>but requires a business process allowing the Flex web app to access a client
>directory, which I'm not permitted to do.
You mean Flex App is not allowed to write on the user's disk, even if allowed
by the user?
If that's the case, then you cannot use this approach.
So you are left with the second option ( navigateToUrl to new window).
>Otherwise, if I simply use the servlet URL for that first parameter in
>URLRequest(), couldn't someone use that same servlet URL outside of the web
>app by entering >it in a browser window any accomplish the same thing? If so,
>then I'd need to do what you first proposed by having the servlet figure out
>if the user that originally >submitted the download request was currently
>logged in,
Since the url request is sent from the same browser as the flex app, it's in
the same user session, so you can simply pass the session id in the url to the
servlet call and check it in the servlet, and fail it doesn't match.
The code was described in detail by Eugene, so refer to it:
> var req:URLRequest=new URLRequest(SERVER_URL); var
> > > variables:URLVariables=new URLVariables();
> > > variables.command=DOWNLOAD_ATTACHMENT;
> > > variables.attachmentId=attachment.id;
> > > variables.sessionId=Params.getInstance().get("sessionId");
> > > req.data=variables;
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLVariables.html#includeExamplesSummary
If someone tries the same URL from a different browser, or at a different time,
the sessionid will not be the same or will not exist at all, so it will fail.
So it's secured.
Play with these options and try for yourself.
Maurice
-----Message d'origine-----
De : [email protected] [mailto:[email protected]]
Envoyé : dimanche 6 avril 2014 23:48
À : [email protected]
Objet : Re: access PDF doc from inside Flex app but not outside?
Hi Maurice,
I understand what you're saying. I guess I'm not asking my question well. Let
me try again. The goal is to have the user click a button that downloads a PDF
file and displays it in a browser window such that the file is derived from a
non-public server directory (such as WEB-INF) and can therefore only be
retrieved from the Flex-based web app.
I can see from the servlet code below that the PDF file is returned in variable
resp. If I use Eugene's approach, the file gets saved in the user's chosen
directory. Thus, the user has no knowledge of where the file is located on the
server, and there's no way for the user to share a link with a non-user to
retrieve the file (although, of course, the user can always just e-mail the
file itself to a non-user; not much I can do about that). That is one working
process, but requires a business process allowing the Flex web app to access a
client directory, which I'm not permitted to do.
Alternatively, if I use the navigateToURL(new URLRequest(...)) approach, I was
thinking that somehow the PDF file was still downloaded, and stored in a
variable, and I was wondering how that variable gets used for the first
parameter in URLRequest().
Otherwise, if I simply use the servlet URL for that first parameter in
URLRequest(), couldn't someone use that same servlet URL outside of the web app
by entering it in a browser window any accomplish the same thing? If so, then
I'd need to do what you first proposed by having the servlet figure out if the
user that originally submitted the download request was currently logged in,
etc. I do have a timestamp when the user logs in, but not when he/she logs out
(since he/she could just close the browser window and I'd no knowledge of it,
etc.). So, I'd prefer not to go down that route. But if there was a way to
simply download the file to a variable (e.g. to cache memory) then open it
(even if the user must first be asked if he/she wants to open it as a second
step in the process, to get around any Flex security limitations, etc.), this
would seem cleaner. Perhaps that's not possible though.
