0

I'm developing a desktop application in Java (J2SE).
My app stores some data about users. The app is multi-user and will be installed on a single station.
Each user can have some documents that should be stored in the file system (e.g. image, audio, ...).
I need to protect these files from being accessed directly by unauthorised users.
Users are defined in the app itself (I need the files to be accessible only via the application).

How can I protect these files from unauthorised access?

I thought about storing the files on another system and accessing them via the network.
How can I do this (store/retrieve files on a secured network computer) in Java?

Is this a good method? Any better solution?

Thanks

EDIT:
Description:
My users are defined in the application: all users use the same computer; all users log in with the same username in the OS; each user logs in to the app with their own user/pass; each user should have access to the files that the application decides.
So users must not be able to open a file manager and traverse the directories that the files are stored in and copy them (while they don't have access to them).

Ariyan
  • I'm a bit confused. Is this a desktop app or a mobile app? Does this app need a server? How is a "user" defined here? OS user account, or an account based on some database? – nhahtdh May 29 '12 at 06:29
  • @nhahtdh: Desktop; J2SE; I thought talking about "single station" or a network computer showed it. I edited the question and added Desktop and J2SE – Ariyan May 29 '12 at 06:40
  • @nhahtdh: Accounts are defined in the app itself (I need the files to be accessible only with the application) – Ariyan May 29 '12 at 07:33
  • Please include this information clearly in the question. I probably will not answer, since I am not sure how this should be done. – nhahtdh May 29 '12 at 07:36

3 Answers

1

Instead of rolling out your own security solution - which will be cumbersome, almost certainly buggy, and with a high probability vulnerable to various attacks - simply use the operating system's filesystem permissions.

The easiest way to do that is to write your user data to the home directory of the current user. Other users will not be able to access it unless the user explicitly configures the directory's permissions to allow them.

If you want, you can also further restrict the permissions of your directory.

phihag
  • My users are defined in application: all users use same computer; all users login with the same username in OS; each user logs in app with their own user/pass; each user should have access to files that application decides. – Ariyan May 29 '12 at 07:36
1

Since all users use the same OS login account, it is impossible to use the OS's facilities to enforce access control, since the OS recognizes everyone as one person. I can only think of one (not-so-good, or quite bad actually) solution that doesn't require another computer: encrypt the files with each user's password. However, this means that all the files have to be re-encrypted every time the user changes their password, which introduces unacceptable delays and uses a lot of computational power.

There are plenty of other methods to hide the information from the user and only allow access from your program. Hiding can prevent most mediocre users from accessing the data, but determined people with programming skills will be able to make the data accessible. A simple example is to XOR all the bytes in the program, and/or permute the bytes with a number of fixed patterns. If the data is not that critical, this is a possible "solution".

I am not sure if there are any other methods without requiring another computer.

So that leaves only the option of storing the information on a separate computer. I think it is possible, but I don't know the details here.

Then there is this problem: user A opens a file from his app account, works with it, then he logs out of the app account and logs out of the common OS account, then user B logs into the common OS account. You have to make sure that after user A logs out of the app account, user B cannot see the file user A was working on.

I am not sure if this should be taken care of by the app or not.

nhahtdh
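As an added example (not from the question or any of the answers), the password-based encryption this answer sketches, arranged so that a password change does not re-encrypt every file: each file is sealed under a random per-user data key, and only that key is wrapped with a key derived from the app password via PBKDF2. The class name, iteration count and sample strings are assumptions; the files and the wrapped key are assumed to be stored in the application's data directory.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Per-user envelope encryption: each file is sealed with a random data key (DEK) and the DEK is
// sealed with a key derived from the user's password (KEK); a password change re-wraps only the DEK.
public class UserVault {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 600_000; // PBKDF2 work factor (assumed value)
    // Derive a 256-bit KEK from the app password and the user's stored salt.
    static SecretKey deriveKek(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // AES-GCM with a fresh 96-bit nonce; output layout is nonce || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12]; RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // AEADBadTagException on wrong key or tampering
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16], dek = new byte[32];
        RNG.nextBytes(salt); RNG.nextBytes(dek);       // salt and wrapped DEK are stored per user, never the DEK
        byte[] wrappedDek = seal(deriveKek("old-pass".toCharArray(), salt), dek);
        byte[] fileBlob = seal(new SecretKeySpec(dek, "AES"), "user document".getBytes(StandardCharsets.UTF_8));
        // Password change: unwrap with the old KEK, re-wrap with the new one; fileBlob is not touched.
        wrappedDek = seal(deriveKek("new-pass".toCharArray(), salt),
                          open(deriveKek("old-pass".toCharArray(), salt), wrappedDek));
        byte[] dekNow = open(deriveKek("new-pass".toCharArray(), salt), wrappedDek);
        System.out.println(new String(open(new SecretKeySpec(dekNow, "AES"), fileBlob), StandardCharsets.UTF_8));
    }
}
```

Anyone on the shared OS account can still copy the ciphertext, and the data key sits in the application's memory while a user is logged in, so this protects the files at rest only; the access-control decision still has to be enforced by the application.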
0

One option would be to use SFTP. This way you can leverage SFTP's security features. But of course this will need some plumbing code to be written around it.

Santosh