Hi, why don't you simply work with the session mechanism provided by the Servlet API to keep a list of documents the current user may view, or to keep information about the user to check if he shall be allowed to view the requested document?
Hope this helps!
-mw

----- Original Message -----
From: "Michael Wills" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 4:59 PM
Subject: Security Related Question

> First, to qualify myself, I am relatively new to Java. I am an RPG programmer
> by trade.
>
> We have a web application (purchased) that does its own document distribution
> that. However in our environment, we are somewhat modifying it to adapt to
> our environment, but let it handle the front end security. We distribute PDF
> versions of reports via the intranet. We place each company's documents in
> separate folders then when we want them to see the reports. BTW, we are
> testing this, it is not in production. I have a servlet written, that will
> display the contents of the directory. We hard code the parameter into a
> link to the servlet. But now we are wondering how secure it really has to
> be. Right now, if the user figures out our directory structure, they can get
> to any report. This is not good.
>
> Anyone have ideas as to how to secure the directory listing so they cannot
> see other companies? Would encrypting the parameters work?
>
> Mike Wills
> AS400 Programmer
> [EMAIL PROTECTED]
>
> Coming soon to a web browser near you... koldark.net
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
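
Added example, not part of the original thread or of the purchased application: one way to apply the session suggestion above, so the report folder is taken from server-side session state instead of a link parameter. The `REPORT_ROOT` path, the `company` session attribute (assumed to be set by the login code after authentication) and the `name` parameter are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. REPORT_ROOT, the "company" session attribute and the
// "name" parameter are assumptions, not taken from the original thread.
public class ReportServlet extends HttpServlet {
    private static final File REPORT_ROOT = new File("/srv/reports"); // hypothetical path

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The folder comes from the session, which only the server can write,
        // never from a link parameter the user can edit.
        HttpSession session = req.getSession(false);
        String company = (session == null) ? null : (String) session.getAttribute("company");
        if (company == null || !company.matches("[A-Za-z0-9_-]+")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        File companyDir = new File(REPORT_ROOT, company).getCanonicalFile();

        String name = req.getParameter("name");
        if (name == null) { // no file requested: list only this company's PDFs
            resp.setContentType("text/plain");
            String[] files = companyDir.list((dir, f) -> f.toLowerCase().endsWith(".pdf"));
            for (String f : (files == null ? new String[0] : files)) {
                resp.getWriter().println(f);
            }
            return;
        }

        // Canonicalize to collapse "../" and symlinks, then require that the
        // file's direct parent is the caller's own folder before sending bytes.
        File requested = new File(companyDir, name).getCanonicalFile();
        if (!companyDir.equals(requested.getParentFile()) || !requested.isFile()
                || !requested.getName().toLowerCase().endsWith(".pdf")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/pdf");
        Files.copy(requested.toPath(), resp.getOutputStream());
    }
}
```

Encrypting the link parameter is not needed in this layout, because the client never supplies the folder at all; the only client input is a file name, and it is checked against the folder bound to the session.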
