Hi All,
I have two questions regarding ACS url which are as below.
Once we have generated the ACS url for a specific document and launch it either in the browser or through a program, does it validate the user permissions on launch of the url? The reason I ask this question is that I assume the user's read permission is validated when we try to retrieve the ACS url. Once the url is generated, I guess it doesn't validate the user permission on launch of the url. The reason I ask is that we would like to avoid a use case where an ACS url is generated by a user who has access rights and then it is shared with someone else who is not authorized to see the document.
Is there a way to ensure that ACS url could be used only once and it expires or becomes unusable after its first usage?
Thanks in advance!
1> When you access the ACS url, it will still check the permissions for the user. 2> The ACS url is active for 360 minutes by default. This value can be controlled with the flag: repository.validation.delta in acs.properties file. Hope this helps:)
@Hari_Gadhamsetty said: 1> When you access the ACS url, it will still check the permissions for the user.
How would ACS do that? It doesn't know who the user is since ACS doesn't authenticate requests. Anyone can use the URL to access the document as long as it hasn't expired.
Do you understand the purpose of ACS - it is purely for performance reasons? What you are describing in #2 is not a "cache" use case. What client are you using? If you are using a custom app, you can control access to the content via your app.
@DCTM_Guru said: Do you understand the purpose of ACS - it is purely for performance reasons? What you are describing in #2 is not a "cache" use case. What client are you using? If you are using a custom app, you can control access to the content via your app.
I don't think that this was the purpose of Pavan's question. The background of this question is probably that someone could hijack ACS URLs and use them to get access to unauthorized documents. It's a legitimate concern and it's a shame that ACS is not more secure. If you mention this to OpenText, they will tell you to turn off ACS (as with any problem with ACS).
"If you mention this to OpenText, they will tell you to turn off ACS (as with any problem with ACS)."
One more thing to add to Pavan's question: on a past project, we actually created a servlet (similar to ACS) that would serve a document only once via a token from our custom app.
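As an added illustration of the single-use token idea described in the post above (example code written for this thread, not the poster's servlet and not any Documentum or ACS API): a small Python token service that, after the application has already checked the user's read permission, issues an HMAC-signed token for an object id that expires after a short window and can be redeemed exactly once. The class, method names, secret, TTL and object ids are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import threading
import time


class OneShotTokenService:
    """Issue content-download tokens that are short-lived and redeemable exactly once.

    Unlike a plain time-windowed URL, a token that has been handed to a second
    person is useless once the first download has consumed it.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 300, clock=time.time):
        self._secret = secret          # constructed: server-side signing key
        self._ttl = ttl_seconds        # validity window, much shorter than a cache window
        self._clock = clock            # injectable for deterministic tests
        self._lock = threading.Lock()
        self._pending = {}             # token id -> (object id, user, expiry)

    def issue(self, object_id: str, user: str) -> str:
        # The caller has already verified that `user` may read `object_id`;
        # this service only binds that decision to a one-shot bearer token.
        token_id = secrets.token_urlsafe(16)
        expires = int(self._clock()) + self._ttl
        payload = f"{token_id}.{object_id}.{expires}"
        sig = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        with self._lock:
            self._pending[token_id] = (object_id, user, expires)
        return f"{payload}.{sig}"

    def redeem(self, token: str):
        """Return the object id to serve, or None if the token is invalid, expired or already used."""
        try:
            token_id, object_id, expires_str, sig = token.split(".")
            expires = int(expires_str)
        except ValueError:
            return None
        payload = f"{token_id}.{object_id}.{expires}"
        expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                # tampered object id, expiry or signature
        with self._lock:
            entry = self._pending.pop(token_id, None)   # pop atomically: a second redeem finds nothing
        if entry is None or entry[0] != object_id or self._clock() > expires:
            return None                # unknown/used token, mismatched object, or past expiry
        return object_id
```

In a multi-node deployment the pending-token store would live in shared storage (a database or cache) rather than in process memory so that the once-only guarantee holds across servers.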