From: Jesse T. <jt...@oe...> - 2013-01-10 18:36:35
hmmm, I see that I seem to be using my own hyperlinks to download attachments. I doubt I did that intentionally, but since I store the files in a certain way, I know the final URL, and the binary is stored in amazon s3 somewhere, like you.

so, either fixing or creating your own -- what is it that you really have to know when someone downloads? do you require the actual stream to authenticate that the user's session indeed called the URL, like in cases of secured, banking-type documents? that typically requires an expiring URL that gets tossed into a 'used byte bin' after the stream starts. in a case I had like that, some years ago -- I had to actually use WO to vend the bytes from a secure location behind the app firewall; that avoided apache, and the files could not be read by anything but the WO app etc. etc. etc.

if you have such serious requirements for security, I'd guess you'd want your own URL handling anyway? not sure if that's helpful but...

On Jan 10, 2013, at 4:56 AM, Robin Smith <rob...@cl...> wrote:

> Hi Jesse
>
> I think we may be talking about different things. ERAttachmentLink is used
> to create a hyperlink on your page to download ERAttachments, in our
> case from s3. Put simply, the url that the link creates doesn't include
> the session id.
>
> Many Thanks
>
> Robin
>
> On 9 January 2013 23:39, Jesse Tayler <jt...@oe...> wrote:
>>
>> well, me thinks file upload is done without a session that way because uploading files takes a long time and can cause session timeouts on its own.
>>
>> is that what you mean?
>>
>> as for your security issue? I am not certain why you lose visibility about who is logged in? certainly you should be able to do this in a reasonably secure way, so I don't entirely follow what is going on there.
>>
>> On Jan 9, 2013, at 12:43 PM, Robin Smith <rob...@cl...> wrote:
>>
>>> Hi All
>>>
>>> We have a question regarding ERAttachmentLink: following the code through, it
>>> seems that it doesn't preserve the session when it creates the links.
>>> The reason this is important is that, using a custom handler to check
>>> that our currently logged in user can access the given attachment, we
>>> lose all visibility of who is actually logged in.
>>>
>>> If the app is using cookies for its sessions all is fine, as the
>>> session is retrieved from the cookie, but if the session is in the url
>>> then it all breaks down. I can obviously tweak ERAttachmentLink to
>>> preserve the session if needed, but before I started I wanted to know
>>> if there is any reason why it was done in this way.
>>>
>>> Many Thanks
>>>
>>> Robin
>>>
>>> --
>>>
>>> ------------------------------
>>> Click Travel Ltd
>>> Taking business travel and expenses one step further
>>> http://www.clicktravel.com
>>>
>>> Winner of "Best Business Travel Management Company" at the Business Travel
>>> Awards (2012 & 2009) and the Travel Trade Gazette Awards (2011). We're also ranked
>>> 22nd in the 2012 Sunday Times Hiscox Tech Track 100.
>>>
>>> For all the latest Click news please visit our blog:
>>> http://clicktravel.com/blog
>>>
>>> Think: Do you really need to print this email?
>>>
>>> _______________________________________________
>>> Wonder-disc mailing list
>>> Won...@li...
>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>
> --
> Robin Smith
> Engineering Team Leader BEng (Hons) MBCS
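The scheme Jesse describes above (an expiring link that is thrown into a "used byte bin" once the stream starts, with the app itself vending the bytes) also answers Robin's problem: if the link is minted on the page, where the session and the logged-in user are known, the download handler no longer needs a session id in the URL at all, because the token already states who it was issued to and for which attachment. The following is an added example written for this thread; it is not code from Project Wonder or ERAttachmentLink, and it is in Python rather than WO's Java so that it runs stand-alone. The secret key, the reader table `ATTACHMENT_READERS`, the user and attachment ids and the base URL are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret: in a real app load it from configuration,
# never from source. Any value works for the demo.
SECRET_KEY = b"example-only-replace-in-production"

# Constructed access-control data: which users may read which attachment.
# Stands in for whatever the application's own authorization check is.
ATTACHMENT_READERS = {
    "att-1": {"alice"},
    "att-2": {"alice", "bob"},
}

# The "used byte bin": nonces of tokens whose download has already started.
# In-memory here; a multi-instance deployment needs a shared store.
_used_nonces = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_download_token(attachment_id, user_id, ttl_seconds=60, now=None):
    """Mint a token at page-render time, when the session (and user) is known.

    Returns None if the user may not read the attachment, so an unauthorized
    user never receives a link in the first place.
    """
    if user_id not in ATTACHMENT_READERS.get(attachment_id, ()):
        return None
    now = time.time() if now is None else now
    claims = {
        "att": attachment_id,
        "uid": user_id,
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_urlsafe(16),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def make_download_url(base_url, attachment_id, user_id, ttl_seconds=60, now=None):
    """Build the link the page embeds. No session id goes into the URL:
    the signed token already says who the link was issued to."""
    token = make_download_token(attachment_id, user_id, ttl_seconds, now)
    if token is None:
        return None
    return base_url + "?" + urlencode({"token": token})


def verify_download_token(token, now=None):
    """Called by the download handler, which has no session. Returns the
    claims if the token is authentic, unexpired and unused, else None.
    A successful check consumes the nonce, so the link works exactly once."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:          # malformed token or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None             # forged or tampered
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None             # expired
    if claims["nonce"] in _used_nonces:
        return None             # replayed
    _used_nonces.add(claims["nonce"])
    return claims


def handle_download_request(url, now=None):
    """Handler side: pull the token off the request URL and vend the bytes
    only if it verifies. Returns the attachment id to stream, or None."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    claims = verify_download_token(token, now)
    return None if claims is None else claims["att"]


if __name__ == "__main__":
    url = make_download_url("https://example.test/wa/download", "att-2", "bob")
    print(url)
    print(handle_download_request(url))   # attachment id on first use
    print(handle_download_request(url))   # None: nonce already consumed
```

Two caveats a practitioner would want. First, the single-use property only holds because the application is the one serving the bytes, as Jesse did with WO behind the firewall: an S3 pre-signed URL can expire, but S3 has no notion of "already used", so a leaked pre-signed link stays valid until its expiry. Second, the authorization decision is taken when the link is minted, so a user whose access is revoked after the page was rendered can still use an unexpired token; keep `ttl_seconds` short, or re-check `ATTACHMENT_READERS` (or the app's real check) against the `uid` claim inside the handler as well.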