Okay I have a folder say... http://oldserver.net/file/index.jar

How would I be able to protect the file "index.jar" from being downloaded from regular web browsers?

I've seen this done before, I just want to protect it from being accessed from web browsers, and keep it strictly java download access only.

What I mean by java download access only is, I could simply use a java downloader to download index.jar. But I can't download it via web browser.

How would I protect the file "index.jar" ?

Thanks:)

+1  A: 

Technically, you can't. Whatever HTTP request Java makes, another HTTP client program can be made that makes the same.

However, you can make it slightly more difficult. You can put the file behind HTTP digest authentication and include the password in the JAR of the Java program, or you can check the user agent server-side.

See e.g. get_browser() and Apache 2 authorization and authentication.

Artefacto
Thank you Artefacto:)
Kyle
+6  A: 

You need to think about what this requirement means specifically - from the point of view of your server, how can it tell whether an incoming request is a "java download" or not?

In short, I don't think there's a way to do exactly what you're after. The classic way to secure resources would be by requiring authentication (i.e. you need a valid username and password to get the index.jar file) but it doesn't sound like that's what you want here.

Bear in mind that Java simply sends HTTP requests (or other protocols that it knows how to speak) down a connection. Any other program could send identical requests, so there's quite simply no way to enforce this limit in the way that you've specified.

One approach that might simulate what you're after is to not have the index.jar accessible via HTTP, so browsers wouldn't be able to get at it by default, and then access it via another protocol in Java (e.g. FTP, SFTP, whatever). Though as mentioned above, any tool that can speak this new protocol would be able to download the file.

Another approach would be to look for Java-specific headers, such as the User-Agent field (assuming this is populated with something recognisable). But again - this is not secure, as any tool could send through the same headers and impersonate a java download.


If you mean in your question that you only want your files to be downloaded by a specific Java application, then things get a bit more feasible. You can distribute an application that contains some authentication (e.g. public/private key pair) and have the server challenge for this when index.jar is requested. But even then this is dubious - by definition the Java app has to contain sufficient information to authenticate as itself; and by definition you have to distribute this information publicly; so it wouldn't be difficult to extract the private keys and have some other application masquerade as your Java one.


Basically, I can't see any way around this issue given the confines you've stated. If there's a narrower scope you'd be willing to entertain you may be able to come up with a viable compromise, but right now the answer is simply "no".

Andrzej Doyle
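
The two server-side checks discussed in the answer above, side by side, as an added example that is not code from any of the posters: a gate on the `User-Agent` header and a gate on a credential. The class name, the `/ua/` and `/token/` paths, the file body and the token value are assumptions constructed for the demonstration; the server listens on loopback only and needs Java 11 or later.

```java
import com.sun.net.httpserver.*;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.function.Predicate;

public class DownloadGateDemo {
    // Constructed placeholders: a stand-in file body and a per-user token (assumed issued out of band).
    static final byte[] JAR = "placeholder for index.jar".getBytes(StandardCharsets.UTF_8);
    static final String TOKEN = "Bearer constructed-demo-token";

    // Weak gate: trusts the User-Agent header, which every client sets freely.
    static boolean userAgentGate(Headers h) {
        String ua = h.getFirst("User-Agent");
        return ua != null && ua.startsWith("Java/");
    }
    // Credential gate: requires the secret, compared in constant time. Needs HTTPS in deployment.
    static boolean tokenGate(Headers h) {
        String auth = h.getFirst("Authorization");
        return auth != null && MessageDigest.isEqual(
                auth.getBytes(StandardCharsets.UTF_8), TOKEN.getBytes(StandardCharsets.UTF_8));
    }
    static HttpHandler serveIf(Predicate<Headers> gate) {
        return ex -> {
            boolean ok = gate.test(ex.getRequestHeaders());
            ex.sendResponseHeaders(ok ? 200 : 403, ok ? JAR.length : -1);
            if (ok) ex.getResponseBody().write(JAR);
            ex.close();
        };
    }
    // Sends one GET with a single chosen header and returns the HTTP status code.
    static int status(String url, String header, String value) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).header(header, value).build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }
    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ua/index.jar", serveIf(DownloadGateDemo::userAgentGate));
        server.createContext("/token/index.jar", serveIf(DownloadGateDemo::tokenGate));
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        System.out.println("UA gate, browser UA:   " + status(base + "/ua/index.jar", "User-Agent", "Mozilla/5.0"));
        System.out.println("UA gate, Java-like UA: " + status(base + "/ua/index.jar", "User-Agent", "Java/17"));
        System.out.println("token gate, UA only:   " + status(base + "/token/index.jar", "User-Agent", "Java/17"));
        System.out.println("token gate, token:     " + status(base + "/token/index.jar", "Authorization", TOKEN));
        server.stop(0);
    }
}
```

The header gate passes any request whose `User-Agent` begins with `Java/`, whatever program sent it, while the credential gate depends only on who holds the token; a token shipped inside a publicly distributed application is subject to the extraction problem the answer describes.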
A: 

You could create a web application that serves your file. Here you could check for the user agent string in the request and decide on that user agent string whether to serve the file or not. For this to work, your "java downloader" must have an identifiable user agent string and your application must "know" it. Of course any bad guy who knows this could make his browser send you the same user agent string, so this is not really secure :-/

Ridcully
+1  A: 

You can't. Sorry.

Thorbjørn Ravn Andersen
A: 

If your index.jar is very important, do not make it available for download in any of the methods mentioned. As soon as it is available for download and ends up on the client computer, inside java or not, it will be hacked. Some code should only run on the server.

hidralisk