If the content is highly sensitive, then using Adobe's own method of securing it would be the simplest method. Encrypting / password-protecting a PDF file is pretty basic security that would stop the casual hacker.

Your service needs to prevent request record and replay attacks. Viewing an unprotected byte stream within the browser is pretty weak. An unprotected byte stream response can be monitored and redirected. For a reasonably vetted model of securing requests and responses, you might look at how AWS SimpleDB, etc. authenticates signed timestamped requests and encrypted responses.

On Mon, Jan 7, 2013 at 11:23 AM, Flying-w <[email protected]> wrote:

> Once again thanks for the suggestions. Email won't work here however, as
> the GWT application is an interactive workflow management tool. When a
> user wishes to see a PDF, they need to see it right now rather than wait
> for a link to be supplied via email. If browser is the only way forward,
> how can I do this?
>
> Thanks
> Simon
>
>
> On Monday, January 7, 2013 4:47:56 PM UTC, jchimene wrote:
>>
>> On 01/07/2013 09:23 AM, Flying-w wrote:
>> > Thanks for the reply. The PDF content is highly valuable, so each
>> > request must be authenticated and the PDF content must be delivered to
>> > the browser securely.
>> >
>> > Recommendations for other delivery methods?
>>
>> There is no reason to deliver the content specifically to the browser.
>> Most folks will use Acrobat to read the PDF, so the browser acts as an
>> intermediary and increases the attack surface. The content is valuable
>> (i.e. there is sufficient economic interest to analyze your delivery
>> method and dupe the server), attacks are possible and economically
>> beneficial to the attacker.
>>
>> I'd use email. Deliver the PDF as an attachment. There might be issues
>> w/ filters.
>>
>> You might also consider emailing a one-time key as the query string in a
>> URL, then downloading the PDF in response to that GET. As the key is
>> associated w/ the user, there is no secondary login required. Also, you
>> know (i.e. implement in code) that the request can only happen once. It
>> might also be appropriate to implement a time window in which the URL is
>> valid.
>> >
>> > Perhaps the ideal solution is to have the PDF content delivered in the
>> > response
>> > to a GWT RPC method say as a byte array. The problem is, I've no idea
>> > how to get that byte stream rendered in the browser.
>> Security by obscurity? No.
>>
>> Cheers,
>> jec
>>

--
A. Stevko
===========
"If everything seems under control, you're just not going fast enough." M. Andretti
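
The one-time, time-limited download key suggested by jchimene above, which also covers the record-and-replay concern, as an added example that is not part of the original thread. It is written in Python rather than as GWT servlet code; the function names, the in-memory nonce store, the 300-second window and taking the user name from the authenticated session are all illustrative assumptions.

```python
import hashlib, hmac, json, secrets, threading, time

SECRET = secrets.token_bytes(32)  # server-side signing key (assumption: never leaves the server)
TTL_SECONDS = 300                 # validity window; constructed value
_used = {}                        # nonce -> expiry (assumption: single-process store)
_lock = threading.Lock()


def _sign(user, doc_id, expires, nonce):
    # JSON-encode the fields so their boundaries cannot be shifted by crafted input.
    msg = json.dumps([user, doc_id, expires, nonce]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, doc_id, now=None):
    """Build the query-string parameters for a one-time download URL."""
    now = int(time.time() if now is None else now)
    expires, nonce = now + TTL_SECONDS, secrets.token_urlsafe(16)
    return {"doc": doc_id, "exp": str(expires), "nonce": nonce,
            "sig": _sign(user, doc_id, expires, nonce)}


def redeem_token(user, params, now=None):
    """Check a download request; returns (allowed, reason)."""
    now = int(time.time() if now is None else now)
    try:
        doc_id, nonce = params["doc"], params["nonce"]
        sig, expires = str(params["sig"]), int(params["exp"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    expected = _sign(user, doc_id, expires, nonce)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"   # forged, altered, or issued to another user
    if now > expires:
        return False, "expired"         # outside the time window
    with _lock:
        for old in [n for n, exp in _used.items() if exp < now]:
            del _used[old]              # expired nonces can no longer pass the check above
        if nonce in _used:
            return False, "replayed"    # a recorded request sent a second time
        _used[nonce] = expires
    return True, "ok"
```

The signed URL and the PDF response still need to travel over HTTPS, since the token only limits reuse and does not hide the content in transit.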
