Somewhere behind our firewall sits a server full of PDFs. The PDFs contain private information so I need to restrict access to the PDFs. The public can log in to our web site and request their PDFs.

Our software went to production recently. We're redirecting them to the PDF server's URL. This fails because the public can't access our PDF server. This is a good thing, though I would have preferred to prove this before the launch.

I wrote a PDF servlet that will stream a PDF to the users' browsers. Our JSPs refer to the servlet using an <Object> HTML tag. The prototype works fine.

I don't want The World to have direct access to the servlet since someone could fiddle with the URL and inappropriately grab a PDF.

Now, finally, my questions. Can the JSP refer to the PDF servlet successfully if the servlet is behind the firewall? Will the PDFs display in-line? Will the users get a "save?" dialog box?

+1  A: 

Can the JSP refer to the PDF servlet successfully if the servlet is behind the firewall?

The PDF request just counts as a separate HTTP request. The servlet has no idea if it is behind a firewall or is being called by a JSP. The safest approach would be to check for presence of the user credentials in either the HTTP headers or in the HTTP session.

Will the PDFs display in-line? Will the users get a "save?" dialog box?

That depends on the presence of the Content-Disposition header and/or the browser's configuration. If the header is absent or explicitly set to inline and the browser supports the content type as specified in the Content-Type header, then it will be displayed inline, otherwise it will ask what to do with it: open in some application or save it. If the header is set to attachment, then it depends on the browser config. By default, it should pop a Save As dialog, but the user may have configured the browser to open it immediately in some external application instead.

BalusC
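The two points in the answer above (checking the session for credentials, and choosing inline vs. attachment via the Content-Disposition header) put together in one servlet. This is an added example, not the asker's servlet or BalusC's code. It assumes the site's login stores the username in the session under the attribute "user", and the `DOCUMENTS` map is a constructed stand-in for whatever lookup maps document ids to their owner and file path; it needs Java 9+ and Servlet 3.1+ for `Map.of`, `transferTo` and `setContentLengthLong`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical PDF servlet (example added to this page, not the asker's code).
 * Assumes the login code stores the authenticated username in the session
 * under the attribute "user", and that some lookup maps opaque document ids
 * to an (owner, file path) pair.
 */
public class PdfServlet extends HttpServlet {

    // Constructed stand-in for the real "which user owns which PDF" lookup.
    private static final Map<String, String[]> DOCUMENTS = Map.of(
        "doc-1001", new String[] {"alice", "/srv/pdf/alice/statement-2023.pdf"},
        "doc-1002", new String[] {"bob",   "/srv/pdf/bob/statement-2023.pdf"});

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: the browser, not the JSP, makes this request,
        //    so the servlet must verify the session itself.
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Authorization: resolve an opaque id through the lookup, never a
        //    user-supplied path, and check the caller owns the document.
        String id = req.getParameter("id");
        String[] entry = id == null ? null : DOCUMENTS.get(id);
        if (entry == null || !entry[0].equals(user)) {
            // Same response for "no such document" and "not yours", so the
            // URL cannot be used to work out which ids exist.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        Path file = Paths.get(entry[1]);
        if (!Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 3. Headers: "inline" asks the browser to render the PDF in place
        //    (e.g. inside the JSP's <object>); "attachment" would instead
        //    normally trigger a Save As dialog.
        resp.setContentType("application/pdf");
        resp.setHeader("Content-Disposition",
            "inline; filename=\"" + file.getFileName() + "\"");
        resp.setContentLengthLong(Files.size(file));
        resp.setHeader("Cache-Control", "private, no-store");

        // 4. Stream the bytes: only the servlet container reads from the
        //    internal PDF server; the public only ever reaches this servlet.
        try (InputStream in = Files.newInputStream(file);
             OutputStream out = resp.getOutputStream()) {
            in.transferTo(out);
        }
    }
}
```

The servlet itself has to be reachable by the browser (the `<object>` tag triggers a second request from the client), so the restriction "someone could fiddle with the URL" is enforced by steps 1 and 2, not by network placement: a guessed id still returns 404 unless the session user owns it.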
@BalusC _The safest approach_ ...you're right. I inherited this. The login security is... unique. Did I mention the application is all jsp - no servlet at all? In any event, I suppose a better question is, when does the `<object>` get rendered? If it's rendered by the user's browser, then I'm doomed - the PDF servlet will have to be globally accessible. As I type this, I kinda know the answer to that. Well, the boss is ok with it, so I suppose I'll take the low road here and work to get real authentication implemented.
Tony Ennis
HTML is rendered on the client side. The webbrowser is responsible for rendering HTML and firing other HTTP requests for linked resources in HTML like `<img>`, `<iframe>`, `<link>`, `<script>`, `<object>`, etc. In other words: you're doomed. It's not JSP which loads and magically compresses this all into a single HTTP response somehow :)
BalusC