JWT Authentication Tutorial: Example Using Spring Boot

Like @awzurn already explained, in the absence cookies one would need to to pass token through the URL (Signed URL).

Ideally, that token would contain only permission to download that specific file for certain period of time. That said, one additional filter would have to be implemented to look for token in the URL.

I believe that Amazon S3 is doing the same with signing URL requests for file download (http://docs.aws.amazon.com/AmazonCloudFront/latest/Developer... and http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentic...)

topaxi9y ago

If you don't mind downloading the whole file into the browsers memory this should do:

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequ... https://developer.mozilla.org/en-US/docs/Web/API/URL/createO...

And then programmatically click the object URL.

ben_jones9y ago

Random idea: inject invisible img element and return the src in the Ajax element. Then grab the downloaded image directly from the div?

revicon9y ago

That sounds like you leak JWTs into your log files

JWT Authentication Tutorial: Example Using Spring Boot (opens in new tab)

JWT Authentication Tutorial: Example Using Spring Boot (opens in new tab)

6 comments

6 comments