app deployment cycle.

------------------------------------------------------------------------------

_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Re: Strips user access control of linked files

Rick Grashel
Hi William,

How are your users logging in right now?  Through basic authentication or through a custom mechanism?

-- Rick

On Mon, Nov 28, 2016 at 2:23 PM, William Krick <[hidden email]> wrote:
Re: Strips user access control of linked files

krick
There's a custom mechanism that creates security tokens.  I'm not really sure how it works as this is a large application and the security framework was developed by another group.

I'm guessing that conceptually, a proper solution to "secure" file links would involve custom URLs that incorporate a security token string that are only valid for the current user in the current session.
On Mon, Nov 28, 2016 at 4:30 PM, Rick Grashel <[hidden email]> wrote:
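One way to realise the per-user, per-session link sketched above, as an added example that is not code from the thread or from Stripes itself: an HMAC over (user id, session id, file name, expiry) is embedded in the link, and the action that streams the file recomputes it from the caller's current session before serving anything. The secret key, the `|` separator (assumed not to occur in the inputs) and the token layout are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Mints and checks per-user, per-session, expiring tokens for tutorial file links. */
public final class FileLinkTokens {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // server-side secret; assumed to be loaded from configuration

    public FileLinkTokens(byte[] key) { this.key = key.clone(); }

    /** What the token commits to: who, which session, which file, and until when. */
    private static String payload(String userId, String sessionId, String fileName, long expiresAt) {
        // '|' as separator: assumed the inputs cannot contain it (e.g. they are URL-encoded upstream)
        return userId + "|" + sessionId + "|" + fileName + "|" + expiresAt;
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Token to put in the link: "<expiresAt>.<base64url(HMAC)>". */
    public String mint(String userId, String sessionId, String fileName, long expiresAt) {
        String sig = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac(payload(userId, sessionId, fileName, expiresAt)));
        return expiresAt + "." + sig;
    }

    /** Recomputes the MAC from the caller's current user and session; a link copied elsewhere fails. */
    public boolean verify(String token, String userId, String sessionId, String fileName, long now) {
        int dot = token.indexOf('.');
        if (dot <= 0) return false;
        long expiresAt;
        try { expiresAt = Long.parseLong(token.substring(0, dot)); }
        catch (NumberFormatException e) { return false; }
        if (now > expiresAt) return false;            // expired links are rejected first
        byte[] expected = mac(payload(userId, sessionId, fileName, expiresAt));
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(token.substring(dot + 1)); }
        catch (IllegalArgumentException e) { return false; }
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }
}
```

The check only helps if the file is served by code that calls `verify` with the user and session id taken from the server-side session, never from the URL.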
Re: Strips user access control of linked files

Poitras Christian
You can always fix this using Stripes.
Register the *.whatever extension to a Stripes action and use StreamingResolution to return the file content.

This is a poor solution since Web containers are much better at streaming content, but at least it will work.

Christian

From: William Krick <[hidden email]>
Reply-To: Stripes Users List <[hidden email]>
Date: Monday, November 28, 2016 at 5:26 PM
To: Stripes Users List <[hidden email]>
Subject: Re: [Stripes-users] Strips user access control of linked files
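An added example of the approach Christian describes (not code from the thread or from the Stripes project), written against the Stripes 1.5 API: the action is bound to a URL of its own, refuses unauthenticated requests, resolves the requested name inside a directory that lives outside the webroot, and only then streams the bytes with StreamingResolution. The `/tutorial` binding, the `name` parameter, the `tutorials.dir` system property and the `"user"` session attribute are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.validation.Validate;

/** Serves tutorial files only to logged-in users, from a directory outside the webroot. */
@UrlBinding("/tutorial")
public class TutorialFileActionBean implements ActionBean {
    // Assumed: the files live in a directory the container never serves directly,
    // so the only route to them is this action (answers the "outside the webroot" question).
    private static final File BASE_DIR = new File(System.getProperty("tutorials.dir", "/srv/tutorials"));

    private ActionBeanContext context;
    @Validate(required = true)
    private String name;   // requested as /tutorial?name=intro.pdf

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    @DefaultHandler
    public Resolution download() throws IOException {
        // 1. Authentication: assumed the site's login code stores the user under "user".
        HttpSession session = context.getRequest().getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            return new ErrorResolution(HttpServletResponse.SC_FORBIDDEN, "Login required");
        }
        // 2. Only bare file names: no separators, no parent references.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.contains("..")) {
            return new ErrorResolution(HttpServletResponse.SC_BAD_REQUEST, "Invalid file name");
        }
        // 3. Canonicalise and confirm the result is still a regular file inside BASE_DIR
        //    (covers symlinks and anything step 2 did not anticipate).
        File file = new File(BASE_DIR, name).getCanonicalFile();
        String root = BASE_DIR.getCanonicalPath() + File.separator;
        if (!file.getPath().startsWith(root) || !file.isFile()) {
            return new ErrorResolution(HttpServletResponse.SC_NOT_FOUND);
        }
        // 4. Stream the bytes ourselves; the URL no longer maps to a file the container exposes.
        String type = context.getServletContext().getMimeType(file.getName());
        return new StreamingResolution(type != null ? type : "application/octet-stream",
                                       new FileInputStream(file)).setFilename(file.getName());
    }
}
```

Because every request passes through `download()`, knowing a file's URL no longer grants access: the session check runs before any byte leaves the server.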
Re: Strips user access control of linked files

Rusty Wright-2
"There's a custom mechanism that creates security tokens."

I retired several years ago so this is all from my foggy geriatric memory and it may be a bogus suggestion.

If you're on Unix and your security token contains their user id then you could use this brute force method. Unix has a system call that will tell you if a user id is allowed access to a file, called "access()". I'm guessing that your web server is just pointing them to the directory directly and the web server is making the list of files.  If your Stripes app makes the list of files instead then you can use the access() system call on each file before it adds it to the list of files to present them.

But if they know the URL to any of the files they're not allowed access to they could still type that URL into the browser's address box and get to it so it's not the least bit secure.

On Mon, Nov 28, 2016 at 2:26 PM, William Krick <[hidden email]> wrote: