  1. #1
    Chinnu55 is offline Member

    Auto generated email and restrict user to access only specific link or file.

    Hi,

    In my application, we have a huge file download option, so if the download takes more time then we are planning to give an alert message stating that "Your download request is still being processed and you will receive an email notification with a link to download the file as soon as your request is processed".

    Now, we need to send auto generated email to user with the link to download,
    for example: https://abc.com/downloads/xyz.xls. And we should restrict users from accessing or hacking other directories or files within or outside the provided link, i.e. trying to get the list of files inside the downloads directory https://abc.com/downloads or trying to access other files inside the downloads directory https://abc.com/downloads/abc.xls.

    I am using jdk1.4, WSAD 6.0.

    Please let me know what would be the better approach for sending an auto generated email and restricting users to access only a specific file, and if there are any examples.

    Thanks,
    Chinnu

  2. #2
    Tolls is offline Moderator

    The link should point to some code (say a servlet), supplying a parameter which will be a unique key.
    That will allow the servlet to find the location of the requested file (for example, the key may be the id in a db which will hold the file location).
    Then the servlet streams that file back.

    It won't prevent someone attempting to guess at a key, but it will prevent listing the directory contents (which can now be stored away from the web directories).

  3. #3
    Chinnu55 is offline Member

    Thanks Tolls,

    Please validate my understanding..

    1. When we send a mail to the user with the link to download
    a. It should contain a URL parameter like "https://test.trail.com/yourdownloadReady.do?id=1000x"
    2. We should have a servlet class which picks the "id" value and queries the data to retrieve the file path associated with that "id".
    3. If "id" is present, then download the file else "some error message".

    Let's assume in table "ABC" we have id and fileLoc fields.
    id fileLoc
    1000x c:\download\acc.xls
    1001y c:\download\bcc.xls
    1002z c:\download\ccc.xls

    But,
    1. How do we restrict the user from trying to access other files like "https://test.trail.com/yourdownloadReady.do?id=1001y" which belong to others?
    Can we have another field "userId" in table "ABC" and check if the user is authorized, but how do we get the userId when he clicks the link from the email, or is there a better approach?

    Thanks,
    Chinnu.
    Last edited by Chinnu55; 05-23-2011 at 09:33 AM. Reason: By mistake got posted earlier.

  4. #4
    Tolls is offline Moderator

    You could add a userId parameter as well, which would make it slightly harder to simply run through a set of numbers and see what turns up.
    But if you are simply providing a link and no other login requirement from the user then you cannot prevent someone firing off random requests to see if anything comes back.

  5. #5
    Chinnu55 is offline Member

    Do you mean whenever a user clicks on the link which was sent through an email, should open a login page and ask the user to enter his/her credentials and if the credentials match then download, right?

  6. #6
    Tolls is offline Moderator

    That's the only way to stick some proper security onto it, yes.
    Anything else involves simply trying to make the id suitably large and random so as to make it hard to brute-force a valid document.

    Of course, it all depends on what it is you're protecting. If a small possibility someone might chance upon a document isn't actually a problem then you might decide a large random id is good enough.
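
The two controls discussed in this thread (a large random key in the emailed link, plus a check that the logged-in user owns the file) can be combined as in the following added example, which is not code from any poster. The class and method names, the in-memory map standing in for the database table, the `/srv/exports` path and the user names are all assumptions made for illustration, and it uses a current JDK rather than 1.4.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration; every class, field and method name here is hypothetical.
public class DownloadLinks {
    private static final SecureRandom RNG = new SecureRandom();
    // Files live outside the web directories, so there is nothing to list.
    private final Path storeRoot;
    // Stands in for the database table: key -> { owner userId, file name }.
    private final Map<String, String[]> table = new HashMap<>();

    public DownloadLinks(String storeRoot) {
        this.storeRoot = Paths.get(storeRoot).toAbsolutePath().normalize();
    }

    // Called when the export is ready; the returned key goes into the emailed link.
    public String issue(String userId, String fileName) {
        byte[] raw = new byte[32];   // 256 bits from a CSPRNG, not a sequential id
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(key, new String[] { userId, fileName });
        return key;
    }

    // Called by the servlet. sessionUser is the user who logged in, or null.
    // Every failure returns null, so a response never reveals which keys exist.
    public Path resolve(String key, String sessionUser) {
        String[] row = (key == null) ? null : table.get(key);
        if (row == null || sessionUser == null || !row[0].equals(sessionUser)) {
            return null;
        }
        Path file = storeRoot.resolve(row[1]).normalize();
        return file.startsWith(storeRoot) ? file : null;   // must stay inside the store
    }

    public static void main(String[] args) {
        DownloadLinks links = new DownloadLinks("/srv/exports");   // constructed path
        String key = links.issue("user-a", "acc.xls");             // constructed sample data
        System.out.println("link:       https://example.invalid/download?key=" + key);
        System.out.println("owner:      " + links.resolve(key, "user-a"));
        System.out.println("other user: " + links.resolve(key, "user-b"));
        System.out.println("no login:   " + links.resolve(key, null));
        System.out.println("guessed id: " + links.resolve("1001y", "user-a"));
    }
}
```

Only the first `resolve` call returns a path; the other three return `null`, which the servlet would map to the same generic error response.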
