
I implemented a download servlet based on @wen's answer in "Implementing a simple file download servlet".

web.xml

<servlet>
     <servlet-name>DownloadServlet</servlet-name>
     <servlet-class>com.myapp.servlet.DownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
     <servlet-name>DownloadServlet</servlet-name>
     <url-pattern>/download</url-pattern>
</servlet-mapping>

DownloadServlet.java

public class DownloadServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

         String id = request.getParameter("id");

         String fileName = "";
         String fileType = "";

How can I prevent the download servlet from being activated by someone who is not logged in?

I have a ClientSession object that holds all the details of the login but I do not know how to access it from within the download servlet.

For instance, if I put a token in the request, then how could I validate this token against the ClientSession object?

gordon613

1 Answer


You should get the client session from the HttpSession.

ClientSession clientSession = (ClientSession) request.getSession().getAttribute("client_session_info");

Naturally when you log in you must store your clientSession into the HttpSession like this:

session.setAttribute("client_session_info", clientSession);

I don't know how you log your user in, but you should be able to access the HTTP session object and store your data in it.

minus
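The session check from the answer above, written as a servlet filter in front of the /download mapping so that it runs before DownloadServlet. This is an added example, not code from the question or the answer; the class name DownloadAuthFilter, the use of the javax.servlet API with Servlet 3.0+ annotations, and the 403 response are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the page): guards the /download mapping from web.xml.
@WebFilter("/download")
public class DownloadAuthFilter implements Filter {

    // Attribute name the answer uses when storing the ClientSession at login.
    static final String SESSION_KEY = "client_session_info";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null for callers without a session,
        // instead of creating a fresh, empty session for every anonymous request.
        HttpSession session = request.getSession(false);
        Object clientSession = (session == null) ? null : session.getAttribute(SESSION_KEY);

        if (clientSession == null) {
            // Not logged in: refuse before the servlet reads the "id" parameter.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Login required");
            return;
        }

        // Logged in: hand the object to DownloadServlet as a request attribute.
        request.setAttribute(SESSION_KEY, clientSession);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

If the deployment descriptor sets metadata-complete="true", the annotation is ignored and the filter has to be declared in web.xml with a filter-mapping for /download.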