Discussion:
[Stripes-users] Stripes user access control of linked files
William Krick
2016-11-28 20:23:26 UTC
I'm working on a Stripes web application that provides links to tutorial
files. The users have to log into the application. The problem is that
the links to the tutorial files are accessible to anyone, whether they are
logged into the application or not.

The links should only be accessible to logged-in users.

Is there some standard way that this is done?

Also, should the files be hosted outside of the web-accessible root
directory?

I don't want to have to bundle the files inside the deployment war because
they may need to be updated outside of the normal app deployment cycle.
Rick Grashel
2016-11-28 21:30:48 UTC
Hi William,

How are your users logging in right now? Through basic authentication or
through a custom mechanism?

-- Rick
_______________________________________________
Stripes-users mailing list
https://lists.sourceforge.net/lists/listinfo/stripes-users
William Krick
2016-11-28 22:26:28 UTC
There's a custom mechanism that creates security tokens. I'm not really
sure how it works as this is a large application and the security framework
was developed by another group.

I'm guessing that conceptually, a proper solution to "secure" file links
would involve custom URLs that incorporate a security token string that are
only valid for the current user in the current session.
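The session-bound, token-carrying file URL sketched in the post above, written out as an added example (this is not code from the original thread or from Stripes, and the secret, the user id, the session id and the `/tutorial/` path prefix are all constructed placeholders). Only the file name, the expiry and the signature travel in the URL; the user id and session id are supplied by the server at verification time, so a link copied out of one session fails verification in any other:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Builds and checks HMAC-signed download links. The MAC covers the file name,
 * the user id, the session id and an expiry time, so the link is only valid for
 * one user, in one session, for a limited time.
 */
public final class SignedFileLink {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    /** secret: server-side key, never sent to the client. */
    public SignedFileLink(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Canonical string covered by the MAC; '|' is rejected in the inputs below. */
    private static String payload(String file, String userId, String sessionId, long expiresAt) {
        for (String s : new String[] {file, userId, sessionId}) {
            if (s == null || s.isEmpty() || s.indexOf('|') >= 0) {
                throw new IllegalArgumentException("field must be non-empty and contain no '|'");
            }
        }
        return file + "|" + userId + "|" + sessionId + "|" + expiresAt;
    }

    private String mac(String data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        byte[] tag = m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Link to hand to the logged-in user; the user id and session id are NOT in the URL. */
    public String link(String file, String userId, String sessionId, long expiresAt)
            throws GeneralSecurityException {
        String sig = mac(payload(file, userId, sessionId, expiresAt));
        return "/tutorial/" + file + "?exp=" + expiresAt + "&sig=" + sig;
    }

    /** Called by the download endpoint with the user id and session id of the CURRENT request. */
    public boolean verify(String file, String userId, String sessionId, long expiresAt,
                          String sig, long now) throws GeneralSecurityException {
        if (now > expiresAt) {
            return false;                       // expired, do not bother recomputing
        }
        String expected = mac(payload(file, userId, sessionId, expiresAt));
        // constant-time comparison so the check does not leak matching prefixes
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // constructed demo secret; use random bytes from SecureRandom in a real deployment
        byte[] secret = "constructed-demo-secret-replace-me".getBytes(StandardCharsets.UTF_8);
        SignedFileLink links = new SignedFileLink(secret);
        long exp = System.currentTimeMillis() / 1000 + 600;   // ten-minute lifetime

        String url = links.link("intro.pdf", "user42", "SESSION-A", exp);
        String sig = url.substring(url.indexOf("&sig=") + 5);
        System.out.println(url);
        System.out.println("same user/session:   " + links.verify("intro.pdf", "user42", "SESSION-A", exp, sig, exp - 1));
        System.out.println("other session:       " + links.verify("intro.pdf", "user42", "SESSION-B", exp, sig, exp - 1));
        System.out.println("after expiry:        " + links.verify("intro.pdf", "user42", "SESSION-A", exp, sig, exp + 1));
    }
}
```

The endpoint that serves the file still has to look up the caller's user id and session id from the server-side session before calling `verify`; the signature only proves the link was minted for that pair, it does not replace the login check.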
Poitras Christian
2016-11-28 22:38:02 UTC
You can always fix this using Stripes.
Register the *.whatever extension to a Stripes action and use StreamingResolution to return the file content.

This is a poor solution since Web containers are much better at streaming content, but at least it will work.

Christian

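The approach suggested above, as an added example rather than code from the thread or from the Stripes project: a Stripes ActionBean that serves tutorial files kept outside the web root, refusing anonymous requests and rejecting path traversal before streaming. The `/tutorial/{name}` binding, the `/var/lib/myapp/tutorials` directory and the `authenticatedUser` session attribute are assumptions; the application's own login code would set whatever attribute it uses, and the Stripes dispatcher must be mapped in web.xml so that requests under `/tutorial/` (or the chosen file extension) reach it:

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ErrorResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StreamingResolution;
import net.sourceforge.stripes.action.UrlBinding;

/**
 * Serves /tutorial/<name> from a directory that the container never exposes
 * directly, so every download passes through the login check below.
 */
@UrlBinding("/tutorial/{name}")
public class TutorialFileActionBean implements ActionBean {
    // Assumed location outside the web root; files here can be updated without redeploying the war.
    private static final File TUTORIAL_DIR = new File("/var/lib/myapp/tutorials");
    // Assumed name of the session attribute the application's login sets.
    private static final String USER_ATTR = "authenticatedUser";

    private ActionBeanContext context;
    private String name;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    @DefaultHandler
    public Resolution download() throws IOException {
        // 1. Authentication: no session, or no logged-in user in it, means no file.
        HttpSession session = context.getRequest().getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            return new ErrorResolution(HttpServletResponse.SC_FORBIDDEN, "login required");
        }

        // 2. Input check: a bare file name only, no separators or parent references.
        if (name == null || name.isEmpty()
                || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.contains("..")) {
            return new ErrorResolution(HttpServletResponse.SC_BAD_REQUEST, "bad file name");
        }

        // 3. Containment check on the canonical path, which also defeats symlinks
        //    pointing out of the directory.
        File file = new File(TUTORIAL_DIR, name).getCanonicalFile();
        String root = TUTORIAL_DIR.getCanonicalPath() + File.separator;
        if (!file.getPath().startsWith(root) || !file.isFile()) {
            return new ErrorResolution(HttpServletResponse.SC_NOT_FOUND, "no such file");
        }

        // 4. Stream it as an attachment with a neutral content type, so a stored
        //    file is downloaded rather than rendered as HTML or script by the browser.
        return new StreamingResolution("application/octet-stream", new FileInputStream(file))
                .setFilename(file.getName());
    }
}
```

The check in step 3 is what makes step 2 redundant rather than the other way round: even if a future change loosened the name filter, a resolved path outside `TUTORIAL_DIR` is still refused. As the post notes, the container would stream a static file more efficiently, but a static mapping cannot consult the session, so the gate has to sit in application code.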
Rusty Wright
2016-11-29 18:22:37 UTC
"There's a custom mechanism that creates security tokens."

I retired several years ago so this is all from my foggy geriatric memory
and it may be a bogus suggestion.

If you're on Unix and your security token contains their user id then you
could use this brute force method. Unix has a system call that will
tell you if a user id is allowed access to a file, called "access()". I'm
guessing that your web server is just pointing them to the directory
directly and the web server is making the list of files. If your Stripes
app makes the list of files instead then you can use the access() system
call on each file before it adds it to the list of files to present them.

But if they know the url to any of the files they're not allowed access to
they could still type that url into the browser's address box and get to it
so it's not the least bit secure.