Secure document delivery over the Intern

By shmaltz
I'm trying to set up a web site that will provide document delivery for our clients (the company is mainly doing legal work for their clients and most of the work involves documents).
The documents will be in PDF format (their Acrobat Reader will open on their desktop so they can read it) and I'm trying to set security on the files.
The way it works is that each user that wants to view a document has to log on to our system; we use a SQL database to validate the user. Once the user is validated we give them a list of the documents they can view (thru ASP pages).
Now here is my problem: each document/file may be for more than one client, but if you are not one of the clients that need access to it, you should be denied access to it.
Now I know I can create a user name in my NT domain for each client that needs access and then assign file permissions, but I do not want to do it as this will make it almost impossible to keep track of everything going on.
What I'm trying to do is set up a general user account that I'll give permission to access all the PDF documents, and whenever a user gets validated over the internet (thru our SQL server) I'll provide the documents for them (with the general user account thru code), but I don't want the internet user to see the path of where the documents are located (I want to place the documents on a regular WINNT share, not a WWW share); all they should see is an ASP page and Acrobat should open.
Is this possible?
And if yes, how? And where can I get more info on that?


by shmaltz In reply to Secure document delivery ...

We are using Win2K server SP1, IIS 5.0, SQL 7.0.


by SteveD In reply to Secure document delivery ...

I'm not at all sure, since I've never done anything like this, but for what it's worth here's how I would approach this:

1) Use some tool to have a look at what the headers are like when you receive the results of a direct HTTP request for some PDF file. Some tools that might help are Telnet, AspHttp, InetCtl.

2) To display a PDF in your ASP, first generate the appropriate headers, then just read the PDF using a FileSystem object (in chunks would probably be the best way) and use Response.Write to send out the content.

I know it's sketchy, but I hope this helps.

Steve Diamond


by Barry Hensley In reply to Secure document delivery ...

Our development team just did something very similar to this. I'll give you a high level overview of how we handled it.

1. You will need to have a piece of middleware running on your web server that sits between the user and the requested data. This middleware application could be written in C, VB, Java, or whatever you choose.

2. The function of the middleware is to broker requests to your data source (SQL server, a WINNT Share, etc). The middleware also establishes sessions with the user, caching the user name and password so that entitlement is maintained.

3. When a user logs on, they will pass a username and password to the middleware application. The application will then generate HTML code, based on the username, and send it back to the user's browser. This code might contain a list of resources to which the user has access, etc.

4. When a user makes a request for a document, the URL calls the application with an argument for the document (doc name, ID, or some other argument that the application understands). Only the application knows how to retrieve the document from the SQL server or NT share.

5. Permissions are maintained in either SQL server or some other table that the application uses to know that the user has permission to obtain the document.

6. The application accesses either SQL or the NT share using a generic login that you have created just for this application to use. NT file system permissions don't become a part of the process except to validate the ID of the application, not the user.

7. Make sure to write your app so that each request is validated against a permissions table in SQL. Otherwise, a savvy user could fake a URL and guess the doc ID of a document for which they do not have permission.
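
The broker described in steps 4 to 7, sketched as an added example that is not part of the original post or of any poster's code. It assumes hypothetical `documents` and `permissions` tables, uses SQLite as a stand-in for the SQL Server permissions table, and the clients and file names are constructed sample data. The file path is resolved server-side from the doc ID, and every request is re-checked against the permissions table, so a guessed ID returns the same 404 as a missing document.

```python
import os
import sqlite3

CHUNK = 64 * 1024  # read size per chunk when streaming the file


def build_demo_db(doc_root):
    """Constructed sample data: two clients, two documents (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE documents (doc_id INTEGER PRIMARY KEY, file_name TEXT);
        CREATE TABLE permissions (client TEXT, doc_id INTEGER);
        INSERT INTO documents VALUES (1, 'contract_a.pdf'), (2, 'contract_b.pdf');
        INSERT INTO permissions VALUES ('alice', 1), ('bob', 1), ('bob', 2);
    """)
    for name in ("contract_a.pdf", "contract_b.pdf"):
        with open(os.path.join(doc_root, name), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample " + name.encode())
    return db


def read_chunks(path):
    """Yield the file in chunks so large PDFs are never held fully in memory."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            yield chunk


def serve_document(db, doc_root, session_user, doc_id):
    """Return (status, headers, body_chunks) for one document request."""
    if session_user is None:          # no authenticated session
        return 401, {}, []
    try:
        doc_id = int(doc_id)          # the only client-supplied value is a number
    except (TypeError, ValueError):
        return 404, {}, []
    row = db.execute(                 # entitlement check on every request
        "SELECT d.file_name FROM documents d "
        "JOIN permissions p ON p.doc_id = d.doc_id "
        "WHERE d.doc_id = ? AND p.client = ?", (doc_id, session_user)).fetchone()
    if row is None:                   # unknown doc and forbidden doc look identical
        return 404, {}, []
    path = os.path.join(doc_root, row[0])   # path comes from the table, not the URL
    headers = {"Content-Type": "application/pdf",
               "Content-Length": str(os.path.getsize(path)),
               "Content-Disposition": "inline"}
    return 200, headers, read_chunks(path)
```
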
