This is how I do it - I have the server listening on both an internal and external interface and check that download attempts on the external one are secure before allowing it. The internal interface is plain FTP:
public FtpletResult onDownloadStart(FtpSession session, FtpRequest request) throws FtpException, IOException { if (isExternalInterface(session) && ! isSecureConnection(session)) { //security issue, either the control or data port is unsecure LOG.error("About to start a download, but either the control or data connection is unsecure. Download aborted."); writeMessage(session, FtpReply.REPLY_550_REQUESTED_ACTION_NOT_TAKEN, "Session is not secure. Issue PROT P command first."); return FtpletResult.SKIP; } private boolean isSecureConnection(FtpSession session) { return (session.isSecure() && session.getDataConnection().isSecure()); } Best Regards, Gary Bell