securing files by putting them behind a secured network connection

Question

I'm developing an desktop application in JAVA (J2SE).
my App. stores some data about users. the App. is multi user and will be installed on a single station.
each user can have some documents that should be stored in file-system (e.g. image, audio, ...)
I need to protect these files from be accessed directly by unauthorised users.
Users are defined in app itself (i need files be accessible only via application)

How can I protect these files from unauthorised access?

I thought about storing files in another system and access them via network.
How Can I do this (store/ retrieve files in a secured network computer) in JAVA?

Is this a good method? any better solution?

Thanks

EDIT:
decription:
My users are defined in application: all users use same computer; all users login with the same username in OS; each user logs in app with their own user/pass; each user should have access to files that application decides.
So users must not be able to open a file-manager and traverse through directories that files are stored in & copy them (while doesn't have access to them)

Answer 1

Instead of rolling out your own security solution - which will be cumbersome, almost certainly buggy, and with a high probability vulnerable to various attacks - simply use the Operating System's filesystem permission.

The easiest way to do that is to write your user data to the home directory of the current user. Other users will not be able to access it unless the user explicitly configures the directory's permissions to allow them.

If you want, you can also further restrict the permissions of your directory.

Answer 2

One option would be to use SFTP. This way you can leverage the SFTP security features. But off course this will need some plumbing code to be written around it.

Answer 3

Since all users use the same OS login account, it is impossible to use OS's facilities to enforce access control, since the OS recognizes everyone as one person. I can only think of one (not-so-good, or quite bad actually) solution that doesn't require another computer: encrypt the files with each of the user's password. However, this means that all the files have to be re-encrypted every time the user changes password, which introduces unacceptable delays and uses a lot of computational power.

There are plenty of other methods to hide the information from the user and only allow access from your program. Hiding can prevent most mediocre users from accessing data, but determined people with programming skill will be able to make the data accessible. A simple example is to xor all the bytes in the program, and/or permute the bytes with a number of fixed pattern. If the data is not that critical, this is a possible "solution".

I am not sure if there are any other method without requiring another computer.

So that leaves only the option of storing the information on a separated computer. I think it is possible, but I don't know the details here.

---

Then there is this problem: user A opens a file from his app account, work with it, then he logs out of the app account, and logs out of common OS account, then user B logs into the common OS account. You have to make sure that after user A logs out of app account, user B cannot see the file user A was working on.

I am not sure if this should be taken care of the app or not.