flex-users mailing list archives

From Javier Guerrero García <javi...@gmail.com>
Subject Re: access PDF doc from inside Flex app but not outside?
Date Mon, 07 Apr 2014 00:41:03 GMT
Two stupid questions here:

1. What about using a standard StageWebView to open a standard PDF using
standard HTTP auth? Users don't have access to the URL, you don't have to
exit your application, files will only be available for those with the
credentials, ...

2. If we can assume up-to-date browsers, why not create a fairly simple php
that checks the user permissions and serves the PDF files as data uris?


On Mon, Apr 7, 2014 at 12:50 AM, Maurice Amsellem <
maurice.amsellem@systar.com> wrote:

> > but requires a business process allowing the Flex web app to access a
> > client directory, which I'm not permitted to do.
> You mean Flex App is not allowed to write on the user's disk, even if
> allowed by the user?
> If that's the case, then you cannot use this approach.
>
> So you are left with the second option ( navigateToUrl to new window).
>
> > Otherwise, if I simply use the servlet URL for that first parameter in
> > URLRequest(), couldn't someone use that same servlet URL outside of the web
> > app by entering it in a browser window and accomplish the same thing? If
> > so, then I'd need to do what you first proposed by having the servlet
> > figure out if the user that originally submitted the download request was
> > currently logged in,
>
> Since the url request is sent from the same browser as the flex app, it's
> in the same user session, so you can simply pass the session id in the url
> to the servlet call and check it in the servlet, and fail if it doesn't match.
>
> The code was described in detail by Eugene, so refer to it:
> > var req:URLRequest=new URLRequest(SERVER_URL);
> > var variables:URLVariables=new URLVariables();
> > variables.command=DOWNLOAD_ATTACHMENT;
> > variables.attachmentId=attachment.id;
> > variables.sessionId=Params.getInstance().get("sessionId");
> > req.data=variables;
>
> http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLVariables.html#includeExamplesSummary
>
> If someone tries the same URL from a different browser, or at a different
> time, the sessionid will not be the same or will not exist at all, so it
> will fail.  So it's secured.
>
> Play with these options and try for yourself.
>
> Maurice
>
> -----Original Message-----
> From: modjklist@comcast.net [mailto:modjklist@comcast.net]
> Sent: Sunday, April 6, 2014 23:48
> To: users@flex.apache.org
> Subject: Re: access PDF doc from inside Flex app but not outside?
>
> Hi Maurice,
>
> I understand what you're saying. I guess I'm not asking my question well.
> Let me try again. The goal is to have the user click a button that
> downloads a PDF file and displays it in a browser window such that the file
> is derived from a non-public server directory (such as WEB-INF) and can
> therefore only be retrieved from the Flex-based web app.
>
> I can see from the servlet code below that the PDF file is returned in
> variable resp. If I use Eugene's approach, the file gets saved in the
> user's chosen directory. Thus, the user has no knowledge of where the file
> is located on the server, and there's no way for the user to share a link
> with a non-user to retrieve the file (although, of course, the user can
> always just e-mail the file itself to a non-user; not much I can do about
> that). That is one working process, but requires a business process
> allowing the Flex web app to access a client directory, which I'm not
> permitted to do.
>
> Alternatively, if I use the navigateToURL(new URLRequest(...)) approach, I
> was thinking that somehow the PDF file was still downloaded, and stored in
> a variable, and I was wondering how that variable gets used for the first
> parameter in URLRequest().
>
> Otherwise, if I simply use the servlet URL for that first parameter in
> URLRequest(), couldn't someone use that same servlet URL outside of the web
> app by entering it in a browser window and accomplish the same thing? If
> so, then I'd need to do what you first proposed by having the servlet
> figure out if the user that originally submitted the download request was
> currently logged in, etc. I do have a timestamp when the user logs in, but
> not when he/she logs out (since he/she could just close the browser window
> and I'd no knowledge of it, etc.). So, I'd prefer not to go down that
> route. But if there was a way to simply download the file to a variable
> (e.g. to cache memory) then open it (even if the user must first be asked
> if he/she wants to open it as a second step in the process, to get around
> any Flex security limitations, etc.), this would seem cleaner. Perhaps
> that's not possible though.
>
>
>
>
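
The servlet-side check discussed in the quoted reply, as an added example that is not part of the original thread or of Eugene's code. The class name, the "userId" session attribute, the numeric attachmentId and the /WEB-INF/pdf/ layout are assumptions; the session is resolved by the container from the browser's session cookie, and the sessionId URL parameter is only compared against it, so the URL by itself does not grant access.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: class name, "userId" attribute and file layout are assumptions.
public class AttachmentServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) never creates a session: none means not logged in.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The sessionId sent by the Flex app must match the container's session.
        String claimed = req.getParameter("sessionId");
        if (claimed == null || !claimed.equals(session.getId())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Accept only a numeric id (assumed format) so it cannot alter the path.
        String id = req.getParameter("attachmentId");
        if (id == null || !id.matches("\\d{1,18}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // /WEB-INF is never served directly by the container, only through code.
        try (InputStream in = getServletContext()
                .getResourceAsStream("/WEB-INF/pdf/" + id + ".pdf")) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("application/pdf");
            resp.setHeader("Content-Disposition", "inline; filename=\"" + id + ".pdf\"");
            resp.setHeader("Cache-Control", "no-store");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        }
    }
}
```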
