How to protect download link in Java?

protect download link in Java

Secure URI

Protect download link in Java and securing a URL is a Vital Part of internet based web application. This feature is available with most of the Content Delivery Network(CDN) in the Industry, as well as it costs you some dollar monthly/yearly.

This is a inspiration for me to bring similar functionality at Application Server (any Java/J2EE container will do). I have implemented this in “spring-extensions” library v1.0.1; now you will be having couple of questions in your mind.

    • What are the capabilities ‘spring-extensions’ have to protect URI/URL?
    • How secure link concept works in ‘spring-extensions’ library?
    • Link Algorithm – a secure URI consists of following parts
    • How to secure/protect file download link in Java/J2EE application?

I will be addressing all your queries below.

Capabilities comes in spring-extensions v1.0.1

  • Link Securing – it may be file or content of page or download link
  • Link Expiry Time
  • Pass Key per Ant-Path style pattern(s) in spring application context

Coming up! Country/Region level protection in the secure link (allowed & dis-allowed) in next version!

How Secure Link concept works?

URL/URIs are secured from alteration by MD5 digest of the valid URL and validating against the actual URL requested.  As a result, if an end-user tries to modify the expiry time or hashing value for the URL/URI the server will reject the request since the MD5 is no longer valid.  A Pass Key is used to prevent unauthorized regeneration of the MD5 hash. The pass key known to Application (server-side). Secure URLs are typically generated on the application server that serves the pages with links to the file/content/download.

Secure URL/URIs will be generated by below method which returns signed URL in your Java/J2EE web  application, more info refer javadoc

Algorithm: A Secure URI consists

  • The file  to be served – Base URI after host-name & port no e.g. /path-to-content/sample.pdf
  • An expiry time   Expiry time in milliseconds, this is not optional parameter but can be 0 (Zero) to indicate secure link doesn’t expire (e.g. e=1746574657647)
  • An additional params – addition URL parameters apart secure link but can be empty string
  • The MD5 hash that secures the URI (e.g. h=2be2b92d1422c497f863a20651fd66b6)

The expiry time is specified as a standard POSIX timestamp (milliseconds since January 1 1970 00:00:00 UTC).  The server compares this timestamp with the current time to validate if the URL/URI has expired.

A MD5 hash is generated for the URI using the following data in API:

How to protect download link in Java / J2EE?

Step 1:  Referring spring-extesions library in your application

Mavenized project you can get dependencies information, please have a look here  or  You can download a spring-extensions library from GitHub and include it in the Build Path

Step 2: 

Download secure-uri application context: applicationContext-secure-uri.xml

Downloaded app context will look like this, Spring Bean definition-

Step 3:

Filter definition in the web.xml; secureServerURI is a HTTP filter implementation that being invoked by Spring DelegatingFilterProxy mapped in web.xml

Filter configuration looks like-

Choose required url-pattern in the filter-mapping; you have successfully configured spring-extensions library in your application.

Completion – Your Application URLs are Protected

That’s all application is ready to protect your valuable file download, content of page link or etc., without any additional costs to you and spring-extensions id easy to use in your application.