use the security features that have been around with servlets for ages - HTTP basic auth, etc. a reading of the servlet spec should give you enough info. above and beyond that, individual servlet containers (especially commercial ones like weblogic, websphere) have extensions to that security model that let you do a lot more.
alternatively, why use servlets at all? a good perimeter guard system like SiteMinder or GetAccess will do the job of allowing you to protect individual URLs (i.e., your PDF docs, or whole directories - by company? - of the same) by the user's role.

another thought comes to mind (though i'm not sure how accurate this is): just about every web server out there supports HTTP basic auth. maybe some also support the concept of user roles - you could then have one user role per company in your system, and assign appropriate permission to the company to protect individual docs in your system.

ashwin

-----Original Message-----
From: Michael Weller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 12:25 AM
To: [EMAIL PROTECTED]
Subject: Re: Security Related Question

hi,

why don't you simply work with the session mechanism provided by the servlet api to keep a list of documents the current user may view or to keep information about the user to check if he shall be allowed to view the requested document.

hope this helps!
-mw

----- Original Message -----
From: "Michael Wills" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 4:59 PM
Subject: Security Related Question

> First, to qualify myself, I am relatively new to java. I am an RPG programmer
> by trade.
>
> We have a web application (purchased) that does its own document distribution
> that. However in our environment, we are somewhat modifying it to adapt to
> our environment, but let it handle the front end security. We distribute PDF
> versions of reports via the intranet. We place each company's documents in
> separate folders then when we want them to see the reports. BTW, we are
> testing this, it is not in production. I have a servlet written, that will
> display the contents of the directory. We hard code the parameter into a
> link to the servlet. But now we are wondering how secure it really has to
> be. Right now, if the user figures out our directory structure, they can get
> to any report. This is not good.
>
> Anyone have ideas as to how to secure the directory listing so they cannot
> see other companies? Would encrypting the parameters work?
>
> Mike Wills
> AS400 Programmer
> [EMAIL PROTECTED]
>
> Coming soon to a web browser near you... koldark.net
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
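
The session approach suggested in the replies, as an added example that is not part of the original thread and is not any poster's code: the company folder is taken from the logged-in user's session instead of a link parameter, and file names that would leave that folder are rejected. The report root, the `company` session attribute and the `file` parameter are assumptions; the block covers the download step, and the same session-derived folder applies to the directory listing.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;   // jakarta.servlet.http.* on newer containers
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example with hypothetical names: serves one PDF from the caller's own company folder.
public class ReportServlet extends HttpServlet {
    // Assumption: reports are stored as <REPORT_ROOT>/<company>/<file>.pdf
    private static final Path REPORT_ROOT = Paths.get("/data/reports").toAbsolutePath().normalize();

    // Resolve a requested file name inside the company's folder. Returns null when the
    // name would escape that folder (for example "../othercorp/q3.pdf" or an absolute path).
    static Path resolve(Path root, String company, String requested) {
        if (company == null || requested == null) return null;
        if (!company.matches("[A-Za-z0-9_-]+") || !requested.endsWith(".pdf")) return null;
        Path companyDir = root.resolve(company).normalize();
        // normalize() is purely lexical; compare toRealPath() results if the tree may hold symlinks.
        Path target = companyDir.resolve(requested).normalize();
        return target.startsWith(companyDir) ? target : null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);   // do not create a session for anonymous callers
        // Assumption: the login step stored the user's company under this attribute.
        String company = session == null ? null : (String) session.getAttribute("company");
        if (company == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The folder comes from the session, never from the URL; only the file name is client input.
        Path file = resolve(REPORT_ROOT, company, req.getParameter("file"));
        if (file == null || !Files.isRegularFile(file)) {
            // Same response for "not yours" and "does not exist", so the layout is not revealed.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/pdf");
        Files.copy(file, resp.getOutputStream());
    }
}
```

Because the folder is never read from the request, encrypting or hiding the link parameter is unnecessary: knowing the directory structure gives a user nothing to substitute.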
