Okay I have a folder say… http://oldserver.net/file/index.jar
How would I be able to protect the file “index.jar” from being downloaded from regular web browsers?
I’ve seen this done before, I just want to protect it from being accessed from web browsers, and keep it strictly java download access only.
What I mean by java download access only is, I could simply use a java downloader to download index.jar. But I can’t download it via web browser.
How would I protect the file “index.jar” ?
Thanks:)
You need to think about what this requirement means specifically – from the point of view of your server, how can it tell whether an incoming request is a “java download” or not?
In short, I don’t think there’s a way to do exactly what you’re after. The classic way to secure resources would be by requiring authentication (i.e. you need a valid username and password to get the index.jar file) but it doesn’t sound like that’s what you want here.
Bear in mind that Java simply sends HTTP requests (or other protocols that it knows how to speak) down a connection. Any other program could send identical requests, so there’s quite simply no way to enforce this limit in the way that you’ve specified.
One approach that might simulate what you’re after is to not have the index.jar accessible via HTTP, so browsers wouldn’t be able to get at it by default, and then access it via another protocol in Java (e.g. FTP, SFTP, whatever). Though as mentioned above, any tool that can speak this new protocol would be able to download the file.
Another approach would be to look for Java-specific headers, such as the User-Agent field (assuming this is populated with something recognisable). But again – this is not secure, as any tool could send through the same headers and impersonate a java download.
If you mean in your question that you only want your files to be downloaded by a specific Java application, then things get a bit more feasible. You can distribute an application that contains some authentication (e.g. public/private key pair) and have the server challenge for this when
index.jaris requested. But even then this is dubious – by definition the Java app has to contain sufficient information to authenticate as itself; and by definition you have to distribute this information publically; so it wouldn’t be difficult to extract the private keys and have some other application masquerade as your Java one.Basically, I can’t see any way around this issue given the confines you’ve stated. If there’s a narrower scope you’d be willing to entertain you may be able to come up with a viable compromise, but right now the answer is simply “no”.