-1

I want to restrict the direct download of a file on my site (let's say www.me.com/asd.txt) but permit my Java applet at www.me.com/javaapplet.jar to download it. Is there a simple way to do this? I'm not sure if it's relevant, but the server is running Apache 2.2.24.

Thanks in advance for your help, sboda

ChrisGPT was on strike
sboda
  • Have you actually tried anything you'd like to share with us? – Mad Physicist Feb 04 '14 at 16:26
  • It's possible to make it _difficult_ for someone to download it directly but impossible to prevent a determined user from accomplishing the task. You could send the file encrypted and decrypt it in the applet, but the applet would have to contain the decryption key and could be reverse engineered. – Jim Garrison Feb 04 '14 at 16:33
  • Yes, because of the reverse engineering I'm afraid to do so (especially after I saw what JD-GUI is capable of), and I was curious if it's possible to allow just the applet to download the file. @Mad physicist no, I haven't tried anything, because rewriting .htaccess with rewrite rules will not work in this case... – sboda Feb 04 '14 at 16:42
  • If the applet can download it, all someone has to do is watch the traffic with Wireshark to get the hidden URL. This question gets asked all the time and the answer is always the same: You can't. – Jim Garrison Feb 04 '14 at 16:47
  • @JimGarrison If the applet is using HTTPS to get the file, the attacker will have to break SSL/TLS to read the URL, which is much more work than just using Wireshark. – lreeder Feb 04 '14 at 17:03

2 Answers

0

A secure way to do this is to require client certificate authentication for applets that want to download your file. Here's an example that uses the Apache HTTP Client.

You'll also need to create a self-signed client certificate that you provide to "valid" users through some other channel (like a web page with a required login), and you'll need to tell your HTTP server about the self-signed certificate. Here's a way to set up a self-signed client certificate if you are using Tomcat: Tomcat Server/Client Self-Signed SSL Certificate. Of course, other HTTP servers will have different procedures.

There are some issues using the browser certificates with the Java plugin that will require your users to do some work exporting the browser certificates for use with the Java plugin. See http://download.java.net/jdk7/archive/b126/docs/technotes/guides/deployment/deployment-guide/upgrade-guide/article-16.html

Community
lreeder
  • Thanks, but I hoped that there was a way that could completely exclude the user interaction! I think that I will give your suggestion a try anyhow. – sboda Feb 05 '14 at 09:37
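
For the Apache 2.2 server named in the question, the client-certificate requirement described in the answer above can be expressed with mod_ssl as follows. This is an added example, not part of the original answer; the host and file name come from the question, and the certificate paths and the `applet-clients.crt` file name are assumptions.

```apache
# Plain-HTTP virtual host: never serve the protected file without TLS.
<VirtualHost *:80>
    ServerName www.me.com
    <Files "asd.txt">
        # Apache 2.2 access-control syntax: deny every request for this file.
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.me.com
    SSLEngine on

    # Server certificate and key (assumed paths).
    SSLCertificateFile    /etc/ssl/certs/www.me.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.me.com.key

    # Certificates trusted for client authentication (assumed path): the
    # self-signed client certificate itself, or the CA that issues client
    # certificates.
    SSLCACertificateFile  /etc/ssl/certs/applet-clients.crt

    # The rest of the site, including javaapplet.jar, stays reachable
    # without a client certificate.
    SSLVerifyClient none

    # Matches any file named asd.txt served by this virtual host.
    <Files "asd.txt">
        # Refuse the request unless the client presents a certificate that
        # verifies against SSLCACertificateFile. Because this is a per-file
        # setting, Apache 2.2 renegotiates the TLS session when the file
        # is requested.
        SSLVerifyClient require
        # Depth 1: the client certificate is self-signed or signed by a CA
        # listed directly in SSLCACertificateFile.
        SSLVerifyDepth  1
    </Files>
</VirtualHost>
```

Anyone who holds the client certificate's private key can fetch the file, so a key shipped inside the applet jar carries the same reverse-engineering exposure raised in the comments on the question; the answer above has the certificate handed to users through a separate channel such as a login-protected page.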
-1

Use a private key. The file can only be downloaded if the private key is passed along with the request.

Varun Achar