28081

Securing Files over Web: Fine Grained Authorization Based File Access

Question:

I have a system where employees can upload files. There are three ways

Upload to my account in public, private or protected mode<br /> Upload to department account in public, private or protected mode<br /> Upload to organization account in public, private or protected mode

where public is visible to anyone, private to the group or person only and protected to anyone in the organization.

All the files for an organization are stored in a directory say, /files/<organizationId>/, on file server like

files<br /> +-- 234809<br /> | +img1.jpg<br /> | +doc1.pdf<br /> +-- 808234<br /> | +doc2.pdf

I am storing file-path and privacy level in DB. So, I can control whether to show link to a file URL to an user -- on a given page.

The problem is, I do not have any control over file's URL... so, if some one types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged in user is eligible to see img1.jpg.

Any suggestion?

<hr />

Its a Java application. However, there's a separate instance of Glassfish working as file-server. Since the app is not released yet, so we are open to adopt to a better file access strategy.

The user who are accessing the files may or may not be logged in. But we can always, authenticate a user by redirecting to login page if we know that the file that is being accessed, is a private or shared.

Thanks<br /> Nishant

Answer1:

You pose an interesting question and your understanding of the problem is correct.

Depending on the version of IIS that is serving the content, you may not even have access control if the content was within your vdir.

A typical solution to this type of scenario is to store the files in a directory that is NOT accessible to the internet and use an HttpHandler that IS protected and stream the files out.

There are several ways to go about this, the simplest being an HttpHandler mapped to a nonexistent directory, say /downloads, and parse the filename out of the RequestUri, set the proper content-type and write the file to Response.

In this case, your HttpHandler IS protected enabling you to determine access.

Answer2:

You could store the files outside of the public folders, and have some sort of route to catch any URL that is requesting a file from an organization. Then you can serve the file programmatically, rather than letting your web server do that without any control.

Recommend

  • Dictionary of nested lists to pandas DataFrame
  • Calculating distance between word/document vectors from a nested dictionary
  • Copy file, but error double free or corruption in C
  • Bit arrays usage and filtering in Elasticsearch
  • Excel not inserting leading zero
  • MVC - @Html.CheckBoxFor
  • Webgrid not refreshing after delete MVC
  • Ionic 2 storage is not cleaning up on uninstall - Only for signed APK
  • Jquery UI tool tip close icon
  • Is there any way to access browser form field suggestions from JavaScript?
  • Nant, Vault & Windows Integrated Authentication
  • Bug in WPF DataGrid
  • script to move all files from one location to another location
  • javascript inside java/jsp code
  • Sending data from AppleScript to FileMaker records
  • ILMerge & Keep Assembly Name
  • Join two tables and save into third-sql
  • htaccess rewriting URLs with multiple forward slashes
  • How to model a transition system with SPIN
  • Symfony2: How to get request parameter
  • Display Images one by one with next and previous functionality
  • ORA-29908: missing primary invocation for ancillary operator
  • jQuery tmpl and DataLink beta
  • Web-crawler for facebook in python
  • How can I estimate amount of memory left with calling System.gc()?
  • Circular dependency while pushing http interceptor
  • Run Powershell script from inside other Powershell script with dynamic redirection to file
  • Traverse Array and Display in markup
  • A cron job substitute?
  • KeystoneJS: Relationships in Admin UI not updating
  • AngularJs get employee from factory
  • Load html files in TinyMce
  • How to set the response of a form post action to a iframe source?
  • Change div Background jquery
  • Qt: Run a script BEFORE make
  • Authorize attributes not working in MVC 4
  • Busy indicator not showing up in wpf window [duplicate]
  • Converting MP3 duration time
  • Python/Django TangoWithDjango Models and Databases
  • Net Present Value in Excel for Grouped Recurring CF