commons-user mailing list archives

From Raphaël Piéroni <raphael_mail...@yahoo.fr>
Subject RE: Serving files through a Servlet?
Date Tue, 29 Jul 2003 07:21:14 GMT
The guard can be done with the Turbine servlet, using an
org.apache.turbine.modules.screens.RawScreen.

Here is some code that does that kind of thing.
To fully understand that code, please refer to the Turbine framework:
http://jakarta.apache.org/turbine/


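import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.OutputStream;

// Turbine 2.x package names (assumed from the RawScreen package given above).
import org.apache.turbine.Turbine;
import org.apache.turbine.modules.screens.RawScreen;
import org.apache.turbine.om.security.User;
import org.apache.turbine.util.Log;
import org.apache.turbine.util.RunData;

// PermissionChecker, ModelUtils, CustomerAccount and Application are
// application classes that are not shown in this message.
public class LoadSecuredResource extends RawScreen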
{
    private String requestedResource = null;
    private String requestedKind = null;
    
    protected void doOutput(RunData runData) 
    throws Exception 
    {
        Log.debug("LoadSecuredResource.doOutput");
        boolean isContentManager = 
            PermissionChecker.isContentManager(runData);
        boolean isSalesManager = 
            PermissionChecker.isSalesManager(runData);
        boolean isPlatformAdministrator = 
            PermissionChecker.isPlatformAdministrator(runData);
        
        OutputStream out = runData.getResponse().getOutputStream();
        
        // Every refused request gets an empty body.
        if (! (isContentManager || isSalesManager || isPlatformAdministrator)) {
            out.write(new byte[0]);

        } else if (isPlatformAdministrator) {
            out.write(new byte[0]);

        } else if (isSalesManager) {
            // Sales managers may read any resource.
            out.write(loadResource(requestedResource));

        } else if (isContentManager) {
            // Content managers may read only resources of their own account.
            if (canRead(runData.getUser(), requestedResource)) {
                out.write(loadResource(requestedResource));

            } else {
                out.write(new byte[0]);
            }

        } else {
            out.write(new byte[0]);

        }
    }
    
    protected String getContentType(RunData runData) 
    {
        Log.debug("LoadSecuredResource.getContentType");
        // RawScreen asks for the content type before it calls doOutput(),
        // so the requested resource name is captured here. A missing
        // parameter becomes "" instead of null.
        requestedResource =
            runData.getParameters().getString("resource", "");
        
        String contentType = null;
        if (requestedResource.endsWith("csv")) {
            contentType = "text/plain";
            requestedKind = "csv";
        } else if (requestedResource.endsWith("jpeg")) {
            contentType = "image/jpeg";
            requestedKind = "jpeg";
        } else {
            contentType = "text/plain";
            requestedKind = "none";
        }
        
        return contentType;
    }
    private boolean canRead(User contentManager, String requestedResource) 
    {
        boolean canRead = false;
        try {
            CustomerAccount account = ModelUtils.getAccountFor(contentManager);
            // Resource names start with "<applicationId>_"; the resource is
            // readable only if that application belongs to the account.
            Application application = account.getApplicationById(
                Integer.parseInt(requestedResource.substring(0, 
                requestedResource.indexOf('_'))));
            if (application != null) {
                canRead = true;
            }
        } catch (Exception e) {
            // malformed name or failed lookup: access stays denied
        }
        return canRead;
    }
    
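    private byte[] loadResource(String requestedResource) 
    throws Exception
    {
        File baseDir = new File(Turbine.getRealPath("/statistics/"));
        File file = new File(baseDir, requestedResource);

        // Refuse names such as "../x" that resolve outside /statistics/.
        String basePath = baseDir.getCanonicalPath() + File.separator;
        if (!file.getCanonicalPath().startsWith(basePath)) {
            throw new SecurityException("resource outside /statistics/");
        }
        
        int fileLength = (int) file.length();
        DataInputStream dis = new DataInputStream(new FileInputStream(file));
        try {
            byte[] byteArray = new byte[fileLength];
            dis.readFully(byteArray);
            return byteArray;
        } finally {
            // close the stream even when the read fails
            dis.close();
        }
    }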
}

 --- "Frost, Gary [IT]" <Gary.Frost@citigroup.com> wrote:
> Unless I'm missing something it sounds like a Filter Servlet would do the
> trick here.
> 
> Put the following into your web.xml
> 
>   <filter>
>     <filter-name>DownloadGuardFilter</filter-name>
>     <display-name>Guard the Downloads</display-name>
>     <description>Blah blah blah</description>
>     <filter-class>com.myproj.web.GuardFilter</filter-class>
>   </filter>
>   <filter-mapping>
>     <filter-name>DownloadGuardFilter</filter-name>
>     <url-pattern>/downloaddir/*</url-pattern>
>   </filter-mapping>
> 
> This way your com.myproj.web.GuardFilter will get called for every access to
> /download
> 
> Have your servlet implement Filter and you're away, you'll have access to the
> url and the ServletRequest (cast to HttpServletRequest) and hence session,
> url etc, exactly as you require.
> 
> Gary
> 
> -----Original Message-----
> From: Robert Priest [mailto:Robert.Priest@bentley.com]
> Sent: Tuesday, 29 July 2003 2:05 AM
> To: 'Jakarta Commons Users List'
> Subject: RE: Serving files through a Servlet?
> 
> 
> Yes, they do.
> 
> Please allow me to do a bit more explaining...
> 
> Also (a bit more information) the URL for the download will contain a
> session id for the user. So if you will allow me to modify my example:
> 
> Say user A logs in and has a session id of "1" and wants to download
> abc.jar. He will be redirected to the url:
> http://localhost/myservlet/downloaddir/1/abc.jar
> 
> now I would like to put in place a guard servlet. So in myservlet's web.xml
> I will add 
> 
> <servlet-mapping>
> 	<servlet-name>com.myproj.web.GUARD</servlet-name>
> 	<url-pattern>/downloaddir/*</url-pattern>
> </servlet-mapping>
> 
> The intention is for the "Guard" servlet to:
> 
> 1. Inspect the url for sessionid ("1" in this case).
> 2. Get it and compare it to the current session id (session.getId()).
> 3. if the two match, then start an http download.
> 4. If not then, throw up an "Access Denied" error page.
> 
> That is pretty much all we need to do. I also don't want to add basic\Form
> authentication at this point for those directories. We simply want to match
> whether the session id in the url is the same as the one the current user is
> using.
> 
> That way, if another user, who will have a different session number (3 or
> what have you) tries to paste in:  
> 
>  http://localhost/myservlet/downloaddir/1/abc.jar
> 
> he\she will get an access denied.
> 
> Is that more understandable?
> 
> We are trying to prevent cutting and pasting of urls.
> 
> 
> 
> 
> -----Original Message-----
> From: Schalk [mailto:schalk@volume4.co.za]
> Sent: Monday, July 28, 2003 11:38 AM
> To: 'Jakarta Commons Users List'
> Subject: RE: Serving files through a Servlet?
> 
> 
> Robert
> 
> Do your users have to log in before accessing these downloadable files?
> 
> Kind Regards
> Schalk Neethling
> Volume4.Development.Multimedia.Branding
> emotionalize.conceptualize.visualize.realize
> Tel: +27125468436
> Fax: +27125468436
> email:schalk@volume4.co.za
> web: www.volume4.co.za
>  
> 
> :: -----Original Message-----
> :: From: Robert Priest [mailto:Robert.Priest@bentley.com]
> :: Sent: Monday, July 28, 2003 4:37 PM
> :: To: 'commons-user@jakarta.apache.org'
> :: Subject: RE: Serving files through a Servlet?
> :: 
> :: Hello All,
> :: 
> :: I am sorry. I was only subscribed to the Dev list, not the user. I am
> :: subscribed now however.
> :: 
> :: If someone replied to this message, could you forward it to me... Thank
> :: you.
> :: 
> :: 
> :: Also, I had another question:
> :: 
> :: How can I check for a Valid session id before allowing access to a file?
> :: 
> :: For example:
> :: 
> :: - I have a directory containing files for download:
> :: http://localhost/myservlet/downloaddir/
> :: - but before you download a file, say abc.jar (by using
> :: "http://localhost/myservlet/downloaddir/abc.jar"), I want to make sure
> :: that you have a valid session id. If your session id is invalid, you get
> :: an access denied page. if not, you are allowed to download.
> :: 
> :: so I guess what I want is to intercept any request to that "downloaddir"
> :: and perform session\security checking (by another servlet or jsp page)
> :: before allowing access...
> :: 
> :: 
> :: Is there something in  the commons package for that, or is this a question
> :: more for the "tomcat users" list?
> :: 
> :: 
> :: Thank you.
> :: >  -----Original Message-----
> :: > From: 	Robert Priest
> :: > Sent:	Monday, July 28, 2003 9:47 AM
> :: > To:	'commons-user@jakarta.apache.org'
> :: > Subject:	FW: Serving files through a Servlet?
> :: >
> :: >
> :: >
> :: >  -----Original Message-----
> :: > From: 	Robert Priest
> :: > Sent:	Monday, July 28, 2003 9:19 AM
> :: > To:	'jakarta-commons@jakarta.apache.org'
> :: > Subject:	Serving files through a Servlet?
> :: >
> :: > Is there anything in the jakarta-commons package that will allow one to
> :: > serve files through a servlet? I would like to have requests for
> :: > downloading files come through a servlet instead of serving them directly
> :: > from an "http" accessible directory...
> :: >
> :: >
> :: >
> :: 
> :: ---------------------------------------------------------------------
> :: To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
> :: For additional commands, e-mail: commons-user-help@jakarta.apache.org
> 
=== message truncated === 

=====
------------------------------------
| Raphaël Piéroni                  |
| 33+ 223 351 354                  |
| mailto:rpieroni@dexem.com        |
| http://www.dexem.com             |
| mailing:raphael_mailing@yahoo.fr |
------------------------------------
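
The filter approach suggested in the quoted reply, applied to the four guard steps listed earlier in the thread, as an added example that is not code from any poster. The class name com.myproj.web.GuardFilter and the /downloaddir/<session-id>/<file> layout come from the thread; the javax.servlet API on Java 7 or later, the helper method names and the constant-time comparison are assumptions of this example.

```java
package com.myproj.web;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Lets a /downloaddir/<session-id>/<file> request through only if the
 *  id in the URL matches the caller's own current session id. */
public class GuardFilter implements Filter {
    private static final String PREFIX = "/downloaddir/";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        String urlId = sessionIdFromPath(pathWithinContext(request));
        if (session == null || urlId == null || !sameId(urlId, session.getId())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return; // step 4: ids differ, or there is no session at all
        }
        chain.doFilter(req, res); // step 3: ids match, let the download proceed
    }

    /** Request path with the web application's context path stripped off. */
    static String pathWithinContext(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    /** Step 1: the segment right after /downloaddir/, or null if malformed. */
    static String sessionIdFromPath(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        int end = path.indexOf('/', PREFIX.length());
        return end > PREFIX.length() ? path.substring(PREFIX.length(), end) : null;
    }

    /** Step 2: compare without revealing the mismatch position through timing. */
    static boolean sameId(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the id is part of the URL, it is also written to access logs, browser history and Referer headers, so the filter rejects pasted links only for callers who do not hold the matching session.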
