- 05-20-2011, 02:44 PM #1
Member
Auto generated email and restrict user to access only specific link or file.
Hi,
In my application, we have a huge file download option, so if the download takes more time then we are planning to give an alert message stating that "Your download request is still being processed and you will receive an email notification with a link to download the file as soon as your request is processed".
Now, we need to send an auto generated email to the user with the link to download, for example: https://abc.com/downloads/xyz.xls. And we should restrict users from accessing or hacking other directories or files within or outside the provided link, i.e. trying to get a list of files inside the downloads directory https://abc.com/downloads or trying to access other files inside the downloads directory https://abc.com/downloads/abc.xls.
I am using jdk1.4, WSAD 6.0.
Please let me know what would be the better approach for sending an auto generated email and restricting users to access only a specific file, and any examples.
Thanks,
Chinnu
- 05-20-2011, 02:53 PM #2
Moderator
The link should point to some code (say a servlet), supplying a parameter which will be a unique key.
That will allow the servlet to find the location of the requested file (for example, the key may be the id in a db which will hold the file location).
Then the servlet streams that file back.
It won't prevent someone attempting to guess at a key, but it will prevent listing the directory contents (which can now be stored away from the web directories).
- 05-23-2011, 09:23 AM #3
Member
Thanks Tolls,
Please validate my understanding..
1. When we send a mail to the user with the link to download
a. It should contain a URL parameter like "https://test.trail.com/yourdownloadReady.do?id=1000x"
2. We should have a servlet class which picks the "id" value and queries the data to retrieve the file path associated with that "id".
3. If "id" is present, then download the file else "some error message".
Let's assume in table "ABC" we have id and fileLoc fields.
id      fileLoc
1000x   c:\download\acc.xls
1001y   c:\download\bcc.xls
1002z   c:\download\ccc.xls
But,
1. How do we restrict the user from trying to access other files like "https://test.trail.com/yourdownloadReady.do?id=1001y" which belong to others?
Can we have another field "userId" in table "ABC" and check if the user is authorized? But how do we get the userId when he clicks the link from the email, or is there a better approach?
Thanks,
Chinnu.
Last edited by Chinnu55; 05-23-2011 at 09:33 AM. Reason: By mistake got posted earlier.
- 05-23-2011, 11:37 AM #4
Moderator
You could add a userId parameter as well, which would make it slightly harder to simply run through a set of numbers and see what turns up.
But if you are simply providing a link and no other login requirement from the user then you cannot prevent someone firing off random requests to see if anything comes back.
- 05-23-2011, 03:06 PM #5
Member
Do you mean that whenever a user clicks on the link which was sent through an email, it should open a login page and ask the user to enter his/her credentials, and if the credentials match then download, right?
- 05-23-2011, 03:13 PM #6
Moderator
That's the only way to stick some proper security onto it, yes.
Anything else involves simply trying to make the id suitably large and random so as to make it hard to brute-force a valid document.
Of course, it all depends on what it is you're protecting. If a small possibility someone might chance upon a document isn't actually a problem then you might decide a large random id is good enough.
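An added example, not code posted by anyone in this thread: the lookup the replies describe, in plain Java, combining a 128-bit random id with the "userId" column proposed above and checking it against the logged-in user. The class and method names, the in-memory map standing in for table "ABC", and the use of Java 7+ syntax rather than JDK 1.4 are assumptions.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added example: opaque download ids bound to a user and checked server-side. */
public class DownloadTokens {
    // One row per issued link; stands in for the thread's table "ABC" (hypothetical layout).
    static final class Entry {
        final String userId;
        final String fileLoc;
        Entry(String userId, String fileLoc) { this.userId = userId; this.fileLoc = fileLoc; }
    }

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Entry> table = new HashMap<>();

    /** Creates a 128-bit random id (32 hex chars), so valid ids cannot be found by counting. */
    public synchronized String issue(String userId, String fileLoc) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        StringBuilder id = new StringBuilder(32);
        for (byte b : raw) id.append(String.format("%02x", b));
        table.put(id.toString(), new Entry(userId, fileLoc));
        return id.toString();
    }

    /** Returns the file location only when the id exists and belongs to the session user. */
    public synchronized String resolve(String id, String sessionUserId) {
        Entry e = (id == null) ? null : table.get(id);
        if (e == null) return null;                        // unknown or guessed id
        if (!e.userId.equals(sessionUserId)) return null;  // someone else's file, or not logged in
        return e.fileLoc;  // the servlet streams this path; the client never supplies a path
    }

    public static void main(String[] args) {
        DownloadTokens tokens = new DownloadTokens();
        // Constructed sample data: file kept outside the web directories.
        String id = tokens.issue("alice", "c:\\download\\acc.xls");
        System.out.println("link:    https://test.trail.com/yourdownloadReady.do?id=" + id);
        System.out.println("owner:   " + tokens.resolve(id, "alice"));
        System.out.println("other:   " + tokens.resolve(id, "bob"));
        System.out.println("guessed: " + tokens.resolve("1001y", "alice"));
        System.out.println("no user: " + tokens.resolve(id, null));
    }
}
```

In a servlet, `sessionUserId` would come from the authenticated session, and every `null` result should map to the same error response so that a caller cannot tell an unknown id from one that belongs to another user.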
- 05-29-2011, 12:14 PM #7
Member