
Thread: Deny PDF viewing through URL

  1. #1 David Watanabe (Member, joined Jan 2007, 17 posts)

    I'm trying to restrict PDF access to only logged-in users that have group permission to the link field in a component I set up. I have the Security Framework enabled on the Application Server, and security group settings set on my component, but I can't seem to open any PDF through the component. I get a 403 error message saying "Your security credentials do not allow access to this resource."

    I found that I could open PDF files by always allowing the file type (*.pdf) via Page Security Assignment. The problem with this is that it's always allowed, so a person could easily open a PDF through the URL without logging in.

    How do I restrict the PDF viewing to only logged-in users that belong to a particular group through the component I created?

    BTW, these are PDFs that are already generated, meaning they aren't created on the fly from Alpha 5. Rather these PDFs were generated through another application, and transferred to the Application Server for viewing through A5W pages.

    Any help will be great.

    Thanks

  2. #2 Robert (Bob) Moore (Member, Boston, MA, joined Jul 2003, 440 posts)

    David,

    A nice way to implement this would be with security assignments to folders and files, the same way Unix does. I don't think the WAS security system includes this.

    You can encrypt the pdf file and require a login password to view the file. You could also hide the URL through the use of a flash button and javascript to launch a window with limited controls.

  3. #3 David Watanabe (Member, joined Jan 2007, 17 posts)

    I have WAS installed on a Windows machine, but I am familiar with UNIX permissions. What's the Windows security group that needs access to the folder that contains the PDFs, and do I only give read-only permission? But if a user that doesn't belong to the Alpha security group tries to open PDF files, could they view them by typing in the URL after logging in? If this can't be done, I think Alpha Software should develop this, as how would people comply with confidentiality of data and files when unauthorized users can view data that they shouldn't be viewing?

    I'm still afraid that someone could accidentally find the PDF, even though I had a flash button or js script to limit what the user can see in the new window.

    Thanks.

  4. #4 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    It's very common on websites to have a link that says "Click here to download this document" and when you click it, you get a new page that says "OK, click here to view that document you expected to see".

    So, don't provide a link that directly opens the PDF. Instead provide a link to a new A5W page and on that page provide a link to the PDF (probably served up by a grid component). Difference? You can control who gets to that 2nd page via Group Security or other measures. Using a calculated field you can also toggle that link field to either be a static text value of "SORRY YOU DON'T HAVE ACCESS" (or not appear at all) or a valid hyperlink to the 2nd page.

    You can also store the PDFs outside of your document root and then use Xbasic to copy that PDF from its outside location to a location within the virtual root (so your user can get to it with their browser), and only then will the link to the PDF work. When you copy it, also create a new folder to put it in. You've seen those 128-bit obscure folder names when you use sophisticated web applications. Later you can delete that whole folder. They can't guess the URL in that case.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  5. #5 David Watanabe (Member, joined Jan 2007, 17 posts)

    Thanks, Steve, for replying. Let me give some background info: we are trying to create secure statement presentment online for our customers, thus the reason for confidentiality. We cannot afford to have a hacker figure out how to get access to the folder that contains the PDFs.

    Everything is still in a test phase on our internal WAS test server, on which we have a PDF folder that the A5W pages can access PDF files from. We have dummy PDFs to simulate viewing PDF files. In terms of security, should the PDF files be on a separate WAS server? If so, how would the A5W pages pull the PDF files over for viewing?

    I'm still thinking that the folder that contains the PDFs still needs to be accessed by the WAS server, so it could potentially be found through the URL if File Access for *.pdf is always allowed, correct? If I disable the file access to *.pdf, even if I put the PDF into a component, the page would error out, correct?

    BTW, how do you get a PDF to appear in a component?

    Thanks

  6. #6 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    I thought I answered all that. If the PDF is anywhere under the document root, someone can 'guess' the URL. If you follow my method, you make it temporarily available under the root, but store it outside, so no one can access other than during that brief period of time.

    Another option is to use obscurity: make either the PDF name or a subfolder so complex that no one can guess it.

    You 'put a PDF in a component' by creating a link field with the full http:// path to the PDF file.

  7. #7 David Watanabe (Member, joined Jan 2007, 17 posts)

    Originally posted by Steve Wood:
    You can also store the PDFs outside of your document root and then use xbasic to copy that PDF from its outside location to a location within the virtual root (so your user can get to it with their browser) and only then will the link to the PDF work. When you copy it, also create a new folder to put it in. You've seen those 128bit obscure folder names when you use sophisticated web applications. Later you can delete that whole folder.

    Hi Steve,
    I never really caught on to what you said about copying and deleting the PDF until now (newbie moment :)). What would be the code I would use to create a temporary folder, copy the selected PDF from the root folder to that temp folder, and, when they close the browser, delete both the temporary folder and the PDF?

    Thanks,
    -David

  8. #8 Jesse Sanders (Member, Lancaster PA, joined Jul 2000, 107 posts)

    David,
    I also deliver PDF reports to my customers over the web, but I do it a little differently. The data for the PDF is in a DBF record. My customer needs to choose a record through a grid component.
    The grid has a link to an a5w page:
    "Print_Man.a5w?Sample_No={Sample_No}"

    The link has the following code:
    Code:
    <%a5
    if eval_valid("Sample_No")
       dim filter as c
       dim order as c
       filter = "Sample_No = " + quote(Sample_No)
       order = ""
       dim filename as c
       ' the report is written into the session folder, which is removed when the session ends
       filename = session.session_folder + chr(92) + "Man_Results.pdf"
       filename = report.saveas("Manure_Auto_Print@[PathAlias.ADB_Path]\Manure_data.dbf", "pdf", filter, order, filename, .f.)
       if file.exists(filename)
          ' the time stamp on the query string keeps the browser from showing a cached earlier report
          response.redirect(session.session_url + "Man_Results.pdf?" + time("hms3"))
       end if
       end
    else
    %>
    <!-- no Sample_No was passed: the page's normal HTML goes here -->
    <%a5
    end if
    %>
    This way I create the PDFs on the fly using a report format. I do not have to store, move or call them on the server. I make them as they are needed and they are destroyed when the session is over.
    I control which customers see which records with filters on the grid, so no one can see another's data, and without a secure login no one gets near the data page.

    I hope this helps.
    Jesse
    Last edited by AaronBBrown; 07-31-2007 at 04:13 PM.

  9. #9 David Watanabe (Member, joined Jan 2007, 17 posts)

    Hi Jesse,
    That's great, and I'll keep that in mind. Similar to what you have, I have links to my PDFs in a grid, but the PDFs that I have are not reports, so they can't be generated on the fly. I've created the PDFs beforehand, and I only want certain users to see them, thus requiring them to log in. The bad thing is that if I want the users to see them I have to Always Allow the PDF extension, which allows users to get to the PDFs without logging in. It's too bad that Alpha 5 doesn't have extensions or maybe folders that require users to log in before viewing them, instead of an all-or-nothing deal.

    Anyway, to work around this, I thought Steve's idea was pretty good. Would you know the code to copy PDFs from a restricted folder to the site folder (maybe in a randomly generated folder name), serve it to the person requesting it, and delete it when they close it?

    Thanks,
    -David

  10. #10 Lenny Forziati (Alpha Software Employee, joined Nov 2001, 4,682 posts)

    There's no need to copy things around and you do not need to configure your security to always allow or deny PDF files.

    Store your PDF files in a directory outside of your web root, so they are never directly accessible. Then use an A5W page to provide access to them. You can either set security on that A5W page as desired, or you can use some Xbasic in it to allow or deny access based on the user and/or requested PDF.

    An example of the A5W page would be:

    Code:
    <%a5
    dim pdf as c
    dim pdf_folder as c = "c:\my_pdf_library\\"
    dim pdf_file as c
    
    if PDF = "" then
        ? "Please specify a PDF file to view"
    else
        pdf_file = pdf_folder + pdf
        if file.exists(pdf_file) then
            Response.body = file.to_blob(pdf_file)
            Response.mime_type = "application/pdf"
        else
            ? "Sorry, that PDF does not exist"
        end if
    end if
    %>
    With this file, you would then create a link such as http://yourserver/pdfviewer.a5w?pdf=foo.pdf. The security framework would then allow or deny the request based on your settings. If allowed, it would look for c:\my_pdf_library\foo.pdf and display it in the browser if it exists on the server. To access notfoo.pdf, you would change the URL to http://yourserver/pdfviewer.a5w?pdf=notfoo.pdf

    With this setup, the security setting for .PDF files does not matter because you are not accessing a .PDF file with the browser. Rather you are accessing an A5W page, which can have any security setting you'd like, and it is returning PDF content. The browser itself does not care that you requested something.a5w instead of something.pdf, it looks at the MIME type (which the example set to "application/pdf") and handles this as it does any other PDF content.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation
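The gated-page pattern Lenny describes, written out as an added example in Python rather than Xbasic; this is not code from the thread or from Alpha Software. It assumes a library folder outside the web root, a hypothetical security group named "statements", and small Session/Response types that stand in for the server's session and response objects. The point it adds beyond the A5W snippet is the file-name check: the ?pdf= value is appended to a server-side folder, so the handler accepts only a bare .pdf file name and re-checks that the resolved path is still under the library root before reading it.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample data: a library folder that is NOT under the web root,
# holding two small PDF-like files. Names and contents are made up for this example.
LIBRARY_ROOT = tempfile.mkdtemp(prefix="pdf_library_")
for _name, _body in (("foo.pdf", b"%PDF-1.4\n% sample foo\n%%EOF\n"),
                     ("notfoo.pdf", b"%PDF-1.4\n% sample notfoo\n%%EOF\n")):
    with open(os.path.join(LIBRARY_ROOT, _name), "wb") as _fh:
        _fh.write(_body)

REQUIRED_GROUP = "statements"   # hypothetical security-group name


@dataclass
class Session:
    user: Optional[str] = None              # None = not logged in
    groups: Set[str] = field(default_factory=set)


@dataclass
class Response:
    status: int
    mime_type: str
    body: bytes


DENIED = b"Your security credentials do not allow access to this resource."


def resolve_pdf(library_root: str, requested: str) -> Optional[str]:
    """Map the ?pdf= value to a file inside library_root; None if unsafe or missing."""
    # Accept a bare file name only: no path separators, no parent-directory references.
    if not requested or "/" in requested or "\\" in requested or requested in (".", ".."):
        return None
    if not requested.lower().endswith(".pdf"):
        return None
    root = os.path.realpath(library_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # Second line of defence: the resolved path must still sit under the library root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def pdf_viewer(session: Session, requested: str) -> Response:
    """Python equivalent of pdfviewer.a5w: authorise first, then return the bytes as PDF."""
    if session.user is None or REQUIRED_GROUP not in session.groups:
        return Response(403, "text/plain", DENIED)
    if not requested:
        return Response(400, "text/plain", b"Please specify a PDF file to view")
    path = resolve_pdf(LIBRARY_ROOT, requested)
    if path is None:
        return Response(404, "text/plain", b"Sorry, that PDF does not exist")
    with open(path, "rb") as fh:
        # The browser keys off the MIME type, not the .a5w in the URL.
        return Response(200, "application/pdf", fh.read())


if __name__ == "__main__":
    alice = Session("alice", {"statements"})
    print(pdf_viewer(alice, "foo.pdf").status)          # 200
    print(pdf_viewer(Session(), "foo.pdf").status)       # 403
    print(pdf_viewer(alice, "../secrets.pdf").status)    # 404
```

The .pdf security setting never comes into play because the browser only ever requests the handler page; the two checks inside resolve_pdf are what keep the handler from becoming a general file reader for the server.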

  11. #11 Lenny Forziati (Alpha Software Employee, joined Nov 2001, 4,682 posts)

    Also, if you still want to copy files to a temporary location for web access, use the session folder. It is unique to the session, cannot be accessed by a different user, and is automatically cleaned up for you. Look up session.session_folder and session.session_url if you want to go this route.

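The copy-to-a-temporary-web-location approach from Steve's post #4, Jesse's session-folder redirect in post #8 and Lenny's session-folder advice above, as an added Python example that is not code from the thread or from Alpha Software. It assumes a stand-in web root and library folder, a host name of http://yourserver as in the thread's links, and a Session class whose session_folder and session_url attributes mirror the names Lenny points to; the folder layout and the 128-bit random name are assumptions of this example.

```python
import os
import secrets
import shutil
import tempfile

# Constructed folders for this example: a stand-in web root and a library outside it.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot_")
LIBRARY_ROOT = tempfile.mkdtemp(prefix="pdf_library_")
with open(os.path.join(LIBRARY_ROOT, "statement-2007-07.pdf"), "wb") as _fh:
    _fh.write(b"%PDF-1.4\n% constructed sample statement\n%%EOF\n")

BASE_URL = "http://yourserver"   # hypothetical host name, as in the thread's example links


class Session:
    """Stand-in for session.session_folder / session.session_url (hypothetical layout)."""

    def __init__(self) -> None:
        # 128-bit random folder name: unique to this session and not guessable.
        self.session_id = secrets.token_hex(16)
        self.session_folder = os.path.join(WEB_ROOT, "session", self.session_id)
        self.session_url = f"{BASE_URL}/session/{self.session_id}/"
        os.makedirs(self.session_folder)
        self.active = True

    def publish(self, library_file: str) -> str:
        """Copy one library file into the session folder and return the URL that now serves it."""
        if not self.active:
            raise RuntimeError("session has ended")
        name = os.path.basename(library_file)          # basename only: no path components
        src = os.path.join(LIBRARY_ROOT, name)
        if not os.path.isfile(src):
            raise FileNotFoundError(library_file)
        shutil.copyfile(src, os.path.join(self.session_folder, name))
        return self.session_url + name

    def published_path(self, url: str) -> str:
        """Translate a URL under session_url back to the file on disk."""
        if not url.startswith(self.session_url):
            raise ValueError("URL does not belong to this session")
        return os.path.join(self.session_folder, url[len(self.session_url):])

    def end(self) -> None:
        """What the server does when the session expires: delete the folder and everything in it."""
        shutil.rmtree(self.session_folder, ignore_errors=True)
        self.active = False


def is_served(session: Session, url: str) -> bool:
    """True while the URL still points at a file under the web root."""
    return os.path.isfile(session.published_path(url))


if __name__ == "__main__":
    s = Session()
    url = s.publish("statement-2007-07.pdf")
    print(url, is_served(s, url))       # http://yourserver/session/<32 hex chars>/statement-2007-07.pdf True
    s.end()
    print(is_served(s, url))            # False
```

The file is reachable by URL only for the life of the session and only under a name nobody else can derive; the copy disappears with the session folder, so nothing needs a separate cleanup job.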

  12. #12 David Watanabe (Member, joined Jan 2007, 17 posts)

    All right!!! Thanks Lenny.

    Both solutions sound like they would work for me. I'll give them a try. If I come across any problems, I'll repost.

    Thanks again,
    -David

  13. #13 David Watanabe (Member, joined Jan 2007, 17 posts)

    Code:
    <%a5
    dim pdf as c
    dim pdf_folder as c = "C:\PDFs\\"
    dim pdf_file as c
    if eval_valid("request.variables.pdf") = .T. then
        pdf = request.variables.pdf
    else
        pdf = ""
    end if

    if pdf = "" then
        ? "<font color=\"red\" size=\"3\">Please specify a PDF file to view</font>"
    else
        pdf_file = pdf_folder + pdf
        if file.exists(pdf_file) then
            Response.body = file.to_blob(pdf_file)
            Response.mime_type = "application/pdf"
        else
            ? "<font color=\"red\" size=\"3\">Sorry, that PDF does not exist</font>"
            ? "<br>Filename and path: " + pdf_file
        end if
    end if
    %>
    Hi Lenny,
    I tried the blob method and the PDF didn't show up. It just showed a blank screen. I've also read in the Alpha manual that file.to_blob() is only for 8-bit BMP and JPG files. Could that be the reason why it's not working? Also, I couldn't find anything on the Response.body and Response.mime_type Response system variables. Do these variables exist?

    I prefer to do it this way instead of copying files, but if copying files is the only way then I'll try it that way.

    Thanks,
    -David

  14. #14 David Watanabe (Member, joined Jan 2007, 17 posts)

    Can anyone help me with this?

    Thanks,
    -David

  15. #15 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    David,

    I came around to this, needed it in an application. I also did not get Lenny's code to work, just produced a blank screen. But the code below did work, except it offers up a dialog to Save or Open the PDF, which is an added step if you just want to open it. But it works.

    The Response.Add_Header... section came from another forum post: http://msgboard.alphasoftware.com/al...ad.php?t=66265

    What's good about this code is that no one can guess the URL to bring up some other client's document. The variable named "pdf" comes from the link on a grid and contains a partial filename; the __protected__ session variable is then embedded as part of the document name, making it impossible to type a URL that will pull up a document (technically, the user can guess another one of their own documents, but I'm not concerned about that).

    Code:
    <%a5
    dim pdf as c
    dim pdf_folder as c = "[PathAlias.DOC_Path]\\"
    dim pdf_file as c
    if eval_valid("session.__protected__acct")
        if PDF = "" then
            ? "No document to display. Please close this window."
        else
            pdf_file = pdf_folder + session.__protected__acct + pdf
            if file.exists(pdf_file) then
                ' ? "<BR>Exists<BR>"   ' debug output; anything printed here is sent ahead of the PDF bytes
                RESPONSE.ADD_HEADER("Content-Length: " + FILE_GET_SIZE(pdf_file))
                RESPONSE.ADD_HEADER("Pragma: no-cache")
                RESPONSE.ADD_HEADER("Expires: 0")
                response.mime_type = "application/octet-stream"
                RESPONSE.ADD_HEADER("Content-Type: application/octet-stream")
                RESPONSE.ADD_HEADER("Content-Disposition: attachment; filename=" + session.__protected__acct + pdf)
                RESPONSE.ADD_HEADER("Content-Transfer-Encoding: binary")

                ' Response.mime_type = "application/x-pdf"
                ? file.to_blob(pdf_file)
            else
                ? "No document to display. Please close this window."
            end if
        end if
    end if
    %>

  16. #16 Lenny Forziati (Alpha Software Employee, joined Nov 2001, 4,682 posts)

    I'm sorry for not getting back to this thread sooner. The problem with my example is the line
    Code:
    Response.body = file.to_blob(pdf_file)
    You should change it to
    Code:
    ? file.to_blob(pdf_file)
    Steve, your code sets a bunch of extra headers:
    • You set the content length, which is not needed because the server does this anyway. Your setting it shouldn't hurt, but it slows the processing down a bit.
    • You explicitly tell the browser to prompt to save the file by setting the content disposition and the MIME type to octet-stream. It sounds like you don't want this behavior, so you can remove the content disposition and use the application/pdf MIME type.
    • You need to remove the transfer encoding header: the response has no transfer encoding when it is sent by the server, so this will cause unexpected and unpredictable behavior in browsers when they try to decode it.

    You also have headers to prevent the PDF from being cached by the browser. This may or may not be desired by others, so I just wanted to point out their function.

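Lenny's three review points, turned into an added Python example (not code from the thread or from Alpha Software) that builds a header set for returning PDF bytes and checks an arbitrary header set against those points. STEVES_HEADERS is a transcription of the headers in post #15 with a placeholder file name and length; the safe_filename helper and the Cache-Control line are this example's own additions.

```python
from typing import Dict, List

# Header set transcribed from post #15 of this thread; file name and length are placeholders.
STEVES_HEADERS: Dict[str, str] = {
    "Content-Length": "123456",
    "Pragma": "no-cache",
    "Expires": "0",
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment; filename=ACCT0001statement.pdf",
    "Content-Transfer-Encoding": "binary",
}


def safe_filename(name: str) -> str:
    """Keep the Content-Disposition file name a plain token (no quotes, CR/LF or separators)."""
    cleaned = "".join(ch for ch in name if ch.isalnum() or ch in "._-")
    return cleaned or "document.pdf"


def pdf_response_headers(filename: str, force_download: bool = False,
                         cacheable: bool = False) -> Dict[str, str]:
    """Header set for returning PDF bytes from a page handler, following the review points."""
    headers = {"Content-Type": "application/pdf"}       # the browser opens its PDF viewer on this
    disposition = "attachment" if force_download else "inline"   # attachment only when a Save dialog is wanted
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_filename(filename)}"'
    if not cacheable:                                     # statements: keep them out of caches
        headers["Cache-Control"] = "no-store"
        headers["Pragma"] = "no-cache"
        headers["Expires"] = "0"
    # No Content-Length: the server computes it from the body it actually sends.
    # No Content-Transfer-Encoding: that is a MIME (e-mail) header, not an HTTP one.
    return headers


def review_headers(headers: Dict[str, str], want_save_dialog: bool) -> List[str]:
    """Apply the review points from the thread to a header set; returns the findings."""
    findings = []
    norm = {k.lower(): v for k, v in headers.items()}
    if "content-length" in norm:
        findings.append("Content-Length is set by hand; the server adds it anyway")
    if "content-transfer-encoding" in norm:
        findings.append("Content-Transfer-Encoding is not an HTTP response header; remove it")
    if not want_save_dialog:
        if norm.get("content-type", "").startswith("application/octet-stream"):
            findings.append("application/octet-stream forces a download prompt; use application/pdf")
        if norm.get("content-disposition", "").startswith("attachment"):
            findings.append("Content-Disposition: attachment forces a download prompt; use inline")
    return findings


if __name__ == "__main__":
    for finding in review_headers(STEVES_HEADERS, want_save_dialog=False):
        print("-", finding)
    print(pdf_response_headers("statement.pdf"))
```

The second review point is reported as two findings (MIME type and disposition) because either one alone is enough to force the Save dialog.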

  17. #17 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    Unfortunately it doesn't work with a mime_type of pdf, even though I note several forum posts indicating success.

    response.mime_type = "application/pdf" opens in notepad as garbage.
    response.mime_type = "application/x-pdf" opens in browser as garbage.

    It only works if I include all three of these lines and omit the application/pdf line. Leaving out any line either opened as garbage in the browser or presented a 'corrupt pdf' error message.

    Code:
    response.mime_type = "application/octet-stream"
    RESPONSE.ADD_HEADER("Content-Type: application/octet-stream")
    RESPONSE.ADD_HEADER("Content-Disposition: attachment; filename=" + session.__protected__acct + pdf)
    I'm using a large PDF as an example, 30 pages of text, in V8 of Adobe Reader.

  18. #18 Lenny Forziati (Alpha Software Employee, joined Nov 2001, 4,682 posts)

    Can you please email me a copy of your PDF to test with?


  19. #19 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    OK, I worked with Lenny on this offline. It works now, as Lenny described. The key is that the A5W page must only have the Xbasic code, none of the HTML tags that are normally part of an A5W page. The final code is below, and that is ALL that should be in the A5W page source.

    The protected session variable is my own invention and becomes part of the document name it seeks, and so no one can "guess" a valid PDF document name. If they access the A5W page with no pdf= parameter, it just says "No document to display...".

    Code:
    <%a5
    dim pdf as c
    dim pdf_folder as c = "[PathAlias.DOC_Path]\\"
    dim pdf_file as c
    if eval_valid("session.__protected__acct")
        if PDF = "" then
            ? "No document to display. Please press the Back button."
        else
            pdf_file = pdf_folder + session.__protected__acct + pdf
            if file.exists(pdf_file) then
                response.mime_type = "application/pdf"
                ? file.to_blob(pdf_file)
            else
                ? "No document to display. Please press the Back button."
            end if
        end if
    end if
    %>
    I should mention I noticed a little enhancement that I think went undocumented in the release notes. Now if you create an A5W page and strip out the HTML, the file will always open in Source mode, even if your default editor is WYSIWYG. And if you try to toggle to WYSIWYG mode, it will warn you that the default HTML will be added back if you do so. That's a great safety feature, since otherwise you always forget which file needs to be in Source mode vs. WYSIWYG.
    Last edited by Steve Wood; 07-30-2007 at 08:11 PM. Reason: the last paragraph
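Steve's account-prefix scheme from posts #15 and #19, as an added Python example that is not code from the thread or from Alpha Software. It assumes a DOC_PATH folder standing in for [PathAlias.DOC_Path], a session dictionary holding a "__protected__acct" value, constructed account numbers A1001 and A1002, and a file layout of account number followed by the grid-supplied suffix; the SUFFIX_RE pattern is this example's own check on what the ?pdf= value may contain. What it shows beyond the A5W page is why the prefix matters: the same suffix resolves to a different file for each logged-in account, and a request that spells out another account's full file name still gets the caller's own prefix put in front of it and resolves to nothing.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# Stand-in for [PathAlias.DOC_Path]; the two account numbers and the file layout
# <account><suffix> are constructed for this example.
DOC_PATH = tempfile.mkdtemp(prefix="doc_path_")
for _name in ("A1001-2007-07.pdf", "A1002-2007-07.pdf"):
    with open(os.path.join(DOC_PATH, _name), "wb") as _fh:
        _fh.write(b"%PDF-1.4\n% " + _name.encode() + b"\n%%EOF\n")

# What a legitimate ?pdf= value (the grid-supplied suffix) may look like: a plain token.
SUFFIX_RE = re.compile(r"[A-Za-z0-9_-]{1,40}\.pdf")


def document_for(session: dict, pdf: str) -> Tuple[int, Optional[bytes]]:
    """Mirror of the A5W page: the account prefix comes only from the protected session value."""
    acct = session.get("__protected__acct")
    if not acct:                            # eval_valid(...) false: nothing is served
        return 403, None
    if not pdf or not SUFFIX_RE.fullmatch(pdf):
        return 400, None                    # "No document to display"
    path = os.path.join(DOC_PATH, acct + pdf)
    if not os.path.isfile(path):
        return 404, None
    with open(path, "rb") as fh:
        return 200, fh.read()               # the caller returns this as application/pdf


if __name__ == "__main__":
    status, body = document_for({"__protected__acct": "A1001"}, "-2007-07.pdf")
    print(status, body.splitlines()[1] if body else None)   # 200 b'% A1001-2007-07.pdf'
```

The session value is never taken from the request, which is what turns the file name into a per-account namespace: a logged-in user can only ever reach documents that begin with their own account number.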

  20. #20 Matthias Dievenkorn (Member, Hamburg, joined Jul 2007, 14 posts)

    Hi @ all,

    Unfortunately neither Lenny's proposal (error code 403) nor any other solution is working for me. I'm desperately looking for a solution to post PDF files (account statements) which have to be secured by the security system.
    Any help is more than appreciated. At present I'm converting PDFs to JPEGs and publishing them in a database field. You can imagine how long the upload time is: at least 50 min.
    Best regards,
    Matthias

  21. #21 Steve Wood (Volunteer Moderator, Bay Area, California, joined Nov 2003, 8,832 posts)

    What's wrong with my proposal? I am using it right now in a security framework enabled system.

  22. #22 Matthias Dievenkorn (Member, Hamburg, joined Jul 2007, 14 posts)

    thanks Steve.
    I'll try it again. perhaps it was me who made an error while inserting it.
    I'll be back in any case.

  23. #23 Steve Layton (Member, joined Oct 2007, 64 posts)

    Steve, again a display of my ignorance, but: if I have a document in my A5Webroot named "Chicago" and it is the PDF file that I want, or if I have PDF files in that webroot in a folder named "Document Library", where and how do I plug that information into this code to retrieve said file? What do I have to do to take advantage of your "session_protected_account" variable?

  24. #24 Denis Ahmet (Member, United Kingdom, joined Jul 2005, 988 posts)

    Hi,

    I have used Steve and Lenny's code. Thank you. Now that I have this in place on an A5W page, what do I need to place in the VIEW link in the grid so that the correct document opens based on the selection?

    Doc_Name ------ VIEW

    Thanks

    Denis
