Solved

Need to stream a hidden PDF to a new window via IntraWeb/Javascript

Posted on 2004-10-29
Last Modified: 2008-01-09
From a web app (written in Delphi 7.1 w/IntraWeb 7.2), I need to be able to open a PDF in a new window while providing no means of accessing the PDF except via the app (i.e., web user can't just plug in a url and go directly to the file).

Currently, I'm simply opening a new window with the desired PDF.  This has a multitude of flaws:

1. It displays the url to the PDF in the new window, and even disabling the address/toolbars & redirecting things through a static html page to tidy up the title bar provides no defense against a simple Ctrl-N, which puts things back to square one.

2. The PDF url shows up in the browser history.

3. After clicking the button that opens the new window with the PDF, if you view the source on the app window, you can locate the Javascript call that opened the new window, and of course it shows the url parameter it's sending.

After viewing PAQ Q_20138297, it looks like the best solution is to use streams.  Alas, said PAQ was in the ASP section, and I confess to having -zero- knowledge in that arena and very little knowledge of Javascript, so I'm unsure of how to code this.

What I *REALLY* am hoping I can do is to store the PDF files somewhere on the server that my app can see but the outside world cannot (is this possible?), and then when a PDF is requested, have my app stream it to a new window, hopefully closing the gaping security holes noted above.

This is a very urgent matter and the complete solution is well worth 500 points, in my estimation.  I suspect the first (and hardest) step will be to code the solution in Javascript, but ultimately I need a Delphi/Intraweb-coded solution.
0
Question by:cherrylan
    16 Comments
     
    LVL 31

    Expert Comment

    by:seanpowell
    Hi,

    I'm afraid I don't use Delphi/Intraweb, so I can't be of any help there. I can show you how to password protect an area of the site and then stream the pdf's with asp, but I'm not sure if that's going to get you where you need to go.

    Perhaps in combination with the experts at http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/

    Have you explored that area of EE to see if there was any response?

    Sean

    0
     

    Author Comment

    by:cherrylan
    Hi Sean,

    I wasn't sure if my question was more appropriate for this area or the Delphi area and since it's my understanding that questions are not to be double-posted, I picked this topic area.  (EE newbie, first question!)

    Regarding Intraweb, although the documentation is unfortunately quite sketchy, there *is* a way to embed Javascript, which is in fact how I'm currently opening PDFs in a new window, which is why I thought this would be the way to go in terms of crafting a solution.

    As for asp, I'm always willing to try learning, but I'll ask for your patience in advance if I ask a lot of silly questions, though - my expertise is in standalone apps, NOT web development.  Intraweb provided a handy wrapper to migrate my application to the web and has performed admirably, but the nature of the web has presented me with this unexpected security problem.  Let me clarify the current situation a bit: My app gets compiled as a dll and runs on Windows 2003 servers at my customers' sites.  All of my current customers use IIS; most do not have IT departments, so I can't use a solution that would require IT monitoring/intervention.

    George
    0
     
    LVL 11

    Expert Comment

    by:huntersvcs
    Why don't you just download the pdf instead of opening it locally?  That way - no link!  Sorry, but I just got here.  I have a website that also opens pdf's statically (address is seen) but I believe you can change the link from open to download.
    0
     
    LVL 10

    Expert Comment

    by:frugle
    There is no feasible way of using a browser to give anyone any type of file without giving away the location of the file that is being delivered. This is a security feature - it's just how the web works.

    The only solution I can see is to embed a pdf viewer within your application and disable the properties dialogues.

    Mike
    0
     

    Author Comment

    by:cherrylan
    To huntersvcs:

    I've already tried sending the pdf file instead of opening it in a new browser window.  You're correct in that that eliminates the link since it opened directly in Acrobat instead of a browser, but (at least when I tried doing) it has the undesirable side effect of prompting the end-user to open the document, which could get ugly, particularly in a batch-open mode.  My app tended to freeze up when I tried that tack - probably a bug on my end but because of the prompting issue I began exploring other possible solutions.  If there's a way to send the file w/o forcing the end user to confirm, this might be okay, but I'm thinking that the pdf would still have to be sent as a stream rather than as a file, else the user can simply click the send button and then view source on the app to see where the file was pulled from.  I could of course copy the original to a temp location and then send *that* file, but I'd prefer to avoid the use of temp files if I can.

    To frugle:

    In PAQ Q_20138297, it sounds like a solution was arrived at by using streams and ASP - unfortunately I don't know the first thing about ASP, but this solution evidently took care of the url issue, both in the browser and the browser's history.  The pdf can't be opened in the app window, since the end user needs to be able to open an arbitrary number of files at once, which of course requires that they open in their own windows.

    --

    Certainly, it would be possible to create a temp copy of the original pdf and send that, but it just seems that streams would be a lot cleaner, and wouldn't require a secondary app to monitor & clean up temp files.

    --

    To seanpowell:

    I'm definitely interested in seeing what you had in mind for a solution.  It might be a bear to get things in such a form that I can code & compile them on this end, but hey - one step at a time.

    George
    0
     
    LVL 49

    Expert Comment

    by:Roonaan
    0
     
    LVL 11

    Accepted Solution

    by:
    This site offers different methods of hiding scripts.  I didn't want to just copy the code - there may be other things you can use from them as well!

    http://www.siteexperts.com/tips/hideit/theCode.asp

    Hope this helps.
    Rick
    0
     

    Author Comment

    by:cherrylan
    To Roonaan & huntersvcs:

    Remember guys, I'm a pro standalone app guy but an absolute neophyte in the web scripting world - I hate to admit it, but at present I don't even know what asp *is*, exactly, let alone understand how to use it or know what if any tools I need in order to employ it.  At present, my app is 100% compiled Delphi code (runs as a dll on the server) with a single embedded Javascript command which opens a new window with the desired pdf:

      AddToInitProc('NewWindow("' + UserSession.RootUrl + UserSession.PDFUrl + '","","")');

    Although my web development tools are unfortunately not well-documented, it seems it is possible to define and embed custom Javascript routines in the code, but if the solution involves asp, I'm afraid I'll need the "long winded" version.

    As far as hiding my code is concerned, the only thing I *really* care about hiding is the pdf url, and I *think* that streaming the pdf instead of passing the url should take care of it.  I'll keep experimenting on this end...

    George
    0
     

    Author Comment

    by:cherrylan
    To all:

    Alas, the approaching deadline for my project is forcing me to choose a practical solution over an elegant one for the time being.  I'll simply copy the pdfs to a temp directory and open new windows with urls to the temp files, then run a sweeper program 1/day to clean out the temp directory.  I'm convinced there's a much cleaner way of doing this, and if anyone can figure out how, I'm all ears - but for the time being I'll just code what I consider a "down and dirty" solution.

    I'm still interested in solving the problem via Intraweb w/o temp files, though....

    George
    0
     
    LVL 2

    Expert Comment

    by:MatrixDweller
    I don't know how to do it in Delphi but in C++ I would read the PDF into the server's memory and then send the file via a http stream to the client. The same way you would output HTML that's stored in a string to the client except you would need to set the header appropriately so the client's browser knows it's a PDF and not HTML. In ISAPI you can specify all that stuff in the HTTPContext. I'm sure Delphi has similar mechanisms.

    If the PDF is generated by Crystal Reports you can send the file via a stream to begin with, which doesn't save a file to disk.
    0
     

    Author Comment

    by:cherrylan
    In recent days I was finally able to correspond with one of the developers of the IntraWeb tools, and he basically stated that there's no way to accomplish what I wanted to do, since a new window MUST have a URL to load content from.

    However, I think I *have* come up with a solution that will work, which is to log the PDF request in a database and then open a new window which loads a second program, passing log file index data unrelated to the PDF file name as parameters, and have the second program do nothing more than verify the log entry, retrieve and stream the PDF in its own window, and then delete or flag the log entry.

    If I'm thinking about this correctly, that should completely solve the issues as I presented them initially:
     - the PDFs can reside in "safe storage" - either a non-public directory or as records in a database
     - although the program is broken into two dlls, data can be streamed by the second program since it has its own window
     - this eliminates the need for any temp files or sweeper processes
     - an end user cannot simply pass parameters to the second dll and retrieve PDFs directly, because it can't locate a PDF unless the first process has posted a log entry matching the parameters sent, and the log entry is deleted or invalidated as soon as the PDF is retrieved.

    As things stand, I've long since coded up a solution using temp files, but when time permits I intend to try my idea out - just looking at the logic, I think at this point it'll prove pretty easy to code.
    0
     
    LVL 2

    Assisted Solution

    by:MatrixDweller
    I have read in TIFF, JPG and other image and file formats that reside on a different server, outside of web services reach, with ISAPI and outputted the binary data to the clients browser in a new window ( setting the header accordingly ). It actually speeds up the process huge because you eliminate more than half of the disk access that is normally used.

    read file->copy file to new location->iis reads file->iis sends file->delete file
    becomes
    read file->iis sends file via your app

    It's actually pretty easy to do and I'm sure any web programming language accommodates it.

    Of course the new window would be a location to my isapi dll but coded properly the link that launches the window would include some sort of validation key. That validation key could reside in a flat file/db ( delete it when the pdf is outputted ) or could be generated from the time and expire within a set amount of time ( ~5 minutes ).
    0
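
The scheme proposed in the two posts above (a logged request that a second program verifies and invalidates, and a validation key that is deleted on use or expires after about five minutes), as an added example that is not part of the original thread and is not IntraWeb or ISAPI code. It is a Python sketch of the ticket logic only; the document table, file name, private directory and function names are hypothetical, and the in-memory dict stands in for the database log.

```python
import secrets
import tempfile
import time
from pathlib import Path

TTL_SECONDS = 300  # "~5 minutes", as suggested in the thread

# Constructed sample data: a private directory outside any web root,
# holding one stand-in PDF. All names and paths here are hypothetical.
PRIVATE_DIR = Path(tempfile.mkdtemp(prefix="private_pdfs_"))
(PRIVATE_DIR / "invoice-0001.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n%%EOF\n")
DOCUMENTS = {17: "invoice-0001.pdf"}  # internal id -> file name, never sent to the client

_tickets = {}  # ticket -> (doc_id, expiry time); stands in for the "log" table


def issue_ticket(doc_id, now=None):
    """First program: log the request, return an opaque value for the new window's URL."""
    if doc_id not in DOCUMENTS:
        raise KeyError(doc_id)
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(32)  # random, unrelated to the file name
    _tickets[ticket] = (doc_id, now + TTL_SECONDS)
    return ticket


def redeem(ticket, now=None):
    """Second program: verify the log entry, invalidate it, build the HTTP response."""
    now = time.time() if now is None else now
    # Remove the entry before doing anything else so a ticket is single-use.
    # With a real database this must be one atomic delete-and-return step.
    entry = _tickets.pop(ticket, None)
    if entry is None or now > entry[1]:
        return 404, {}, b""  # unknown, already used, or expired
    doc_id, _expiry = entry
    body = (PRIVATE_DIR / DOCUMENTS[doc_id]).read_bytes()
    headers = {
        "Content-Type": "application/pdf",  # tells the browser this is not HTML
        "Content-Disposition": "inline",
        "Cache-Control": "no-store",
        "Content-Length": str(len(body)),
    }
    return 200, headers, body
```

The URL of the new window then carries only the ticket, so the address bar, browser history and page source reveal a value that no longer resolves to anything once the PDF has been streamed.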
     
    LVL 11

    Expert Comment

    by:huntersvcs
    Split ?
    0
     
    LVL 2

    Expert Comment

    by:MatrixDweller
    I'd go for the split
    0
     
    LVL 11

    Expert Comment

    by:huntersvcs
    Agree.
    0
     
    LVL 11

    Expert Comment

    by:huntersvcs
    0
