WebApp Sec mailing list archives
Re: Controlling access to pdf/doc files
From: chasd () silveroaks com
Date: Wed, 25 Feb 2004 08:53:28 -0600
If I may, let me describe how a PDF-based application that we built works.
Question - How can I ensure my application allows only authenticated users access to files like *.pdf or *.doc?
and
Generate the PDF/DOC/whatever on the fly at the time of the request.
In our application, the FDF data is submitted over https to an ASP script that calls up PDF template files that the FDF data is inserted into, twice. One copy is encrypted and sent via e-mail to the home office, the other is fed back down to the client as a stream as others have suggested (over https). The PDF files with the data inserted only exist in memory on the server, and are never written to disk.
The end user's template file has a red warning message that says to save the file from the browser. This message does not print, it is only visible in a viewer. There is a button with a JavaScript action labeled "Save document" that brings up the save dialog. Another button with a JavaScript action goes to the home page URL.
The template for the home office does not have the end user features. We use the PDF encryption for this version. I know that this encryption is not as strong as other methods, but the client was comfortable with the usability trade-off. We use both password fields and use the maximum number of characters.
We like PDF better than MS Word format because the format is openly documented and many tools exist to generate and manipulate documents in that format. Readers for the format are freely available on multiple platforms.
Two issues we have run into are that Windows IE doesn't use the file name provided in the data stream, so we have to instruct users to name the file correctly when it is saved. Other browsers/platforms do not have this problem and behave correctly. The other issue is that Adobe has not released an Acrobat browser plug-in for OS X. However, Reader version 6.x for OS X can submit form data. Previously only the full version of Acrobat could submit FDF data outside of a browser.
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265 chasd () silveroaks com
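
The pattern described in this message (check the session, build the document in memory, stream it back, never write it to disk), sketched as a Python WSGI handler. This is an added example, not the poster's ASP code; the session table, the `sid` cookie name, and `render_document` are assumptions made for illustration.

```python
import io
import re
from http.cookies import SimpleCookie

# Constructed sample data: server-side session table (session id -> user).
SESSIONS = {"s3ss10n-constructed": "alice"}

def render_document(user):
    """Hypothetical stand-in for the template-filling step; builds bytes in memory only."""
    buf = io.BytesIO()
    buf.write(b"%PDF-1.4\n% placeholder for " + user.encode("ascii") + b"\n%%EOF\n")
    return buf.getvalue()

def safe_filename(name):
    """Keep a conservative character set so the name cannot break out of the header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".") or "document.pdf"

def current_user(environ):
    """Map the (assumed) 'sid' cookie to a user, or None if absent or unknown."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    return SESSIONS.get(morsel.value) if morsel else None

def app(environ, start_response):
    user = current_user(environ)
    if user is None:
        # No document is generated for unauthenticated requests.
        body = b"forbidden\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body))),
                                         ("Cache-Control", "no-store")])
        return [body]
    body = render_document(user)  # exists only as bytes in this process
    start_response("200 OK", [
        ("Content-Type", "application/pdf"),
        ("Content-Length", str(len(body))),
        ("Content-Disposition", 'attachment; filename="%s"' % safe_filename(user + ".pdf")),
        ("Cache-Control", "no-store"),  # ask browsers and proxies not to keep a copy
    ])
    return [body]

def call(cookie_header=None):
    """Drive the app in-process; returns (status, headers dict, body bytes)."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/document"}
    if cookie_header is not None:
        environ["HTTP_COOKIE"] = cookie_header
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Because there is no file under the web root, there is no URL that bypasses the session check; the only path to the bytes is through `app`.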