tags:

views:

54

answers:

2
+2  Q: 

Securing Files over Web: Fine Grained Authorization Based File Access

I have a system where employees can upload files. There are three ways

Upload to my account in public, private or protected mode
Upload to department account in public, private or protected mode
Upload to organization account in public, private or protected mode

where public is visible to anyone, private to the group or person only and protected to anyone in the organization.

All the files for an organization are stored in a directory say, /files/<organizationId>/, on file server like

files
+-- 234809
| +img1.jpg
| +doc1.pdf
+-- 808234
| +doc2.pdf

I am storing file-path and privacy level in DB. So, I can control whether to show link to a file URL to an user -- on a given page.

The problem is, I do not have any control over file's URL... so, if some one types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged in user is eligible to see img1.jpg.

Any suggestion?

Its a Java application. However, there's a separate instance of Glassfish working as file-server. Since the app is not released yet, so we are open to adopt to a better file access strategy.

The user who are accessing the files may or may not be logged in. But we can always, authenticate a user by redirecting to login page if we know that the file that is being accessed, is a private or shared.

Thanks
Nishant

+1  A: 

You pose an interesting question and your understanding of the problem is correct.

Depending on the version of IIS that is serving the content, you may not even have access control if the content was within your vdir.

A typical solution to this type of scenario is to store the files in a directory that is NOT accessible to the internet and use an HttpHandler that IS protected and stream the files out.

There are several ways to go about this, the simplest being an HttpHandler mapped to a nonexistent directory, say /downloads, and parse the filename out of the RequestUri, set the proper content-type and write the file to Response.

In this case, your HttpHandler IS protected enabling you to determine access.

Sky Sanders  2010-03-21 16:51:04
Yeah, this is neat. In this approach, probably the URL will have the context for the file. like http://abc.com/downloads/[some-encrypted-key]/img1.jpg and the HTTP handler will deduce the accessibility based on user credentials and required permission from the key. But a robot can still keep trying and access it, though really low probability.What I was thinking lately, that perhaps I can have a metadata file attached to each file like with img1.jpg there is a file img1.md, when user access the file the Handler read metadata and verify. But file reading on a page w/ 100 files may be painful.
Nishant  2010-03-22 19:07:29
@Nishant - clarify in your question what platform you are using and if the users that will be accessing the 'downloads' are authenticated by a login and we can go from there.
Sky Sanders  2010-03-22 19:34:48
Its a Java application. However, there's a separate instance of Glassfish working as file-server. Since the app is not released yet, so we are open to adopt to a better file access strategy. The user who are accessing the files may or may not be logged in. But we can always, authenticate a user by redirecting to login page if we know that the file that is being accessed, is a private or shared.
Nishant  2010-03-22 20:36:25
sorry, I didn't return back. Basically, yeah -- what I have done is, created a pseudo path and pass file-upload-id. The app reads the permission for the file and verifies accessor's validity. Depending on the validity check, it either streams out the file or takes him to unauthorized exception page.
Nishant  2010-08-24 20:56:14
A: 

You could store the files outside of the public folders, and have some sort of route to catch any URL that is requesting a file from an organization. Then you can serve the file programmatically, rather than letting your web server do that without any control.

Garrett  2010-03-21 16:54:30
yeah, that's what we ended up doing.
Nishant  2010-08-24 20:57:38

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security