0

Background: I am creating a file server. I am using Tomcat behind Nginx reverse proxy. I have a main server which host the UI and lots of edge servers where I hope to store user uploaded files and serve them back. It's a private file storage so only the file uploader should be able to download their uploaded files.

Problem: I authenticate users on the main server when they login to their account by creating a session and keep it to validate further requests from users (regular stuff). This information is not propergated to edge servers, edge servers serve files to any request. That's not what I want. I want to authorize downloads only to file owner.

Now, here I am trying to avoid Tomcat clustering where edges and main servers configure as a cluster that has sessions distributed. Site is SSL supported. Is there a way to validate a user's login status when a file download request reach an edge server from a user who is already logged in(created a session) the main server?

printfmyname
  • 983
  • 15
  • 30
  • where does your trust boundary lie? Can your request from main to edge simply contain the userId and edge can verify it before serving the file back or return 401 Unauthorized when the given user is not allowed? Or do you have to make user files as safe as possible even against people with access to the servers (admins, operators, employees, etc) ? – diginoise Mar 10 '17 at 12:23
  • Something in between. userId is too weak as some one can guess it. Disallowing admin access to file would require encrypting the whole file using a key known only to file owner and decrypt it on the clients browser. What I want it prevent some one (other than the owner) from downloading it over the internet using a direct like to the file. – printfmyname Mar 10 '17 at 13:53
  • 1
    You need to make edge servers security transaction aware somehow... A cookie with the session expiry time encrypted with main server's private key; edge servers would then decrypt the cookie using main's public key. – diginoise Mar 10 '17 at 15:59

1 Answers1

1

I see several approaches you could use

You can use a form of "claim based authentication" or resource access token.

Claim based authentication - you could use e.g. a JWT token, which should contain some necessary information (user id, account id, authorization, expiration, ..) and is signed by a shared secret (between the main server and file servers) or by a private key from the main server.

Advantage is, that the edge server can validate the token based on the hash or signature without contacting the main server. Disadvantage is, that there must be logic to decide whether the user has access to the requested resource.

see: https://jwt.io/

Resource access token - this approach that is used some cloud storage providers (AWS S3, IBM Object Storage, ...) - the main site will return a resource URL with some extra parameters - e.g. account, nonce, expiration, signature. The resource (edge) server must check the expiration and signature and provide or deny the resource

Advantage is, that the edge server doesn't care about any authentication and the authentication and authorization is completely in scope of the main server. Disadvantage is, that the provided resource URL must have limited expiration time.

see: http://s3-expiry.50projects.com/

Note:

  • placing the condition that the resource server may not communicate with the main server effectively you're unable to check if the user is logged in, except using SAML SSO with SLO (single logout) or OIDC with session management
HoldOffHunger
  • 18,769
  • 10
  • 104
  • 133
gusto2
  • 11,210
  • 2
  • 17
  • 36
  • JWT look promissing and has a java library as well. Thanks I can build a schema upon your answer and @diginoise to authenticate a user at edge servers. I'll keep this thread open for few more days just to see if someone post a better solution.. thanks Gabriel – printfmyname Mar 11 '17 at 00:55