How to protect download link in Java?

Secure URI

Protect download link in Java and securing a URL is a Vital Part of internet based web application. This feature is available with most of the Content Delivery Network(CDN) in the Industry, as well as it costs you some dollar monthly/yearly.

This is a inspiration for me to bring similar functionality at Application Server (any Java/J2EE container will do). I have implemented this in “spring-extensions” library v1.0.1; now you will be having couple of questions in your mind.

What are the capabilities ‘spring-extensions’ have to protect URI/URL?
How secure link concept works in ‘spring-extensions’ library?
Link Algorithm – a secure URI consists of following parts
How to secure/protect file download link in Java/J2EE application?

I will be addressing all your queries below.

Capabilities comes in spring-extensions v1.0.1

Link Securing – it may be file or content of page or download link
Link Expiry Time
Pass Key per Ant-Path style pattern(s) in spring application context

~~Coming up! Country/Region level protection in the secure link (allowed & dis-allowed) in next version!~~

How Secure Link concept works?

URL/URIs are secured from alteration by MD5 digest of the valid URL and validating against the actual URL requested. As a result, if an end-user tries to modify the expiry time or hashing value for the URL/URI the server will reject the request since the MD5 is no longer valid. A Pass Key is used to prevent unauthorized regeneration of the MD5 hash. The pass key known to Application (server-side). Secure URLs are typically generated on the application server that serves the pages with links to the file/content/download.

Secure URL/URIs will be generated by below method which returns signed URL in your Java/J2EE web application, more info refer javadoc–

// Method which generates secured URI/URL

generateSecureUri(String file, long expiryTime, String additionalParams);

// Method which generates secured URI/URL

generateSecureUri(String file, long expiryTime, String additionalParams);

Algorithm: A Secure URI consists

The file to be served – Base URI after host-name & port no e.g. /path-to-content/sample.pdf
An expiry time – Expiry time in milliseconds, this is not optional parameter but can be 0 (Zero) to indicate secure link doesn’t expire (e.g. e=1746574657647)
An additional params – addition URL parameters apart secure link but can be empty string
The MD5 hash that secures the URI (e.g. h=2be2b92d1422c497f863a20651fd66b6)

The expiry time is specified as a standard POSIX timestamp (milliseconds since January 1 1970 00:00:00 UTC). The server compares this timestamp with the current time to validate if the URL/URI has expired.

A MD5 hash is generated for the URI using the following data in API:

MD5 string = “pass key” + file + “?e=” + expiryTime

1	MD5 string = “pass key” + file + “?e=” + expiryTime

How to protect download link in Java / J2EE?

Step 1: Referring spring-extesions library in your application

Mavenized project you can get dependencies information, please have a look here or You can download a spring-extensions library from GitHub and include it in the Build Path

Step 2:

Download secure-uri application context: applicationContext-secure-uri.xml

Downloaded app context will look like this, Spring Bean definition-

<bean id="secureUriFilter">
	<property name="secureUriMapper" ref="secureUriMapper" />
</bean>

<bean id="secureUriProvider">
	<property name="secureUriMapper" ref="secureUriMapper" />
</bean>

<bean id="secureUriMapper">
	<property name="uriMappings">
		<map>
			<entry key="tg54f54h59e"><value>/data/secure/*</value></entry>
			<entry key="34ti94l2qo"><value>/protected/*</value></entry>
		</map>
	</property>
</bean>

</bean>

</bean>

<map>

<entry key="tg54f54h59e"><value>/data/secure/*</value></entry>

<entry key="34ti94l2qo"><value>/protected/*</value></entry>

</map>

</property>

</bean>

Step 3:

Filter definition in the web.xml; secureServerURI is a HTTP filter implementation that being invoked by Spring DelegatingFilterProxy mapped in web.xml

Filter configuration looks like-

<filter>
	<filter-name>secureUriFilter</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
	<filter-name>secureUriFilter</filter-name>
	<url-pattern>/data/secure/*</url-pattern>
</filter-mapping>

<filter-mapping>
	<filter-name>secureUriFilter</filter-name>
	<url-pattern>/protected/*</url-pattern>
</filter-mapping>

<filter-name>secureUriFilter</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

</filter>

<filter-mapping>

<filter-name>secureUriFilter</filter-name>

<url-pattern>/data/secure/*</url-pattern>

</filter-mapping>

<filter-mapping>

<filter-name>secureUriFilter</filter-name>

<url-pattern>/protected/*</url-pattern>

</filter-mapping>

Choose required url-pattern in the filter-mapping; you have successfully configured spring-extensions library in your application.

Completion – Your Application URLs are Protected

That’s all application is ready to protect your valuable file download, content of page link or etc., without any additional costs to you and spring-extensions id easy to use in your application.