Question

fileID and Cloud security

1

Hello Forum users, At this moment I am working on a cloud application which is used by different Users which may not/cannot see each other data. But when I create files (like PDF), the browser show (when downloading) http://localhost:8080/file?fileID=46. If I log in with a other user and change the fileID to 46 (the fileID from an other user) i can download his file. Is it possible to prevent this form happening? ie a timestamp behind the file id? Kind regards, Mike

asked 2012-05-22

Mike Vermeer

1 answers

Sebastiaan van den Broek · Answer 1 · 2012-05-22

I don't think you set your security properly in the domain model because you can't access other people's objects like this normally if you configured your security to disallow this (with an xpath constraint).

Adding a timestamp after the file id would be 'security through obscurity' and not really safe.

So if you make sure (by setting security) the other user can't access the FileDocument object then he will also be unable to download the actual content of the file.