Welcome to another installment in my series covering changes to PDF management in ColdFusion 8. If you haven't read the earlier stories, please see the links below in the Related Entries section. Todays entry is about security. This will just be a high level overview of what you can do. Check the documents for more specific information.
At a basic level, there are three basic things we can do with CFPDF:
- Set a password for opening the PDF
- Set restrictions on the document
- Set the encryption style for the document
All of these feature uses the Protect value for the action attribute of cfpdf. Let's start with the first one. Now you have always been able to set a password for a PDF when using cfdocument. But if you want to add a password to a document than you would need to use cfpdf. Here is a very simple example:
<cfdocument format="pdf" name="mydoc">
<h2>Wit and Wisdom of Paris Hilton</h2>
<p>
This space left intentionally blank.
</p>
</cfdocument>
<cfpdf action="protect" source="mydoc" newUserPassword="password" destination="test.pdf" overwrite="true">
Remember what I said above - you can set a password directly in the cfdocument tag. I'm just using this so folks can cut and paste directly into their editor. So as you can see - I create a simple PDF with cfdocument. Next I use cfpdf with the protection action. I specified a password and a destination to save the file. If I try to open this PDF I'll get prompted to enter a password.
Next lets look at a simple permissions example. Let's say we want to make a PDF, but we don't want people to copy from the document or print it. (And let's pretend we don't know what a screen capture program is.) All I have to do is specify an owner password and a set of permissions. The owner password allows an owner to modify the security of the PDF and the permissions detail what is allowed. Unfortunately you cannot specify what isn't allowed, you can only specify what is allowed. So in order to block printing and copying, I have to pass everything else.
<cfdocument format="pdf" name="mydoc">
<h2>Wit and Wisdom of Paris Hilton</h2>
<p>
This space left intentionally blank.
</p>
</cfdocument>
<cfpdf action="protect" source="mydoc" newOwnerPassword="opassword" destination="test2.pdf" overwrite="true"
permissions="AllowAssembly,AllowFillIn,AllowModifyAnnotations,AllowModifyContents,AllowScreenReaders,AllowSecure"
>
The permissions I left out were: AllowCopy,AllowDegradedPrinting,AllowPrinting. If I open this PDF and try to copy text, I'll get a warning beep. The print option is grayed out.
Now for the final example. When you secure PDF documents, ColdFusion will encrypt them using RC4 128-bit encryption. Frankly that could have been BattleStar Galatica encryption as I know next to nothing about the various types of encryption. But if you are concerned about the level of encryption, you can specify it using the encrypt attribute. Valid values are: AES_128, RC4_128M, RC4_128, RC4_40, and None.
What are some practical examples of this feature? Well obviously it is a good way to secure normally open PDF documents. You can image your source PDFs being 100% open, and then creating secured PDFs for download. Something else you could do is modify the encryption level if your web site user is outside the US. (Again, I know next to nothing about encryption, but I seem to remember that some levels of protection can't be exported. So you could have a lesser secure version for international visitors.)
Archived Comments
Boggles me you can write openly about CF8 and no-one seems to be allowed to (NDA and all that).
They are very useful however and I hope you are on the CFWACK 8 team!
Peter - you are aware that you cna download CF8 from Labs, right? It has been open for a while now. You are only disallowed from blogging about what happens in the _internal_ testing program. Everything I've blogged about is open.
Except - I used toBinary in cfcontent to serve up a PDF. That doesn't work on the labs version. This was a mistake on my part and someone else noted it. I pinged Adobe and they said this was fine.
LOL... I love it: "This space left intentionally blank."
We'd like to develop a site where we present a blank PDF form to a user, have them fill out the form, then "give" the form back to Cold Fusion for processing. If errors are detected, alert the user, and give them a chance to edit the form.
Historically, Adobe has made editing of PDF files possible if you fill the form out and print it, but editing/saving of forms required expensive tools to do.
Has anything changed in this area?
I'm just getting into forms myself. I know CF8 lets you process the form post. But are you saying you want to reshow the form on error and put flags in it? Not quite sure if you could do that. But again - I'm learning this stuff as I post, so I _definitely_ could be wrong.
Raymond, users come to fill out a regulatory document and submit the document (PDF) to a state agency. Ideally, the user logs on, picks a PDF to fill out, we pre-fill all the standard stuff we can, then download the PDF to the user's computer/browser to fill out. The user fills the form out and posts the PDF back to the web site. We process the filled out form, and either accept it (if filled out properly) or repeat the process with the user (download to computer/browser, re-edit, re-upload) until the form is properly filled out.
Historically, what has precluded this from happening is that users use Acrobat Reader. For marketing/licensing reasons, Adobe requires users to have Acrobat to edit forms and save them in this way.
I'm wondering if, with the tighter integration of CF and PDF files, has Adobe made form editing possible to the masses who use Acrobat Reader, not Acrobat itself. My guess is no, which means web developers who don't control the client desktop still can't develop around the idea of users filling out PDF files online. But maybe I'm wrong - that is what lead to my post.
Kurt
Kurt, by "edit" do you mean fill out the form? I swear I remember filling out forms with just Reader.
This is going a bit far afield from the subject of this post, but Kurt, I think you'll find that CFPDFFORM (also new in CF8) does what you want. While Ray's not written about it yet, you can read about it yourself either by getting the docs (available free at the labs site, click the "product details" tab on the CF page), or via the CFQuickdocs site, which has a new version for CF8. Here's the link directly to the CFPDFFORM tag:
http://www.cfquickdocs.com/...
And Peter, really, many people are writing openly about CF8 (myself included). Ray's right: beta participants are not to write about anything discussed on the beta forums. Everything else is fair game--and the fact that the docs are so publicly available further testifies to this.
Still, since so many people never read the docs, blog entries like this are a great way to get people to learn about what's new. There's certainly a LOT in CF8! :-)
As for CFPDFFORM, I'm sure Ray will be writing about it soon. It'll be a great continuation of this series. Thanks again, Ray.
Hey Ray, great stuff as always, but here's something I've not been able to find an answer to: how can you REMOVE a password? I've not found a way. I've had to open a file protected this way in Acrobat, and set the "file>document properties" to have "no security" for the "security method". Was this just left out in CF8? Or have you heard it was for some reason impossible to do programmatically?
I haven't tried this - but did you try providing the old password, and setting new password to ""?
Sorry, should have yes, I'd try that. Thanks for the fast reply! :-)
So wait - did you try it? Or are you saying you will try it?
Failure in my english (just typing fast). Meant to use the past perfect participle. :-)
"I'd *tried* that".
In other words, no, setting the newOwnerPassword or newUserPassword to the empty string does NOT remove the security setting. Seems a one way trip. :-)
Would love to hear if anyone learns otherwise. :-)
I downloaded Acrobat 8 Professional for evaluation to try out it's forms creation/conversion features. It seems that with Version 7 and newer you get a separate product bundled (and integrated) with acrobat called LiveCycle Designer. You can click on the forms toolbar and it opens LiveCycle to convert your PDF to a dynamic form (you're no longer in acrobat). then if you want users that only have acrobat reader to fill out the form, save it and submit back to the server you can "distribute" the form using a wizard. This process switches you back to Acrobat to apply security and modify the submit button. I found this to be problematic (it seems to force an email submit), so when I found out what was going on I opened up my dynamic form in Acrobat and from the Advanced menu you can select "Enable Usage Rights in Adobe Reader" which will allow reader-users to save the form all filled out to be submitted or emailed later. Also, it doesn't mess up your submit button.
I am looking into the dynamic password protecting and was wondering two things about it.
1- can you set the file to open for the password ONLY IF the date is less than or equal to [whatever I set it]?
2- can I restrict the user from 'saving' the file? [grey out the save button]?
Thanks in advance
William
1) I do not think you can do date restrictions.
2) Save is not an option as far as I know.
hi ray,
nice article. do you know a way to access a password protected file via cfcontent?
what i need to do is ...
deliver a pdf for viewing online (in the browsers window) but when the user downloads the pdf he should not be able to open it (because he doesn't know the password)
any ideas?
thx!
reinhard
The thing is - if the user is viewing the pdf in their window, they have access to it. Period. (AFAIK) So at that point, it is too late. You can always provide them with a sample, like 1-5 pages, and have the full PDF password protected.
that's true. when the pdf is in the browser window the users has access. that is not the problem. i was thinking about finding a way to have the server provide the password for the user but not showing it to the user. so the pdf is opened and displayed when viewed with the browser (cf-app) but it is useless to save the document as the user never actually knew the password, so he can't reopen the pdf when the browser context is not available.
I don't think it works that way. Even if it did, once I recognized tht you had had done this, I (the bad guy) would simply cut and paste. Or if you blocked Copy, I'd print screen.
cut&paste would be disabled and print screen can't be blocked if something can be viewed. so this is okay.
i just need to have a possibility to pass the password to the pdf (programmatically with cf) when viewed with the browser ... any ideas?
Well you can always remove the password from the pdf using <cfpdf> and then pass that binary data to cfcontent. It would be a bit slow though.
Note that on my Mac, Firefox never views the PDF in browser. It _always_ downloads it.