views:

54

answers:

2

I have a system where employees can upload files. There are three ways

Upload to my account in public, private or protected mode
Upload to department account in public, private or protected mode
Upload to organization account in public, private or protected mode

where public is visible to anyone, private to the group or person only and protected to anyone in the organization.

All the files for an organization are stored in a directory say, /files/<organizationId>/, on file server like

files
+-- 234809
| +img1.jpg
| +doc1.pdf
+-- 808234
| +doc2.pdf

I am storing file-path and privacy level in DB. So, I can control whether to show link to a file URL to an user -- on a given page.

The problem is, I do not have any control over file's URL... so, if some one types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged in user is eligible to see img1.jpg.

Any suggestion?


Its a Java application. However, there's a separate instance of Glassfish working as file-server. Since the app is not released yet, so we are open to adopt to a better file access strategy.

The user who are accessing the files may or may not be logged in. But we can always, authenticate a user by redirecting to login page if we know that the file that is being accessed, is a private or shared.

Thanks
Nishant

+1  A: 

You pose an interesting question and your understanding of the problem is correct.

Depending on the version of IIS that is serving the content, you may not even have access control if the content was within your vdir.

A typical solution to this type of scenario is to store the files in a directory that is NOT accessible to the internet and use an HttpHandler that IS protected and stream the files out.

There are several ways to go about this, the simplest being an HttpHandler mapped to a nonexistent directory, say /downloads, and parse the filename out of the RequestUri, set the proper content-type and write the file to Response.

In this case, your HttpHandler IS protected enabling you to determine access.

Sky Sanders
Yeah, this is neat. In this approach, probably the URL will have the context for the file. like http://abc.com/downloads/[some-encrypted-key]/img1.jpg and the HTTP handler will deduce the accessibility based on user credentials and required permission from the key. But a robot can still keep trying and access it, though really low probability.What I was thinking lately, that perhaps I can have a metadata file attached to each file like with img1.jpg there is a file img1.md, when user access the file the Handler read metadata and verify. But file reading on a page w/ 100 files may be painful.
Nishant
@Nishant - clarify in your question what platform you are using and if the users that will be accessing the 'downloads' are authenticated by a login and we can go from there.
Sky Sanders
Its a Java application. However, there's a separate instance of Glassfish working as file-server. Since the app is not released yet, so we are open to adopt to a better file access strategy. The user who are accessing the files may or may not be logged in. But we can always, authenticate a user by redirecting to login page if we know that the file that is being accessed, is a private or shared.
Nishant
sorry, I didn't return back. Basically, yeah -- what I have done is, created a pseudo path and pass file-upload-id. The app reads the permission for the file and verifies accessor's validity. Depending on the validity check, it either streams out the file or takes him to unauthorized exception page.
Nishant
A: 

You could store the files outside of the public folders, and have some sort of route to catch any URL that is requesting a file from an organization. Then you can serve the file programmatically, rather than letting your web server do that without any control.

Garrett
yeah, that's what we ended up doing.
Nishant