Re: Controlling access to pdf/doc files: msg#00077 (security.web-applications)
Hi,

The actual solution would depend on specific scenarios: type of architecture, application servers used, etc., and the complexity and granularity of controls needed.

In any enterprise application, it is best to have a set of core services that provide authentication and authorization mechanisms. Access control to specific files (could be bank account statements, or even code pages like .asp or .jsp) needs to be handled through the authorization module. Every request for a resource needs to be validated by the authorization module, and this can be based on the user, or his/her role, or some other attribute.

One of the drawbacks of the above is that the control is done through programmatic means, and hence the chances of mistakes from the application administrator and bugs while coding are high.

Some of the application servers (conforming to J2EE specs, not sure of the .NET world) do provide authorization mechanisms based on roles. You can specify (in a declarative way, in XML format) the specific resources that are accessible based on roles.

-SRP (srp@xxxxxxxx)
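The declarative, role-based control mentioned in the message above, as an added example that is not part of the original post: a Servlet 2.4 `web.xml` fragment for a J2EE web application. The role name `statement-reader`, the realm name and the URL patterns are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: role name, realm name and URL patterns are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected documents</web-resource-name>
      <!-- Extension patterns match these file types anywhere in the app. -->
      <url-pattern>*.pdf</url-pattern>
      <url-pattern>*.doc</url-pattern>
      <!-- No <http-method> elements on purpose: the constraint then
           applies to every HTTP method. Listing only GET and POST would
           leave all other methods unconstrained. -->
    </web-resource-collection>

    <!-- Only authenticated users holding this role get the resource. -->
    <auth-constraint>
      <role-name>statement-reader</role-name>
    </auth-constraint>

    <!-- Require TLS so credentials and documents are not sent in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container authenticates the caller before the role check. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Documents</realm-name>
  </login-config>

  <!-- Every role referenced in a constraint must be declared. -->
  <security-role>
    <role-name>statement-reader</role-name>
  </security-role>

</web-app>
```

The container enforces this only for requests that pass through the web application, and only at role granularity. Deciding which user may read which individual statement still has to go through the application's own authorization module.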