I have a GWT application that among many things shows PDFs that are stored on the server side. I have a security related question, as described below.
// Server side (GWT-RPC service, RemoteServiceServlet): record the authenticated user's id in the HttpSession
HttpSession session = getThreadLocalRequest().getSession();
session.setAttribute("USER", userId);
I have a separate servlet that is responsible for locating and delivering PDF content back to the browser when requested. When the user clicks a button in the GWT client, I open a new browser window and address the servlet to produce the desired PDF. A reference to the name of the PDF required is stored in a client side cookie (and transmitted in the HTTP request).
Window.open(GWT.getModuleBaseURL() + "Showpdf", "PDF Viewer", "");
The servlet needs to check that whoever is making the request is authorised to view the PDF requested, and checks the user name stored in the HttpSession earlier:
HttpSession session = request.getSession();
String user = (String)session.getAttribute("USER");
// Do whatever is required to check the user can access the required PDF
Is this approach safe from hacking? Is there a way the user name can be spoofed by a hacker to gain access to a PDF they are not authorised for? Is there another way of doing this?
Thanks
Simon
-- Simon
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/qPvb-wP7YFIJ.
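Added example (not part of Simon's post, and not GWT or project code): one way to write the Showpdf servlet so that the two trust boundaries in the question are handled separately. The user id is taken only from the server-side HttpSession, which a client cannot edit directly (an attacker would need the session cookie itself, not a spoofed name). The PDF name, which arrives in a client-side cookie, is the untrusted input: it is validated against a strict file-name pattern, checked against a per-user authorisation lookup, and resolved under a fixed directory before anything is streamed. The cookie name "pdf", the directory "/var/app/pdfs", the ACL map and the user names are assumptions made up for the example; it targets javax.servlet and Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ShowpdfServlet extends HttpServlet {

    // Assumption: all PDFs live under one directory outside the web root.
    private static final Path PDF_ROOT = Paths.get("/var/app/pdfs").toAbsolutePath().normalize();

    // Assumption: the client-side cookie is named "pdf" and carries only a file name.
    private static final String PDF_COOKIE = "pdf";

    // Only plain file names are accepted; "../", "/" and "\\" can never match this.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.pdf$");

    // Constructed stand-in for the real authorisation data: user id -> PDFs that user may view.
    private static final Map<String, Set<String>> ACL = Map.of(
            "alice", Set.of("invoice-2023.pdf", "contract.pdf"),
            "bob",   Set.of("invoice-2023.pdf"));

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Identity comes from the server-side session only, never from request data.
        //    getSession(false) avoids creating an empty session for anonymous callers.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("USER");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. The PDF name is client-controlled: read it, then validate it strictly.
        String name = cookieValue(request, PDF_COOKIE);
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Authorise this user for this specific document; deny by default.
        if (!isAuthorised(user, name)) {
            // 404 rather than 403 so unauthorised users cannot probe which names exist.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Defence in depth: the resolved path must still lie inside PDF_ROOT
        //    even if the name pattern above were ever loosened.
        Path file = PDF_ROOT.resolve(name).normalize();
        if (!file.startsWith(PDF_ROOT) || !Files.isRegularFile(file)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 5. Stream the file; "inline" lets the new browser window render it.
        response.setContentType("application/pdf");
        response.setHeader("Content-Disposition", "inline; filename=\"" + name + "\"");
        response.setHeader("Cache-Control", "private, no-store");
        try (InputStream in = Files.newInputStream(file);
             OutputStream out = response.getOutputStream()) {
            in.transferTo(out);
        }
    }

    // Returns true only if the ACL explicitly lists this PDF for this user.
    static boolean isAuthorised(String user, String pdfName) {
        Set<String> allowed = ACL.get(user);
        return allowed != null && allowed.contains(pdfName);
    }

    private static String cookieValue(HttpServletRequest request, String cookieName) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }
}
```

The same validation and per-document authorisation apply unchanged if the PDF name is passed as a query parameter on the Window.open URL instead of a cookie; what matters is that the servlet never trusts the name to imply permission, and that the only thing it trusts for identity is the session the container already authenticated.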