Force browser to open a file (rather than save/open/cancel)

Discussion in 'Java' started by tiewknvc9, Feb 18, 2007.

  1. tiewknvc9

    tiewknvc9 Guest

    Hi!

    Im using jsp, and tomcat, what I am trying to is have some file
    security.

    The main goal for me is to dissallow users from downloading the setup
    exe directly to their computers, instead I would like to is force them
    to actually open the file (therefore running the setup.exe).

    does anyone have any ideas?
    tiewknvc9, Feb 18, 2007
    #1
    1. Advertising

  2. On Feb 18, 1:26 pm, "tiewknvc9" <> wrote:
    ...
    > Im using jsp, and tomcat, what I am trying to is have some file
    > security.


    Remove all files from the public directories.

    > The main goal for me is to dissallow users from downloading the setup
    > exe directly to their computers, instead I would like to is force


    Forcing the user to do anything, is a
    lost cause.

    >...them
    > to actually open the file (therefore running the setup.exe).
    >
    > does anyone have any ideas?


    Change your strategy.

    Did this have something to do with Java?

    Andrew T.
    Andrew Thompson, Feb 18, 2007
    #2
    1. Advertising

  3. tiewknvc9 wrote:

    > The main goal for me is to dissallow users from downloading the setup
    > exe directly to their computers, instead I would like to is force them
    > to actually open the file (therefore running the setup.exe).
    >
    > does anyone have any ideas?


    Let the users enter their address. You travel to the user, put
    in the CD into the drive and install the stuff you want using
    setup.exe on the CD.


    Regards, Lothar
    --
    Lothar Kimmeringer E-Mail:
    PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

    Always remember: The answer is forty-two, there can only be wrong
    questions!
    Lothar Kimmeringer, Feb 18, 2007
    #3
  4. tiewknvc9

    Alex Hunsley Guest

    tiewknvc9 wrote:
    > Hi!
    >
    > Im using jsp, and tomcat, what I am trying to is have some file
    > security.


    No, what you're trying to do is impinge on the security of other people.

    > The main goal for me is to dissallow users from downloading the setup
    > exe directly to their computers, instead I would like to is force them
    > to actually open the file (therefore running the setup.exe).
    >
    > does anyone have any ideas?


    Get the users to submit their location, go around with the installer on
    CD, run it, then clean their memory, paging file, and any cache
    locations in windows, or they might retrieve the exe.

    This is a really silly request. Why on earth do you want to do this? All
    I can think of is that you're trying to install malware on people's
    computers from a webpage.
    Alex Hunsley, Feb 18, 2007
    #4
  5. tiewknvc9

    Jeff Guest

    On Feb 18, 6:45 am, Alex Hunsley <> wrote:
    > tiewknvc9 wrote:
    > > Hi!

    >
    > > Im using jsp, and tomcat, what I am trying to is have some file
    > > security.

    >
    > No, what you're trying to do is impinge on the security of other people.
    >
    > > The main goal for me is to dissallow users from downloading the setup
    > > exe directly to their computers, instead I would like to is force them
    > > to actually open the file (therefore running the setup.exe).

    >
    > > does anyone have any ideas?

    >
    > Get the users to submit their location, go around with the installer on
    > CD, run it, then clean their memory, paging file, and any cache
    > locations in windows, or they might retrieve the exe.
    >
    > This is a really silly request. Why on earth do you want to do this? All
    > I can think of is that you're trying to install malware on people's
    > computers from a webpage.


    No, actually I think I see what he wants to do. Suppose he has a
    product - an application that he is selling on the web. He wants
    people to be able to pay for that product, then after the transaction
    they are allowed to run the setup program, which installs the program
    on the local computer. What he does not want is for the purchaser to
    get a copy of the setup program that could then be used to install the
    program on multiple computers.

    Not likely to work well with a java based product, as unlike typical
    MSWindows programs Java doesn't usually litter files all over the hard
    drive. But, he is using jsp as the page technology and is interested
    in how to allow a user to run a program from the server without
    downloading it - in effect, like streaming audio rather than allowing
    the user to download the MP3.
    Jeff, Feb 18, 2007
    #5
  6. tiewknvc9

    Lew Guest

    Jeff wrote:
    > No, actually I think I see what he wants to do. Suppose he has a
    > product - an application that he is selling on the web. He wants
    > people to be able to pay for that product, then after the transaction
    > they are allowed to run the setup program, which installs the program
    > on the local computer. What he does not want is for the purchaser to
    > get a copy of the setup program that could then be used to install the
    > program on multiple computers.
    >
    > Not likely to work well with a java based product, as unlike typical
    > MSWindows programs Java doesn't usually litter files all over the hard
    > drive. But, he is using jsp as the page technology and is interested
    > in how to allow a user to run a program from the server without
    > downloading it - in effect, like streaming audio rather than allowing
    > the user to download the MP3.


    This sort of thing is done with JEE all the time - it's called
    "Service-Oriented Architecture" and "portals".

    The degree of difficulty is influenced by one's degree of ownership of the
    services provided. Extremely exogenous processes may require screen scraping,
    or even manual intervention; nepotistic services could share resources directly.

    - Lew
    Lew, Feb 18, 2007
    #6
  7. tiewknvc9

    Alex Hunsley Guest

    Jeff wrote:
    > On Feb 18, 6:45 am, Alex Hunsley <> wrote:
    >> tiewknvc9 wrote:
    >>> Hi!
    >>> Im using jsp, and tomcat, what I am trying to is have some file
    >>> security.

    >> No, what you're trying to do is impinge on the security of other people.
    >>
    >>> The main goal for me is to dissallow users from downloading the setup
    >>> exe directly to their computers, instead I would like to is force them
    >>> to actually open the file (therefore running the setup.exe).
    >>> does anyone have any ideas?

    >> Get the users to submit their location, go around with the installer on
    >> CD, run it, then clean their memory, paging file, and any cache
    >> locations in windows, or they might retrieve the exe.
    >>
    >> This is a really silly request. Why on earth do you want to do this? All
    >> I can think of is that you're trying to install malware on people's
    >> computers from a webpage.

    >
    > No, actually I think I see what he wants to do. Suppose he has a
    > product - an application that he is selling on the web. He wants
    > people to be able to pay for that product, then after the transaction
    > they are allowed to run the setup program, which installs the program
    > on the local computer. What he does not want is for the purchaser to
    > get a copy of the setup program that could then be used to install the
    > program on multiple computers.


    Right, I can imagine him wanting that... I just don't think it's very
    realistic. It reminds me of people asking, "How can I put images on a
    web page but stop people from downloading them?" - ultimately, you
    can't. If you can see it, you've downloaded it in some form. Methods of
    hiding/obfuscating the information exist (e.g. image-viewing flash
    movies that download the info in a non-standard format, descramble it,
    then show it in the browser), and they can work to a certain extent. But
    ultimately, if you put the info out there on a web page, the user can
    get the information.

    A more common way of doing it is the requiring of a license key for the
    software to run... but in the end, same problem: the information is in
    the end-users hands. They can mangle it and prod it and edit it and
    disable protection, etc. Obviously not trivial to do for exes, but
    crackers do that sort of stuff....

    > Not likely to work well with a java based product, as unlike typical
    > MSWindows programs Java doesn't usually litter files all over the hard
    > drive.


    Sorry, not quite sure what you mean there.... What is it that won't work
    well with a Java product?

    > But, he is using jsp as the page technology and is interested
    > in how to allow a user to run a program from the server without
    > downloading it -


    Well, web applications are running on the server side, not the client,
    so that is one solution, but it's not a native .exe, obviously. The user
    just can't run a program on their own computer with downloading it
    somehow, in some form.

    > in effect, like streaming audio rather than allowing
    > the user to download the MP3.


    Streaming audio is in effect actually just downloading an audio file
    (but playing the file as it goes along and not saving it to the local
    disk). There's a stream setup protocol on top (e.g. RTSP for streaming
    video) that to some degree hides where the actual file/data is. But if
    you know the protocols you can usually locate the actual file and
    download it by using wget or curl on the command line, or just pasting
    the actual file's url in your browser, then hitting 'save' if you are
    offered the option.
    Alex Hunsley, Feb 19, 2007
    #7
  8. tiewknvc9

    Jeff Guest

    On Feb 18, 7:06 pm, Alex Hunsley <> wrote:
    > Jeff wrote:
    > > On Feb 18, 6:45 am, Alex Hunsley <> wrote:
    > >> tiewknvc9 wrote:
    > >>> Hi!
    > >>> Im using jsp, and tomcat, what I am trying to is have some file
    > >>> security.
    > >> No, what you're trying to do is impinge on the security of other people.

    >
    > >>> The main goal for me is to dissallow users from downloading the setup
    > >>> exe directly to their computers, instead I would like to is force them
    > >>> to actually open the file (therefore running the setup.exe).
    > >>> does anyone have any ideas?
    > >> Get the users to submit their location, go around with the installer on
    > >> CD, run it, then clean their memory, paging file, and any cache
    > >> locations in windows, or they might retrieve the exe.

    >
    > >> This is a really silly request. Why on earth do you want to do this? All
    > >> I can think of is that you're trying to install malware on people's
    > >> computers from a webpage.

    >
    > > No, actually I think I see what he wants to do. Suppose he has a
    > > product - an application that he is selling on the web. He wants
    > > people to be able to pay for that product, then after the transaction
    > > they are allowed to run the setup program, which installs the program
    > > on the local computer. What he does not want is for the purchaser to
    > > get a copy of the setup program that could then be used to install the
    > > program on multiple computers.

    >
    > Right, I can imagine him wanting that... I just don't think it's very
    > realistic. It reminds me of people asking, "How can I put images on a
    > web page but stop people from downloading them?" - ultimately, you
    > can't. If you can see it, you've downloaded it in some form. Methods of
    > hiding/obfuscating the information exist (e.g. image-viewing flash
    > movies that download the info in a non-standard format, descramble it,
    > then show it in the browser), and they can work to a certain extent. But
    > ultimately, if you put the info out there on a web page, the user can
    > get the information.
    >
    > A more common way of doing it is the requiring of a license key for the
    > software to run... but in the end, same problem: the information is in
    > the end-users hands. They can mangle it and prod it and edit it and
    > disable protection, etc. Obviously not trivial to do for exes, but
    > crackers do that sort of stuff....
    >
    > > Not likely to work well with a java based product, as unlike typical
    > > MSWindows programs Java doesn't usually litter files all over the hard
    > > drive.

    >
    > Sorry, not quite sure what you mean there.... What is it that won't work
    > well with a Java product?
    >
    > > But, he is using jsp as the page technology and is interested
    > > in how to allow a user to run a program from the server without
    > > downloading it -

    >
    > Well, web applications are running on the server side, not the client,
    > so that is one solution, but it's not a native .exe, obviously. The user
    > just can't run a program on their own computer with downloading it
    > somehow, in some form.
    >
    > > in effect, like streaming audio rather than allowing
    > > the user to download the MP3.

    >
    > Streaming audio is in effect actually just downloading an audio file
    > (but playing the file as it goes along and not saving it to the local
    > disk). There's a stream setup protocol on top (e.g. RTSP for streaming
    > video) that to some degree hides where the actual file/data is. But if
    > you know the protocols you can usually locate the actual file and
    > download it by using wget or curl on the command line, or just pasting
    > the actual file's url in your browser, then hitting 'save' if you are
    > offered the option.



    When I said it may not work for java apps, what I was referring to is
    that Windows apps tend to get littered around the hard drive, with
    parts in system directories as well as the application directory, and
    entries in the registry to put it all together. It is therefore hard
    to just zip up a directory and send it to a friend so they can use the
    program to.

    Java is much better behaved, but that also means that it is easier to
    zip up a directory and send it to a friend and have the application
    work on their system. So, a protection scheme that depends on one
    time use of an installer is not as likely to work. Once the installer
    sets up the application directory and places the files, that directory
    can be zipped and sent to a friend.

    So, AT's suggestion to change the approach seems best.
    Jeff, Feb 19, 2007
    #8
  9. tiewknvc9

    Alex Hunsley Guest

    Jeff wrote:

    > When I said it may not work for java apps, what I was referring to is
    > that Windows apps tend to get littered around the hard drive, with
    > parts in system directories as well as the application directory, and
    > entries in the registry to put it all together. It is therefore hard
    > to just zip up a directory and send it to a friend so they can use the
    > program to.
    >
    > Java is much better behaved, but that also means that it is easier to
    > zip up a directory and send it to a friend and have the application
    > work on their system. So, a protection scheme that depends on one
    > time use of an installer is not as likely to work. Once the installer
    > sets up the application directory and places the files, that directory
    > can be zipped and sent to a friend.
    >
    > So, AT's suggestion to change the approach seems best.


    Ah I see, thanks for clarifying. Yup, change of approach seems good.
    lex

    >
    Alex Hunsley, Feb 19, 2007
    #9
  10. "tiewknvc9" <> writes:

    > The main goal for me is to dissallow users from downloading the setup
    > exe directly to their computers, instead I would like to is force them
    > to actually open the file (therefore running the setup.exe).


    .... and when they run it, where do you think they run it FROM? Look up
    "Temporary Internet Files".
    Tor Iver Wilhelmsen, Feb 19, 2007
    #10
  11. tiewknvc9 schrieb:
    > Hi!
    >
    > Im using jsp, and tomcat, what I am trying to is have some file
    > security.
    >
    > The main goal for me is to dissallow users from downloading the setup
    > exe directly to their computers, instead I would like to is force them
    > to actually open the file (therefore running the setup.exe).


    Simple answer: you can't.

    The browser sends an HTTP request to your web-server which in turn
    answers with an HTTP response. This response contains (aside other
    information like status and headers) your setup.exe. Even if there were
    headers which describe your concern, they only can ask the client to do
    what you like...

    IOW: A browser may not consider your request to open the file.

    Bye
    Michael
    Michael Rauscher, Feb 19, 2007
    #11
  12. Michael Rauscher wrote:
    > IOW: A browser may not consider your request to open the file.


    Hmm, I think it should be 'might not' instead of 'may not'...

    Bye
    Michael
    Michael Rauscher, Feb 19, 2007
    #12
  13. tiewknvc9

    Chris Uppal Guest

    Michael Rauscher wrote:
    > Michael Rauscher wrote:
    > > IOW: A browser may not consider your request to open the file.

    >
    > Hmm, I think it should be 'might not' instead of 'may not'...


    ;-)


    Hopefully the browser /would/ not -- if a website can force a browser to run a
    program without the user having the chance to save it to a safe location for
    virus-checking (etc) then that browser is /badly/ broken...

    -- chris
    Chris Uppal, Feb 19, 2007
    #13
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. tma

    Force download rather than view

    tma, Aug 7, 2004, in forum: ASP .Net
    Replies:
    7
    Views:
    805
    =?Utf-8?B?SmVyZW15IERhdmlz?=
    Aug 8, 2004
  2. Iain
    Replies:
    1
    Views:
    410
    Alexey Smirnov
    Apr 9, 2007
  3. eddie wang
    Replies:
    0
    Views:
    389
    eddie wang
    Oct 3, 2003
  4. Richard Hollenbeck

    prompting to "save as" rather than opening images

    Richard Hollenbeck, Jan 12, 2004, in forum: Javascript
    Replies:
    5
    Views:
    109
  5. joltman
    Replies:
    2
    Views:
    93
Loading...

Share This Page