
Deny PDF viewing through URL

    Deny PDF viewing through URL

    I'm trying to restrict PDF access to only logged-in users that have group permission to the link field in a component I set up. I have the Security Framework enabled on the Application Server, and security group settings set on my component, but can't seem to open any PDF through the component. I get a 403 error message saying "Your security credentials do not allow access to this resource."

    I found that I could open PDF files by always allowing the file type (*.pdf) via Page Security Assignment. The problem with this is that it's always allowed, so a person could easily open a PDF through the URL without logging in.

    How do I restrict the PDF viewing to only logged-in users that belong to a particular group through a component I created?

    BTW, these are PDFs that are already generated, meaning they aren't created on the fly from Alpha 5. Rather these PDFs were generated through another application, and transferred to the Application Server for viewing through A5W pages.

    Any help will be great.

    Thanks

    #2
    Re: Deny PDF viewing through URL

    David,

    A nice way to implement this would be with security assignments to folders and files the same way unix does. I don't think the WAS security system includes this.

    You can encrypt the pdf file and require a login password to view the file. You could also hide the URL through the use of a flash button and javascript to launch a window with limited controls.
    Bob Moore


      #3
      Re: Deny PDF viewing through URL

      I have WAS installed on a Windows machine, but I am familiar with UNIX permissions. What's the Windows security group that needs access to the folder that contains the PDFs, and do I only give read-only permission? But if a user doesn't belong to the Alpha security group that is allowed to open PDF files, could they view it by typing in the URL after logging in? If this can't be done, I think Alpha Software should develop this, as how would people comply with confidentiality of data and files when unauthorized users can view data that they shouldn't be viewing?

      I'm still afraid that someone could accidentally find the PDF, even though I had a flash button or js script to limit what the user can see in the new window.

      Thanks.

        #4
        Re: Deny PDF viewing through URL

        It's very common on websites to have a link that says "Click here to download this document" and when you click it, you get a new page that says "OK, click here to view that document you expected to see".

        So, don't provide a link that directly opens the PDF. Instead provide a link to a new A5W page and on that page provide a link to the PDF (probably served up by a grid component). Difference? You can control who gets to that 2nd page via Group Security or other measures. Using a calculated field you can also toggle that link field to either be a static text value of "SORRY YOU DON'T HAVE ACCESS" (or not appear at all) or a valid hyperlink to the 2nd page.

        You can also store the PDFs outside of your document root and then use xbasic to copy that PDF from its outside location to a location within the virtual root (so your user can get to it with their browser) and only then will the link to the PDF work. When you copy it, also create a new folder to put it in. You've seen those 128bit obscure folder names when you use sophisticated web applications. Later you can delete that whole folder. They can't guess the URL in that case.
        Steve Wood
        See my profile on IADN

          #5
          Re: Deny PDF viewing through URL

          Thanks Steve for replying. Let me give some background info: we are trying to create a secure statement presentment online for our customers, thus the reason for confidentiality. We cannot afford to have a hacker figure out how to get access to the folder that contains the PDFs.

          Everything is still in a test phase on our internal WAS test server, on which we have a PDF folder from which the A5W pages can access PDF files. We have dummy PDFs to simulate viewing PDF files. In terms of security, should the PDF files be on a separate WAS server? If so, how would the A5W pages pull the PDF files over for viewing?

          I'm still thinking that the folder that contains the PDFs still needs to be accessed by the WAS server, so potentially could be found through the URL if File Access for *.pdf is always allowed, correct? If I disable the file access to *.pdf, even if I put the PDF into a component, the page would error out, correct?

          BTW, how do you get a PDF to appear in a component?

          Thanks

            #6
            Re: Deny PDF viewing through URL

            I thought I answered all that. If the PDF is anywhere under the document root, someone can 'guess' the URL. If you follow my method, you make it temporarily available under the root, but store it outside, so no one can access other than during that brief period of time.

            Another option is to use obscurity; make either the PDF name or a subfolder so complex that no one can guess it.

            You 'put a PDF in a component' by creating a link field with the full http:// path to the PDF file.
            Steve Wood
            See my profile on IADN

              #7
              Re: Deny PDF viewing through URL

              You can also store the PDFs outside of your document root and then use xbasic to copy that PDF from its outside location to a location within the virtual root (so your user can get to it with their browser) and only then will the link to the PDF work. When you copy it, also create a new folder to put it in. You've seen those 128bit obscure folder names when you use sophisticated web applications. Later you can delete that whole folder.
              Hi Steve,
              I never really caught on to what you said about copying and deleting the PDF, until now (newbie moment - :)). What would be the code I would use to create a temporary folder, copy the selected PDF from the root folder to that temp folder, and, when they close the browser, delete both the temporary folder and the PDF?

              Thanks,
              -David

                #8
                Re: Deny PDF viewing through URL

                David,
                I also deliver PDF reports to my customers over the web, but I do it a little differently. The data for the PDF is in a DBF record. My customer needs to choose a record through a grid component.
                The grid has a link to an a5w page:
                "Print_Man.a5w?Sample_No={Sample_No}"

                The link has the following code:
                Code:
                <%a5
                ' Sample_No arrives from the grid link Print_Man.a5w?Sample_No=...
                if Eval_Valid("Sample_No")
                   dim filter as c
                   dim order as c
                   filter = "Sample_No = " + Quote(Sample_No)
                   order = ""
                   dim filename as c
                   ' Build the PDF inside this session's private folder
                   filename = session.session_folder + chr(92) + "Man_results.pdf"
                   filename = report.saveas("Manure_Auto_Print@[PathAlias.ADB_Path]\Manure_data.dbf","pdf",filter,order,filename,.f.)
                   if file.exists(filename)
                      ' Send the browser to the session URL; the time stamp defeats caching
                      response.redirect(session.session_url + "Man_Results.pdf?" + time("hms3"))
                   end if
                   ' Stop processing the page once the redirect has been issued
                   end
                else
                %>
                <!-- HTML shown when no Sample_No was supplied goes here -->
                <%a5
                end if
                %>
                This way I create the PDFs on the fly using a report format. I do not have to store, move or call them on the server. I make them as they are needed and they are destroyed when the session is over.
                I control which customers see which records with filters on the grid so no one can see another's data, and without a secure login no one gets near the data page.

                I hope this helps.
                Jesse
                Last edited by AaronBBrown; 07-31-2007, 04:13 PM.

                  #9
                  Re: Deny PDF viewing through URL

                  Hi Jesse,
                  That's great, and I'll keep that in mind. Similar to what you have, I have links to my PDFs in a grid, but the PDFs that I have are not reports, so they can't be generated on the fly. I've created the PDFs beforehand, and I only want certain users to see them, thus requiring them to login. The bad thing is that, if I want the users to see them I have to Always Allow the PDF extension, which allows users to get to the PDFs without logging in. It's too bad that Alpha 5 doesn't have extensions or maybe folders that require users to login before viewing them, instead of an all or nothing deal.

                  Anyway, to work around this, I thought Steve's idea was pretty good. Would you know the code to copy PDFs from a restricted folder to the site folder (maybe in a randomly generated folder name), serve it to the person requesting it, and delete it when they close it?

                  Thanks,
                  -David

                    #10
                    Re: Deny PDF viewing through URL

                    There's no need to copy things around and you do not need to configure your security to always allow or deny PDF files.

                    Store your PDF files in a directory outside of your web root, so they are never directly accessible. Then use an A5W page to provide access to them. You can either set security on that A5W page as desired, or you can use some Xbasic in it to allow or deny access based on the user and/or requested PDF.

                    An example of the A5W page would be:

                    Code:
                    <%a5
                    dim pdf as c
                    ' Library folder outside the web root; nothing in it is reachable by URL
                    dim pdf_folder as c = "c:\my_pdf_library\\"
                    dim pdf_file as c

                    if PDF = "" then
                        ? "Please specify a PDF file to view"
                    else
                        pdf_file = pdf_folder + pdf
                        if file.exists(pdf_file) then
                            ' Return the file's bytes as the response body, typed as a PDF
                            Response.body = file.to_blob(pdf_file)
                            Response.mime_type = "application/pdf"
                        else
                            ? "Sorry, that PDF does not exist"
                        end if
                    end if
                    %>
                    With this file, you would then create a link such as http://yourserver/pdfviewer.a5w?pdf=foo.pdf. The security framework would then allow or deny the request based on your settings. If allowed, it would look for c:\my_pdf_library\foo.pdf and display it in the browser if it exists on the server. To access notfoo.pdf, you would change the URL to http://yourserver/pdfviewer.a5w?pdf=notfoo.pdf

                    With this setup, the security setting for .PDF files does not matter because you are not accessing a .PDF file with the browser. Rather you are accessing an A5W page, which can have any security setting you'd like, and it is returning PDF content. The browser itself does not care that you requested something.a5w instead of something.pdf, it looks at the MIME type (which the example set to "application/pdf") and handles this as it does any other PDF content.

                    Lenny Forziati
                    Vice President, Internet Products and Technical Services
                    Alpha Software Corporation

                      #11
                      Re: Deny PDF viewing through URL

                      Also, if you still want to copy files to a temporary location for web access, use the session folder. It is unique to the session, cannot be accessed by a different user, and is automatically cleaned up for you. Look up session.session_folder and session.session_url if you want to go this route.

                      Lenny Forziati
                      Vice President, Internet Products and Technical Services
                      Alpha Software Corporation

                        #12
                        Re: Deny PDF viewing through URL

                        All right!!! Thanks Lenny.

                        Both solutions sound like they would work for me. I'll give them a try. If I come across any problems, I'll repost.

                        Thanks again,
                        -David

                          #13
                          Re: Deny PDF viewing through URL

                          Code:
                          <%a5
                          dim pdf as c
                          dim pdf_folder as c = "C:\PDFs\\"
                          dim pdf_file as c
                          ' Read the 'pdf' request variable if it was supplied
                          if eval_valid("request.variables.pdf") = .T. then
                              pdf = request.variables.pdf
                          else
                              pdf = ""
                          end if

                          if pdf = "" then
                              ? "<font color=\"red\" size=\"3\">Please specify a PDF file to view</font>"
                          else
                              pdf_file = pdf_folder+""+pdf
                              if file.exists(pdf_file) then
                                  Response.body=file.to_blob(pdf_file)
                                  Response.mime_type="application/pdf"
                              else
                                  ? "<font color=\"red\" size=\"3\">Sorry, that PDF does not exist</font>"
                                  ? "<br>Filename and path: "+pdf_file
                              end if
                          end if
                          %>

                          Hi Lenny,
                          I tried the blob method and the PDF didn't show up. It just showed a blank screen. I've also read in the Alpha manual that file.to_blob() is only for 8-bit BMP and JPG files. Could that be the reason why it's not working? Also, I couldn't find anything on the Response.body and Response.mime_type Response System variables. Do these variables exist?

                          I prefer to do it this way instead of copying files, but if copying files is the only way then I'll try it that way.

                          Thanks,
                          -David

                            #14
                            Re: Deny PDF viewing through URL

                            Can anyone help me with this?

                            Thanks,
                            -David

                              #15
                              Re: Deny PDF viewing through URL

                              David,

                              I came around to this, needed it in an application. I also did not get Lenny's code to work, just produced a blank screen. But the code below did work, except it offers up a dialog to Save or Open the PDF, which is an added step if you just want to open it. But it works.

                              The Response.Add_Header... section came from another forum post: http://msgboard.alphasoftware.com/al...ad.php?t=66265

                              What's good about this code is that no one can guess the URL to bring up some other client's document. The variable named "pdf" comes from the link on a grid and contains a partial filename; the __protected__ session variable is then embedded as part of the document name, making it impossible to type a URL that will pull up a document (technically, the user can guess another one of their own documents, but I'm not concerned about that.)

                              Code:
                              <%a5
                              dim pdf as c
                              dim pdf_folder as c = "[PathAlias.DOC_Path]\\"
                              dim pdf_file as c
                              ' Only serve anything when the protected session account variable exists
                              if eval_valid("session.__protected__acct")
                                  if PDF = "" then
                                      ? "No document to display. Please close this window."
                                  else
                                      ' The account id from the session is part of the file name, so the
                                      ' URL alone does not identify another client's document
                                      pdf_file = pdf_folder + session.__protected__acct + pdf
                                      if file.exists(pdf_file) then
                                          ' Debug output commented out: it would be sent ahead of the file data
                                          ' ?"<BR>Exists<BR>"
                                          RESPONSE.ADD_HEADER("Content-Length: " + FILE_GET_SIZE(pdf_file))
                                          RESPONSE.ADD_HEADER("Pragma: no-cache")
                                          RESPONSE.ADD_HEADER("Expires: 0")
                                          ' octet-stream plus attachment is what makes the browser show the Save/Open dialog
                                          response.mime_type = "application/octet-stream"
                                          RESPONSE.ADD_HEADER("Content-Type: application/octet-stream")
                                          RESPONSE.ADD_HEADER("Content-Disposition: attachment; filename=" + session.__protected__acct + pdf)
                                          RESPONSE.ADD_HEADER("Content-Transfer-Encoding: binary")

                                          ' Response.mime_type = "application/x-pdf"
                                          ? file.to_blob(pdf_file)
                                      else
                                          ? "No document to display. Please close this window."
                                      end if
                                  end if
                              end if
                              %>
                              Steve Wood
                              See my profile on IADN
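                              The gated-delivery pattern from posts #10 and #15 (serve from a folder outside the web root, tie the file name to the logged-in account, and let the MIME type and Content-Disposition decide whether the browser opens or saves the file), as an added illustration in Python rather than Xbasic; it is not code from this thread or from Alpha Software. The <account><requested> naming scheme, the library path, the status texts and the sample statement files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# A deliverable file name may contain only these characters and must end in .pdf,
# so a path separator or parent-directory reference never reaches the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.pdf$")


def serve_pdf(library: Path, account: Optional[str], requested: str,
              inline: bool = True) -> Tuple[int, Dict[str, str], bytes]:
    """Handle one request of the form pdfviewer.a5w?pdf=<requested>.

    library   folder holding the PDFs; it sits outside the web root, so the
              only route to a file is through this handler
    account   the logged-in user's protected session account id (None when
              nobody is logged in); it is prefixed to the requested name the
              way post #15 builds pdf_folder + session.__protected__acct + pdf
              (assumed naming scheme: <account><requested>)
    requested the 'pdf' request variable supplied by the grid link
    inline    True opens the PDF in the browser (application/pdf); False
              forces the Save/Open dialog that octet-stream + attachment gave
    """
    text = {"Content-Type": "text/plain"}
    if account is None:
        # Same outcome the Security Framework gives an anonymous request.
        return 403, text, b"Your security credentials do not allow access to this resource."
    if not requested:
        return 400, text, b"Please specify a PDF file to view"

    file_name = account + requested
    if not SAFE_NAME.match(file_name) or ".." in file_name:
        return 400, text, b"Invalid document name"

    # Defence in depth: the name must still resolve to a direct child of the library.
    root = library.resolve()
    candidate = (root / file_name).resolve()
    if candidate.parent != root:
        return 400, text, b"Invalid document name"
    if not candidate.is_file():
        return 404, text, b"Sorry, that PDF does not exist"

    body = candidate.read_bytes()
    headers = {
        "Content-Type": "application/pdf",   # the browser keys on this, not on the .a5w URL
        "Content-Length": str(len(body)),
        "Content-Disposition": ("inline" if inline else "attachment")
        + '; filename="' + file_name + '"',
        "Cache-Control": "no-store",         # statements should not linger in shared caches
    }
    return 200, headers, body


def build_sample_library() -> Path:
    """Create a throwaway library holding two constructed account statements."""
    lib = Path(tempfile.mkdtemp(prefix="pdf_library_"))
    for acct in ("1001", "1002"):
        (lib / f"{acct}_statement.pdf").write_bytes(
            b"%PDF-1.4\n% constructed sample statement for account " + acct.encode() + b"\n")
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    for acct, name in ((None, "_statement.pdf"), ("1001", "_statement.pdf"),
                       ("1001", "_missing.pdf"), ("1001", "/../1002_statement.pdf")):
        status, headers, body = serve_pdf(lib, acct, name)
        print(acct, name, status, headers["Content-Type"], len(body))
```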
