I have application written in GWT and hosted on Google AppEngine/Java. In this application user will have an option to upload video/audio/text file to the server. Those files could be big, up to 1gb or so and because GAE/J does not support large file I have to use another server to store those files. This would be easy to implement if there was no cross-domain security feature in browsers. So, what I'm thinking is to make GAE Server talk to my server (Glassfish or any other java servers if needed) to tell url to the file and if possible send status of uploaded file (how many percent was uploaded) so I can show status on clients screen. Here is what I'm thinking to do.
When user loads GWT page that is stored on GAE/J he/she will upload file to my server, then my server will send response back to GAE and GAE will send response to the client.
If this scenario is possible what would be the best way to implement GAE to Glassfish conversation?
Actually before that maybe you can try using first approach via by-passing cross-domain security of browsers using iframe. There are some ready to use components for this but for your problem which of them can be usable I don't know. Just google for these components...
Doing it the original way you suggested use URL Fetch Service
The down side to doing it the other way is that you introduce dependencies on multiple sites inside your web pages.
The downside of using the URL Fetch Service is that you have to pay by number of bytes transferred after you have reached the free quota.
One option would be to wait - the blobstore limit won't always be 50MB!
If you're in a hurry, though, I would suggest an approach like the following:
Have your App Engine app generate a signed token that signifies the user has permission to upload a file. The token should include the current date and time, the user's user ID, the maximum file size, and any other relevant information, and should be signed using HMAC-SHA1 with a secret key that your App Engine app and your server both know.
Return a form to the user that POSTs to a URL on your blob hosting server, and embeds the token you generated in step 1. If you want progress notifications, you can use a tool like plupload, and serve the form in an IFrame served by your upload server.
When the user uploads the file to your server, the server should return a redirect back to your App Engine app, with a new token embedded in the redirect URL. That token, again signed with a common secret, contains the ID of the newly uploaded file.
When your App Engine app receives a request for the redirect URL, it knows the upload was completed, and can record the new file's ID etc in the datastore.
Alternately, you can use Amazon's S3, which already supports all this with its HTML Form support.
Related
I have been working with Laravel for a little less than a month; so, not aware of all the pre-defined functionality it has to offer. I have a bunch of CSV files in my Laravel application storage and I want to access them from another application (a Java application that processes those CSV files to produce some results).
What would be the best way to go about it?
I have a basic user management system set up and the users fill in an application form (which is where the csv files come from). These files are stored in the Laravel storage.
My current approach without using any built-in authentication (because I am not confident about how to use it in this case) is to have a controller return a downloadable file on a POST request (the file just gets downloaded upon request). The data sent with the POST request is the filename and a password, which if correct, returns the file; otherwise, gives an error. Is this a good way to approach the problem?
I simply want to retrieve the files by making a request from the Java application. Also, some basic protection is required so that everyone cannot access the files by making such requests. Any help or resources would be helpful. Thanks!
Use digitalocean space as additional shared storage between two servers (php and java) then make storage access private using digitalocean dashboard and finally add new website cors on space settings has your java domain and its http verbs (get post delete...). With this configuration you could access your cloud storage between two servers safely using access key and secret key.
I am using Struts 1.x framework in my web application .
When the user hits the application URL... ..intranet link is fetched from the db and it should generate the PDF and send this to the user..
Shall I use response.sendRedirect(intranet link);
Will this work in public server(internet)?
Please help me with this
A browser on the web will in general not be able to fetch something from the intranet.
The expensive alternative is to fetch the files from the intranet by your application, and stream them out.
If the intranet uses a user authentication, browser based, maybe Windows Active Directory (via LDAP), maybe SAML, then it gets even harder.
Pragmatic might be to send an e-Mail with the link, allowing the user to get the document in-house only.
I have a website where users can upload resources (e.g. pdf-files) to their account. I am using AWS S3 to host all the uploaded files, and I am using the AWS Java SDK 1.8.9.1 for communications between my website and S3.
Now, I want to allow users to be able to download and view the files that they have uploaded, but I only want this to be possible through my website. That is, on my web site, users should have a download link for each of their files that they can click, after which the download starts. However, if they copy the URL of the download link and send it to their friend, that friend should not be able to download the file.
I know that it is possible to restrict access to S3 buckets to specified referring URLs. However, I have also been told that this can easily be forged and is not the way to go. I am thinking that there might exist a solution with signed requests.
How can I achieve this?
You could modify your application so that the download links are proxied through it. i.e. The application should do the reverse of the upload process.
So, you can provide a link to your java application, which will then go to S3 and retrieve the file and return it to the user. This way, if someone shares a link, you can protect the url and require users to login before they can download the file.
I am a newbie for this security purpose and php files
I came to know about htaccess when i saw my files and databases are not secure.
I am filling listview in Android application from JsonArray parsing.This JsonArray is coming from Server when a specific URL is clicked on android application
There is a php file on server and there i have echoed the result .
Now the problem is with the data access .When I use that url on PC from browser ,It prints all the data on the browser.
NOw how can I give access to only those user who are using my android application.
I have heard of htaccess file but dont know how to use it and write it
Or is there any other way to secure or get rid of direct accessing from browser
You can use htaccess file but I think there better way.
.htaccess file is fine-tuning ruleset for Apache server. It can reprogram request completely. I use it normally with Static files.
But in your case dynamic php page. Which means you can pass a security session key.
When people login to your app they create session key. SSID This will be alive for some limited amount of time. like 1 hour. And every request required it.
No correct SSID means no data.
(I tried asking this on the GAE forums but didn't get an answer so am trying it here.)
Currently to upload blobs, the app engine's blob store service creates a unique one-
time URL that a user can post blobs to. My requirement is that I only
want authenticated / authorized users to post blobs in my application. I can achieve this currently if the page that includes the multipart form to upload blobs is in my application.
However, I am looking to providing a "REST API" for my users to upload their blobs. While it is true that the one-time nature of the upload URL mitigates the chances of rogue use but it's still possible.
I was wondering if there is anyone on the app engine team here that can consider a feature where developers can register an upload listener. (Or if there is already a way, I'll be all ears). A standard servlet filter could also potentially do the job. This will give us an opportunity to authenticate / validate / decorate requests before the request gets forwarded to the blob store service.
Thanks,
Keyur
Since, as you point out, it's only possible to upload blobs if you have a valid upload URL, you can simply issue valid upload URLs only to authorized users. The only way an unauthorized user could then get an upload URL would be if an authorized user gave it to them, or it was intercepted - and in either case, the same caveat would apply to regular credentials.
In any case, it's still possible to check a user's credentials after the upload, at which point you can immediately delete the blob if you're not satisfied. If it were possible to regularly upload unauthorized blobs, this could lead to a denial of service vulnerability, but due to the restrictions on handing out the encoded URLs I mentioned above, this is only likely to apply if, for example, a user's access was revoked after you generated an upload URL for them.
I'm not sure whether it would work (i.e. GAE might not let you do it), but a servlet filter which wraps the /_ah/upload pattern could first check whether the POST came from same IP address as the authenticated client.
Now, you can upload file with Blobstore API, check out here: http://code.google.com/appengine/docs/java/blobstore/overview.html