How would a proxy server affect the equation? One thought was to use a proxy server to validate the user, and see if that authorization flag can be passed along to any embedded links within the page. We could then use a filter to inspect the HTTP header on the request and determine if the user has been authenticated before allowing the request to go forward.
Thanks in advance

Dov

On 12/13/05 12:13 PM, "Ryan Slack" <[EMAIL PROTECTED]> wrote:

>
> Dov Rosenberg wrote:
>> Our application has its own security model that controls access to our
>> information based on our own roles and permissions. We store files related
>> to our application on the file system where our application is running.
>> These associated files are served out by a web server. Our goal is to come
>> up with a scheme where we could apply our security model to control access
>> to these files via the web server. For example someone associates a PDF
>> with some meta data. We don't want the user to be able to bookmark the
>> underlying URL and email it to their friends for them to download without
>> having them authenticated by our service.
>>
>> We are looking at a couple of different ideas.
>>
>> 1. Create a servlet filter to sit in front of the resources requests and
>> somehow tie that into our application logic
>> 2. Create a regular proxy type of servlet that can accept requests and
>> validate them using our security model
>> 3. Figure out a way to secure the filesystem using a Proxy server of some
>> type.
>>
>> Any other thoughts or ideas are appreciated. Thanks in advance
>>
>>
>>
> Filter and container enforced security is mainly good for pattern based
> criteria. Are you looking to give permissions based on a name pattern,
> like *.pdf, or somedir/*.pdf? Otherwise you need a database of
> permissions and mappings, such as what Jaas/SecurityManager based
> applications rely on.
> On top of that, your options may be limited by how your security model
> works. For example, you /could/ use a separate servlet a la web.xml, but
> if your security model relies on all requests going through one servlet,
> you're better off with a filter.
>
> Savvy?
> --Ryan

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
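The following is an added example of idea 1 from the thread (a servlet filter in front of the file requests); it is not code from either poster. It assumes the application's login code stores the user id in the HTTP session under an attribute named `app.userId`, and that the application's own permission check is exposed through a hypothetical `PermissionService` interface placed in the servlet context under `app.permissionService`. It deliberately decides on the container session rather than on a header forwarded by a proxy: a header is only trustworthy if the web server accepts connections from that proxy alone, whereas the session is set by the application itself.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter, mapped in web.xml to the URL space that serves the
 * application's associated files (e.g. <url-pattern>/files/*</url-pattern>).
 * Every request is denied unless the session carries an authenticated user
 * AND the application's own permission check allows that user to read the path.
 */
public class ProtectedFileFilter implements Filter {

    /** Session attribute under which the login code stores the user id (assumed name). */
    static final String USER_ATTR = "app.userId";

    /** Hook into the application's own security model (assumed interface, not a real API). */
    public interface PermissionService {
        boolean canRead(String userId, String resourcePath);
    }

    private PermissionService permissions;

    public void init(FilterConfig config) throws ServletException {
        // The application is expected to have registered its permission service
        // in the servlet context; refuse to start (fail closed) if it has not.
        permissions = (PermissionService) config.getServletContext()
                .getAttribute("app.permissionService");
        if (permissions == null) {
            throw new ServletException("app.permissionService not configured");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the container-decoded servlet path + path info rather than the raw URI,
        // so the path that is checked is the one the default servlet will actually serve.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // Reject traversal-looking paths before consulting the permission store.
        if (path.contains("..") || path.contains("\\")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        if (userId == null) {
            // Not logged in through the application: a bookmarked or emailed URL stops here.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!permissions.canRead(userId, path)) {
            // Logged in, but the application's roles/permissions do not cover this file.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authenticated and authorised: let the container serve the file, and tell
        // browsers and intermediaries not to keep a copy of the protected content.
        response.setHeader("Cache-Control", "private, no-store");
        chain.doFilter(req, res);
    }

    public void destroy() {
        permissions = null;
    }
}
```

The filter only enforces what reaches the servlet container, so the files must not also be reachable directly from the web server's document root, and the filter's `<filter-mapping>` must cover every URL pattern under which the files are served.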