How can the WebViewer securely obtain the XOD password used in decryption?

374 views
Skip to first unread message

Kevin Kuo

unread,
Mar 11, 2013, 6:14:14 PM3/11/13
to pdfnet-w...@googlegroups.com
Q: In the WebViewer sample for encryption, a dialog prompts users to enter the document password.
How I can securely get this password from my server?

A: You can do this by making an AJAX request to your own server, through HTTPS.
Below is a modified config.js from the encryption sample.
The AJAX request is completely under your control, so you can implement your own server authentication for added security.


e.g.
//Override the LoadDocument function for decryption
ReaderControl.prototype.LoadDocument = function(doc, streaming) {
    console.log("loadDocument encrypt override");
    
    var me = this;
    
    var decryptDocument = function(password) {
        try {
            var decrypt = window.CoreControls.Encryption.Decrypt;
            
            var partRetriever = new window.CoreControls.PartRetrievers.HttpPartRetriever(doc, true, decrypt, {
                password: password, 
                type: 'aes',
                error: function(error) {
                    alert(error);
                }
            });

        } catch(err) {
            console.error(err);
        }
        
        me.docViewer.LoadAsync(partRetriever);
    };

//Make a secure HTTPS request to your server to fetch the XOD password
$.ajax({
type: "POST",
data: {username: "...", password: "..."} //you can do your own user authentication here
}).done(function(data){
var password = data;
decryptDocument(password);
}).fail(function(jqXHR, textStatus){
//failed to fetch XOD password
});
};

Aaron

unread,
Nov 8, 2016, 4:28:56 PM11/8/16
to PDFTron WebViewer
You can enable the same functionality within PDF WebViewer / PDFNetJS.


There is a getPassword(callback) function on ReaderControl that can be overloaded to do whatever you want. For example:

readerControl.getPassword = function(callback) {
callback("DavidIsThePass");
}

You should be able to change this in the config file.

This is the exact statement since it needs to be called on viewerLoaded event:
$(document).on('viewerLoaded', function() {
  readerControl.getPassword = function(callback) {
    callback('enter password here');
  };
});









 


 
Reply all
Reply to author
Forward
0 new messages