Hyland Connect

txue · ‎12-15-2010

Dear Sir/Madam,

I have a question regarding AWPR My Space panel folder content download security. I appreciate in advance.
After I successfully integrated AWPr into jboss portal, and I logged into Jboss portal, I clicked on AWPr portlet tab, I can get my workspace subfolder and all contents. If the content is not text-based file, when I click on it, the download file panel will pop up you can save the file into your local. If the file is texted based file, when I click on it, I can see a new browser window open and I can read the file. The url is similar like:

http://hostname/alfresco/d/d/workspace/SpacesStore/1fb020f7-ba90-48d6-84be-64ce4a9ecfdf/web.xml

I copy this url and try to open from another computer browser I can also view this file, no matter user is logged or not logged.

I just wondered that the file is not safe enough with url only defining the file location ids. Is there other way to protect it?

Thanks.

Tina

rivetlogic · ‎12-25-2010

Hi,

AWPr My Spaces is a modified version of Alfresco's OOTB (out of the box) My Spaces Web script which makes AJAX calls directly to Alfresco and therefore the URLs are as you say not safe (that is most probably due to the fact that you have a cookie in your browser for accessing Alfresco URLs directly, so it's really not that unsafe.

The better way to craft download URLs though is using JSR 286 resource URLs. If you notice the What's New example Web script we provide with the AWPr release show cases just that. Regular Alfresco download URLs are proxied to resource URLs, therefore if you copy the URL and try to access it separately (and provided the JBoss portal page exposing this URL is password protected) then the user will be prompted for an authentication.

In either case it's not really a security hole but I do personally dislike exposing the Alfresco ticket to the browser as is the case with AWPr My Spaces.

Hope this helps,

–Alaaeldin

Hyland Connect

AWPR download file security