Protecting download asset

This message was edited 1 time. Last update was at 27/01/2011 15:34:05

Hi list !

I've come across a tricky problem on protecting download asset. By default, URL for digital assets are composed with the file system tree structure (working/digitalAssets/0/foobar.txt) which is OK if the content isn't protected.
If you protect the content on which digital asset is attached, protection won't be checked, which is not good anymore =/

URL are built for 2 purposes :
- links build with digital asset url taglib (content:assetUrl) which use the template controller's getAssetUrl method
- links within rich text (FCK editor content) which use the template controller's getInlineAssetUrl method

Both of these methods use ContentDeliveryController.getContentDeliveryController().getAssetUrl which is good news =) This method takes the deliveryContext in parameter. This is where things become interesting : useDownloadAction. This is the attribute needed to be set to use an action URL instead a file system based URL.

You can set it for the whole page like this :
That is something you can do on your base template into the preTemplate part.

You can set it with the taglib like this :
You have to set it everywhere you need the action URL because the default value is set to false !
That's not cool ='( I think it would be better to have the delivery context parameter unchanged if the parameter isn't set.

So to summarise, if you want to protect your digital asset with the rights set in the CMS, do both of these :
- set the delivery context parameter useDownloadAction to true
- set the useDownloadAction parameter for the taglib assetUrl each time it's needed.

Now we have an action URL (/working/DownloadProtectedAsset.action?MY_PARAMETER=..
If the content isn't protected, all works well.
If not, nothing is accessible, the only thing we've got is a 302 http code (Moved temporarily) in return =/
As I was not authenticated and the content was protected, I was expecting a 401 return code (Unauthorized).
Even if I authenticate, same return code =/

In DownloadAssetAction, there is a special treatment for application which aren't cms (so we're speaking of delivers). Digital asets information are retrieve with ContentDeliveryController.getContentDeliveryController().getDigitalAssetId which take the infoglue principal in parameter.
Infoglue principal is retrieve using this : sessionDelegate.get(IG_PRINCIPAL) with INFOGLUE_FILTER_USER = "org.infoglue.cms.security.user";
It's OK for the CMS, but not for the deliver. For the deliver, you need to do this : sessionDelegate.get("infogluePrincipal");
We cant' change the value of INFOGLUE_FILTER_USER, it's a final attribute.

The only thing I can see to solve this issue is to override DownloadAssetAction to manage my own accessor to the principal. That means I have to overload getAssetInformation method and as it is a private method, I also have to override the doExecute method.
Into the action, we can retrieve the principal with : getHttpSession().getAttribute("infogluePrincipal");

Hi Astik,

Which version do you use ? I'm on a 2.9.7 and i have the kind of problem you mention.

For what i've seen, infoGluePrincipal is retrieved differently since 2.9.8 in DownloadAssetAction.

By the way, all the downloaded protected assets have the same name. Returning the name of the protected asset could be really interesting

The problem was encountered on 2.9.7.1 Final (2009-05-10) which is the latest official version.
I haven't check the latest action, I waiting for the next stable version.
Speaking of the devil, does anybody has any news about the future of Infoglue ? There wasn't any news since december's meeting =/

I where at the developer meeting last fall. They said at the time that they where about 80% done with version 3.0 but the founder Mattias Bogeblad was going to be home with his child during a longer stretch and was not going to be able to do much on infoglue. However we got the period first quarter of 2010 as release date. That period now over and last time i heard anything was that they where going to go over a list of bugs before the release. I dont know how long that will take but we also asked that this forum could at least be linked from the homepage. We have understood that in order to finance this project they cant give out free help(understandable) and one of their developer agreed with our request to get the forum link from their hompage just like the majority of software products have.

Back to the release date i wish i knew more than its on its final stage of what we have heard and that i kinda hope it will come out before the summer since things have a tendency to halt during that time. A funny note is that during a short period of time during a normal svn update at least me and my fellow developer here at the university got the 3.0 version. There are prob some demo sites up if you ask infoglue.

It will be very easy to spot if you got the 3.0 version of IG since the design have changed alot from 2.9.x.x . You can also see small hints what it will contain since there are some scraps in the current version with CK files and form creator.

This message was edited 1 time. Last update was at 27/01/2011 15:31:03

I have tested version 3 a while ago, indeed there are some big changes. But when I tested it, all wasn't working well. I'm really pleased to hear that the next version is coming soon.

We have understood that in order to finance this project they cant give out free help(understandable) and one of their developer agreed with our request to get the forum link from their hompage just like the majority of software products have.

This part makes me tinkle, maybe I don't have understood Infoglue management =/
As IG's community is quite closed, no one, outside the project, can officially help or know where the project's going. It's pretty uncool as the developer's team seems quite little.
When you say it's understandable, i disagree on this point. To finance an open source project, you need a community or sponsor. As it is really difficult to join the team (I know, I have offered my services a few times), the only thing left is a sponsor, I guess this is modul1.se or each team member's business.
So, to make my point clear, I think team member should talk more on this forum to answer the user, the communication between user/developer and the team's member should be clearer.

My position might sound harsh, but it's the only way to make the project growing. Lots of my customers are wondering about IG's community, sadly I have nothing to answer to them =/

astik wrote:The problem was encountered on 2.9.7.1 Final (2009-05-10) which is the latest official version.

Actually, if you go via the official site you end up at http://sourceforge.net/projects/infoglue/files/ where the latest stable version is 2.9.9.2 Final.

This message was edited 1 time. Last update was at 17/05/2010 14:44:03

astik wrote:I have tested version 3 a while ago, indeed there are some big changes. But when I tested it, all wasn't working well. I'm really pleased to hear that the next version is coming soon.

We have understood that in order to finance this project they cant give out free help(understandable) and one of their developer agreed with our request to get the forum link from their hompage just like the majority of software products have.

This part makes me tinkle, maybe I don't have understood Infoglue management =/
As IG's community is quite closed, no one, outside the project, can officially help or know where the project's going. It's pretty uncool as the developer's team seems quite little.
When you say it's understandable, i disagree on this point. To finance an open source project, you need a community or sponsor. As it is really difficult to join the team (I know, I have offered my services a few times), the only thing left is a sponsor, I guess this is modul1.se or each team member's business.
So, to make my point clear, I think team member should talk more on this forum to answer the user, the communication between user/developer and the team's member should be clearer.

My position might sound harsh, but it's the only way to make the project growing. Lots of my customers are wondering about IG's community, sadly I have nothing to answer to them =/

I agree with your opinions, personally. But when i got it explained to me i guess i understood what situation they where currently in. In any case, i also think that it is pretty essential to have a strong community if IG is going to grow.
I think that modul1 employees have started contributing to this community recently so i guess we could state our wishes in the core developer thread.

This message was edited 1 time. Last update was at 27/01/2011 15:31:14

the latest stable version is 2.9.9.2 Final

Sweet, I missed this news, I'll check it out as soon as possible =)

i guess we could state our wishes in the core developer thread

You're absolutely right, maybe we can use this part of the forum to organize work around IG better than what we did with MSN conference =D