Re: Controlling access to pdf/doc files

If I may, let me describe how a PDF-based application that we built 
works.

> Question - How can I ensure my application allows only authenticated
> users access to files like *.pdf or *.doc?

and

> Generate the PDF/DOC/whatever on the fly at the time of the request.

In our application, the FDF data is submitted over https to a ASP 
script that calls up PDF template files that the FDF data is inserted 
into, twice. One copy is encrypted and sent via e-mail to the home 
office, the other is fed back down to the client as a stream as others 
have suggested (over https). The PDF files with the data inserted only 
exists in memory on the server, and is never written to disk.

The end user's template file has a red warning message that says to 
save the file from the browser. This message does not print, it is only 
visible in a viewer. There is a button with a JavaScript action labeled 
"Save document" that brings up the save dialog. Another button with a 
JavaScript action goes to the home page URL.

The template for the home office does not have the end user features. 
We use the PDF encryption for this version. I know that this encryption 
is not as strong as other methods, but the client was comfortable with 
the usability trade-off. We use both password fields and use the 
maximum number of characters.

We like PDF better than MS Word format because the format is openly 
documented and many tools exists to generate and manipulate documents 
in that format. Readers for the format are freely available on multiple 
platforms.

Two issues we have run into are that Windows IE doesn't use the file 
name provided in the data stream, so we have to instruct users to name 
the the file correctly when it is saved. Other browsers/platforms do 
not have this problem and behave correctly. The other issue is that 
Adobe has not released a Acrobat browser plug-in for OS X. However, 
Reader version 6.x for OS X can submit form data. Previously only the 
full version of Acrobat could submit FDF data outside of a browser.


Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265
chasd@xxxxxxxxxxxxxx