I am developing a website(an educational system) in JSP, which has a different users with different accessibility and priority(including teachers, students, managers,…)
Now I want to add some files (e.g. some pdfs) to this website, that only a group of users(e.g. teachers) can download them after logged in to the system. now my Question is how can I prevent others from downloading them by directly typing the file addresses in address bar? In other words I don’t want the users to have access to these files directly by typing URLs
thanks in advance
You can’t prevent people from downloading a file by entering its URI. That is simply how the web works. (If you don’t want something to be downloaded by anybody, don’t put it somewhere that will give it a URI).
However, it sounds like your problem is “Preventing people who are not authorised to download a file from downloading a file”, which is a completely different problem.
There are two basic approaches to solving this type of problem.
Only make the files available through a script
First, don’t keep the file under the webroot. Then write a script that:
Configure your web server to perform auth/authz
The specifics of this will depend on the web server software you use. I’ve no idea if there are any methods to tell any server that supports JSP to perform auth/authz using whatever Java login system you are using, but I have done it using Apache/mod_perl in the past.