3 Replies Latest reply: Apr 30, 2012 6:16 PM by EJP RSS

    File Access Control with Java EE

    933959
      Dear all,

      First of all, I'm not much exposed to Java EE and Java security...

      I'm planning to build a web application based on Java EE. One of the features that it does is to allow the users to download what they see on the web as a file format. What I'm concerned about this is the security. After generating the file, if the application stores the file in the file system and gives the url to the user... this may be hacked by others...and I don't like to see this...since the file can have some sensitive data.

      To prevent this, what kind of mechanism do you use? Can we just stream the file? or Does java EE support ACL for each session or each user to access the file? Or do I have to use kind of impersonation for each session bean?
        • 1. Re: File Access Control with Java EE
          EJP
          if the application stores the file in the file system and gives the url to the user
          Only if you allow PUT access to that URL.
          Can we just stream the file?
          Yes, just make sure you set a Content-Type and possibly a Content-Disposition. These are HTTP attributes, not Java or J2EE.
          Does java EE support ACL for each session or each user to access the file?
          Yes, if you are using container managed security, you can define all that in web.xml.
          Or do I have to use kind of impersonation for each session bean?
          Eh?
          • 2. Re: File Access Control with Java EE
            933959
            Could you share some materials so that I can understand how each solution works? Especially I'm interested in container managed security...

            Thank you.
            • 3. Re: File Access Control with Java EE
              EJP
              Servlet Specification 2.5 or 3, whichever applies to your EE container.