Force browser to open a file (rather than save/open/cancel)

[tiewknvc9]

Hi!

Im using jsp, and tomcat, what I am trying to is have some file
security.

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force them
to actually open the file (therefore running the setup.exe).

does anyone have any ideas?

 

[Andrew Thompson]

Im using jsp, and tomcat, what I am trying to is have some file
security.

Remove all files from the public directories.

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force

Forcing the user to do anything, is a
lost cause.

...them
to actually open the file (therefore running the setup.exe).

does anyone have any ideas?

Change your strategy.

Did this have something to do with Java?

Andrew T.

 

[Lothar Kimmeringer]

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force them
to actually open the file (therefore running the setup.exe).

does anyone have any ideas?

Let the users enter their address. You travel to the user, put
in the CD into the drive and install the stuff you want using
setup.exe on the CD.


Regards, Lothar
--
Lothar Kimmeringer E-Mail: (e-mail address removed)
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

 

[Alex Hunsley]

Hi!

Im using jsp, and tomcat, what I am trying to is have some file
security.

No, what you're trying to do is impinge on the security of other people.

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force them
to actually open the file (therefore running the setup.exe).

does anyone have any ideas?

Get the users to submit their location, go around with the installer on
CD, run it, then clean their memory, paging file, and any cache
locations in windows, or they might retrieve the exe.

This is a really silly request. Why on earth do you want to do this? All
I can think of is that you're trying to install malware on people's
computers from a webpage.

 

[Jeff]

No, what you're trying to do is impinge on the security of other people.



Get the users to submit their location, go around with the installer on
CD, run it, then clean their memory, paging file, and any cache
locations in windows, or they might retrieve the exe.

This is a really silly request. Why on earth do you want to do this? All
I can think of is that you're trying to install malware on people's
computers from a webpage.

No, actually I think I see what he wants to do. Suppose he has a
product - an application that he is selling on the web. He wants
people to be able to pay for that product, then after the transaction
they are allowed to run the setup program, which installs the program
on the local computer. What he does not want is for the purchaser to
get a copy of the setup program that could then be used to install the
program on multiple computers.

Not likely to work well with a java based product, as unlike typical
MSWindows programs Java doesn't usually litter files all over the hard
drive. But, he is using jsp as the page technology and is interested
in how to allow a user to run a program from the server without
downloading it - in effect, like streaming audio rather than allowing
the user to download the MP3.

 

[Lew]

No, actually I think I see what he wants to do. Suppose he has a
product - an application that he is selling on the web. He wants
people to be able to pay for that product, then after the transaction
they are allowed to run the setup program, which installs the program
on the local computer. What he does not want is for the purchaser to
get a copy of the setup program that could then be used to install the
program on multiple computers.

Not likely to work well with a java based product, as unlike typical
MSWindows programs Java doesn't usually litter files all over the hard
drive. But, he is using jsp as the page technology and is interested
in how to allow a user to run a program from the server without
downloading it - in effect, like streaming audio rather than allowing
the user to download the MP3.

This sort of thing is done with JEE all the time - it's called
"Service-Oriented Architecture" and "portals".

The degree of difficulty is influenced by one's degree of ownership of the
services provided. Extremely exogenous processes may require screen scraping,
or even manual intervention; nepotistic services could share resources directly.

- Lew

 

[Alex Hunsley]

No, actually I think I see what he wants to do. Suppose he has a
product - an application that he is selling on the web. He wants
people to be able to pay for that product, then after the transaction
they are allowed to run the setup program, which installs the program
on the local computer. What he does not want is for the purchaser to
get a copy of the setup program that could then be used to install the
program on multiple computers.

Right, I can imagine him wanting that... I just don't think it's very
realistic. It reminds me of people asking, "How can I put images on a
web page but stop people from downloading them?" - ultimately, you
can't. If you can see it, you've downloaded it in some form. Methods of
hiding/obfuscating the information exist (e.g. image-viewing flash
movies that download the info in a non-standard format, descramble it,
then show it in the browser), and they can work to a certain extent. But
ultimately, if you put the info out there on a web page, the user can
get the information.

A more common way of doing it is the requiring of a license key for the
software to run... but in the end, same problem: the information is in
the end-users hands. They can mangle it and prod it and edit it and
disable protection, etc. Obviously not trivial to do for exes, but
crackers do that sort of stuff....

Not likely to work well with a java based product, as unlike typical
MSWindows programs Java doesn't usually litter files all over the hard
drive.

Sorry, not quite sure what you mean there.... What is it that won't work
well with a Java product?

But, he is using jsp as the page technology and is interested
in how to allow a user to run a program from the server without
downloading it -

Well, web applications are running on the server side, not the client,
so that is one solution, but it's not a native .exe, obviously. The user
just can't run a program on their own computer with downloading it
somehow, in some form.

in effect, like streaming audio rather than allowing
the user to download the MP3.

Streaming audio is in effect actually just downloading an audio file
(but playing the file as it goes along and not saving it to the local
disk). There's a stream setup protocol on top (e.g. RTSP for streaming
video) that to some degree hides where the actual file/data is. But if
you know the protocols you can usually locate the actual file and
download it by using wget or curl on the command line, or just pasting
the actual file's url in your browser, then hitting 'save' if you are
offered the option.

 

[Jeff]

Right, I can imagine him wanting that... I just don't think it's very
realistic. It reminds me of people asking, "How can I put images on a
web page but stop people from downloading them?" - ultimately, you
can't. If you can see it, you've downloaded it in some form. Methods of
hiding/obfuscating the information exist (e.g. image-viewing flash
movies that download the info in a non-standard format, descramble it,
then show it in the browser), and they can work to a certain extent. But
ultimately, if you put the info out there on a web page, the user can
get the information.

A more common way of doing it is the requiring of a license key for the
software to run... but in the end, same problem: the information is in
the end-users hands. They can mangle it and prod it and edit it and
disable protection, etc. Obviously not trivial to do for exes, but
crackers do that sort of stuff....


Sorry, not quite sure what you mean there.... What is it that won't work
well with a Java product?


Well, web applications are running on the server side, not the client,
so that is one solution, but it's not a native .exe, obviously. The user
just can't run a program on their own computer with downloading it
somehow, in some form.


Streaming audio is in effect actually just downloading an audio file
(but playing the file as it goes along and not saving it to the local
disk). There's a stream setup protocol on top (e.g. RTSP for streaming
video) that to some degree hides where the actual file/data is. But if
you know the protocols you can usually locate the actual file and
download it by using wget or curl on the command line, or just pasting
the actual file's url in your browser, then hitting 'save' if you are
offered the option.

When I said it may not work for java apps, what I was referring to is
that Windows apps tend to get littered around the hard drive, with
parts in system directories as well as the application directory, and
entries in the registry to put it all together. It is therefore hard
to just zip up a directory and send it to a friend so they can use the
program to.

Java is much better behaved, but that also means that it is easier to
zip up a directory and send it to a friend and have the application
work on their system. So, a protection scheme that depends on one
time use of an installer is not as likely to work. Once the installer
sets up the application directory and places the files, that directory
can be zipped and sent to a friend.

So, AT's suggestion to change the approach seems best.

 

[Alex Hunsley]

When I said it may not work for java apps, what I was referring to is
that Windows apps tend to get littered around the hard drive, with
parts in system directories as well as the application directory, and
entries in the registry to put it all together. It is therefore hard
to just zip up a directory and send it to a friend so they can use the
program to.

Java is much better behaved, but that also means that it is easier to
zip up a directory and send it to a friend and have the application
work on their system. So, a protection scheme that depends on one
time use of an installer is not as likely to work. Once the installer
sets up the application directory and places the files, that directory
can be zipped and sent to a friend.

So, AT's suggestion to change the approach seems best.

Ah I see, thanks for clarifying. Yup, change of approach seems good.
lex

 

[Tor Iver Wilhelmsen]

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force them
to actually open the file (therefore running the setup.exe).

.... and when they run it, where do you think they run it FROM? Look up
"Temporary Internet Files".

 

[Michael Rauscher]

Hi!

Im using jsp, and tomcat, what I am trying to is have some file
security.

The main goal for me is to dissallow users from downloading the setup
exe directly to their computers, instead I would like to is force them
to actually open the file (therefore running the setup.exe).

Simple answer: you can't.

The browser sends an HTTP request to your web-server which in turn
answers with an HTTP response. This response contains (aside other
information like status and headers) your setup.exe. Even if there were
headers which describe your concern, they only can ask the client to do
what you like...

IOW: A browser may not consider your request to open the file.

Bye
Michael

 

[Michael Rauscher]

IOW: A browser may not consider your request to open the file.

Hmm, I think it should be 'might not' instead of 'may not'...

Bye
Michael

 

[Chris Uppal]

Hmm, I think it should be 'might not' instead of 'may not'...

;-)


Hopefully the browser /would/ not -- if a website can force a browser to run a
program without the user having the chance to save it to a safe location for
virus-checking (etc) then that browser is /badly/ broken...

-- chris