Securing downloaded files
When downloading files in the Web UI Framework, the file download request is authenticated and authorized by passing an API name and an API input along with the file download input. The API is called with the API input that was passed. If the API succeeds, the file specified in the file download input is downloaded.
The API which has to be called for file download authorization has to be registered with the class PLTFileDownloadAPIRegistry using the method API(String appCode, String appName). The client request should provide the API name and input. The following is an example of the API input (for the getUserList API):
<User UserKey="">
  <FileAttachments>
    <FileAttachment FileName=""/>
  </FileAttachments>
</User>

Invoking the API runs the usual API security handling, such as token validation, as part of the call. The servlet invokes this API only to learn whether it succeeds: if it does, the user is authorized to download files, and the file whose FileAttachmentKey is provided in the file download input XML is downloaded.
The API template is provided inside the template/filedownloadapi folder in the resources.jar file. This is the template for the API which has to be called for authorization. It should be as small as possible, for example:
<User UserKey="">
  <FileAttachments>
    <FileAttachment FileName="" FileAttachmentKey=""/>
  </FileAttachments>
</User>

Authorization for the file download servlet (PLTFileDownloadServlet) is configured via web.xml. The context parameter is sc-file-download-authorization-required. By default, this property value is TRUE.
For download, APIName, APIInputXML, and FileDownloadInputXML are all required and have to be passed from the client. If the web.xml entry sc-file-download-authorization-required is set to FALSE, then the FileAttachmentKey in FileDownloadInputXML is used directly to fetch the file. If sc-file-download-authorization-required is set to TRUE, then the API passed by the client is called with the API input that was passed. The template for this API call is described earlier in this topic. If the API call succeeds, then the file is downloaded.
The user invoking the servlet must have permission for the API. On successful completion of this API, the file data is decompressed and decoded, and the client is served the file it requested.
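The following is an added model of the decision flow described above, written for this topic and not taken from the framework itself. It assumes that the three client inputs arrive as strings, that the registered authorization API can be represented by a callable returning True on success, and that FileDownloadInputXML follows the element structure of the templates shown earlier; the sample XML and key value are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Callable

# Added model of the documented flow; not the framework's own code.
AUTH_PARAM = "sc-file-download-authorization-required"


def attachment_key(file_download_input_xml: str) -> str:
    """Return the FileAttachmentKey from a FileDownloadInputXML document."""
    root = ET.fromstring(file_download_input_xml)
    node = root.find("./FileAttachments/FileAttachment")
    key = node.get("FileAttachmentKey", "") if node is not None else ""
    if not key:
        raise ValueError("FileDownloadInputXML carries no FileAttachmentKey")
    return key


def authorize_download(web_xml_context: dict, api_name: str, api_input_xml: str,
                       file_download_input_xml: str,
                       call_api: Callable[[str, str], bool]) -> tuple[bool, str]:
    """Model of the servlet's authorization gate.

    web_xml_context maps web.xml context-param names to their values.
    call_api(name, input_xml) stands in for the registered authorization API
    (assumed interface) and returns True when the API succeeds.
    Returns (download_allowed, FileAttachmentKey).
    """
    # All three inputs are required from the client regardless of the flag.
    if not (api_name and api_input_xml and file_download_input_xml):
        raise ValueError("APIName, APIInputXML and FileDownloadInputXML are all required")
    key = attachment_key(file_download_input_xml)
    # The default is TRUE, so an absent entry still requires authorization.
    required = web_xml_context.get(AUTH_PARAM, "TRUE").strip().upper() != "FALSE"
    if not required:
        # Weak setting: the key alone fetches the file and the API is never consulted.
        return True, key
    # Normal setting: the file is released only if the authorization API succeeds.
    return bool(call_api(api_name, api_input_xml)), key


# Constructed sample FileDownloadInputXML following the template structure above.
SAMPLE_DOWNLOAD_INPUT = """<User UserKey="u1">
  <FileAttachments>
    <FileAttachment FileName="report.pdf" FileAttachmentKey="FA-0001"/>
  </FileAttachments>
</User>"""
```

Running the gate with the context parameter set to FALSE shows that a failing API no longer blocks the download, which is why the default of TRUE should be kept in production web.xml.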