Hi
i am using apache tomcat.
i have a jsp file for entering user name and password and a java bean for authentication.
after user have been authenticated i create a session variable with the user name and another by the name of "authenticated" with the value true.
i want to allow file download only after the session variable "authentication" == true;
i also want to do some processing before the download (registering the user name who downloaded..)
the problem:
lets say i have the file "download.bin" inside directory "/downloads"
so anyone who go directly to url "downloads/download.bin" will get the file.
1.can i prevent direct download of the file
2. enable the file download only after session authentication.
thanks.
You can prevent the file from being directly downloaded. One common way to do that would be to put your /downloads folder inside of the WEB-INF. Create a servlet which checks your authentication flag and then sends the file to the user.
A users request may look something like the following:
http://localhost/myApp/downloadServlet?filename=download.bin
Since content inside the WEB-INF is not available publicly, you can hide your files there.
Related
I use current stable version of Nextcloud (nextcloud docker image). I want to disable an authentication window when user enter the site. Is it possible? I found only anonymous upload feature in official doc.
Nextcloud is build around the concept that each user has it's personal (cloud) folder where he can upload, edit and share files. Therefore you cannot access the "normal" user interface without a log in.
However it is possible for any user to share files/folders via a link and allow editing of them without login:
https://docs.nextcloud.com/server/latest/user_manual/en/files/sharing.html#public-link-shares
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/file_sharing_configuration.html
But just in case you rally want to give all anonymous visitors of your Nextcloud instance the option to upload and edit files anonymously, here is a possible solution:
Create a folder anonymous with your admin account
Share it via link and allow editing
In your admin settings, go towards Theming: https://your-domain.com/settings/admin/theming
Set Anonymous Usage as Name and your shared link as Web link
Now if you log out and access your Nextcloud instance, you'll see a link at the very bottom called Anonymous Usage that you (and your clients) can follow to upload files/folders or edit existing ones. All files uploaded via that link will be stored inside the anonymous folder and will be owned by your admin account. So make sure to set the storage quota on that account high enough.
Be ware that
by visiting your Nextcloud instance anyone could delete all files inside anonymous as he doesn't need to authenticate himself.
the visitors are not fully anonymous, as there are probably some log files of Nextcloud and your Webserver with their IP addresses.
Problem
I have a website that uses Basic Authentication and has multiple different logins. I'd like a way to tell, using javascript, the username of the person currently logged in.
I checked the cookies and the basic Authentication credentials are not stored there.
Stack
I'm using Apache configured with a .htaccess and .htpasswd file so using the backend to tell the frontend which user is logged in is not an option.
Goal
The problem I'm trying to solve is really simple, I want my website to display the username of the person currently logged in.
Not without a tiny bit of PHP. Javascript executes on the client and as you have already discovered, the username is not sent from the server so you will need something at the server end to send that userid.
Here is how:
As your page is generated at the server, it uses a small piece of PHP to add the username into your JavaScript and that's how JavaScript has it at the client to do with it what it needs.
Note, the userid wont change until the page is requested again by a different user, so it's not something that needs to be dynamic at the client side mid session.
PHP generates the page at server end when user logs in it includes it in the JavaScript code on the page. Where you want that name in your JavaScript you put it there using <?php echo $_SERVER['REMOTE_USER']; ?>. File extension will need to be .php for your file on the server that has your html and JavaScript code.
I have a secondary application that drops new folders into my Laravel application on a daily basis. The contents of the folder need to be publicly accessible because they're flash files with a number of assets placed in each day's folder, alongside static .html pages, .jpgs, and .swfs. These links are part of the secondary application's vendor-coded framework.
Moving the files from a non-web accessible folder using php doesn't seem like a good option. I've tried using readfile() and considered .htaccess, but I don't want a secondary login for my users.
Only users who have logins with my Laravel application should have access to these files. Is there some way I can protect access to any request inside this folder with Laravel's Auth system, not basic auth? With the understanding that the page requests inside that folder vary?
From extensive searching, I've found that Laravel cannot handle the protection of public folders with static assets. This is a web server configuration issue.
One solution would be to set a cookie that gets read by the web server and bounces the user if the cookie value does not match a predetermined value. But Laravel encrypts cookies and disposes of cookies not encrypted on each load. So that solution would only work if you use App::filter to process the cookie using php setcookie().
I am developing a sling WCMS.
When I call address [e.g. 'http://localhost:8080/apps/bcms/pages/test.jsp'] of a page in the browser, a save dialog box will appear and ask to save jsp file.
How to prevent jsp pages accessible via direct addressing?
Just remove the permissions for anonymous. The script resolution and execution runs with the script user.
My project use htaccess files to restrict access to the server resources. The access is granted with an HTTP authentication.
I want to leave HTTP authentication and use a php-session-like login authentication to check access.
What I want to do could be simply done in a script like:
<?php
session_start()
if ( !isset($_SESSION['user']) ) {
header('location : /login.php');
exit;
}
//...also we could use url rewriting to redirect all urls pointing to static resource through
// a script that will deliver its content or redirect to the login form depending on
// identification status
Using php for dynamic pages is not a problem, but how to I grand access to Static resource using a session id passed with cookies in apache ?
I've seen questions related to cookie based redirection in apache, but none of them treat about identifying a user based on a sessionId passed by cookie.
For HTML content, keep your "static" content in PHP scripts whose only "dynamic" feature is that they contain a common header included for checking login/session.
For images, css, javascript, documents, anything else, this more extensive discussion will be of help.