Protecting PDF files



Use the protect action to password-protect, set permissions, and encrypt PDF documents for security.

Setting passwords

ColdFusion supports two types of passwords: an owner password and a user password. An owner password controls the ability to change the permissions on a document. When you specify an owner password, you set permissions to restrict the operations users can perform, such as the ability to print a document, change its content, and extract content. The following code creates an owner password for a document:

<cfpdf action="protect" newOwnerPassword="splunge" source="timesheet.pdf" 
    destination="timesheet.pdf" overwrite="yes" permissions="AllowPrinting">

To password-protect a document, set the user password. A user password controls the ability to open a document. If you set a user password for a document, any person attempting to open the file is prompted to enter a password. The following example sets the user password for a document:

<cfpdf action="protect" newUserPassword="openSesame" source="timesheet.pdf" 
    destination="myTimesheet.pdf">

In the previous example, no restrictions apply to the PDF document after the user enters the correct password. To restrict usage and password-protect a document, add a user password and an owner password. Use the owner password to set the permissions, as the following example shows:

<cfpdf action="protect" newUserPassword="openSesame" newOwnerPassword="topSecret" 
    source="timesheet.pdf" destination="myTimesheet.pdf" overwrite="yes" 
    permissions="AllowPrinting>

In the previous example, a person who enters the user password (openSesame) can print the document only. A person who enters the owner password (topSecret) is considered the owner of the document, has full access to the file, and can change the user permissions for that file.

Setting permissions on a PDF document

To set permissions on a PDF document, specify a newOwnerPassword. Conversely, you cannot set the newOwnerPassword without also setting the permissions attribute. Only an owner can change permissions or add passwords. For a list of permissions that an owner can set for PDF documents, see cfpdf in the CFML Reference.

Except for all or none, owners can specify a comma-separated list of permissions on a document, as the following example shows:

<cfpdf action="protect" permissions="AllowinPrinting,AllowDegradedPrinting,AllowSecure" 
    source="timesheet.pdf" newOwnerPassword="private" newUserPassword="openSesame" 
    destination="myTimesheet.pdf">

In this example, a user must enter the password openSesame before opening the PDF form. All users can print the document at any resolution, but only the owner can modify the document or change the permissions.

Encrypting PDF files

When you specify the protect action for a PDF file, ColdFusion encrypts the file with the RC4 128-bit algorithm by default. Depending on the version of Acrobat running on the ColdFusion server, you can set the encryption to protect the document contents and prevent search engines from accessing the PDF file metadata.

You can change the encryption algorithm by using the encrypt attribute. For a list of supported encryption algorithms, see cfpdf in the CFML Reference.

The following example changes the password encryption algorithm to RC4 40-bit encryption:

<cfpdf action="protect" source="confidential.pdf" destination="confidential.pdf" 
    overwrite="yes" newOwnerPassword="paSSword1" newUserPassword="openSesame" 
    encrypt="RC4_40">

To prevent ColdFusion from encrypting the PDF document, set the encryption algorithm to none, as the following example shows:

<cfpdf action="protect" source="confidential.pdf" encrypt="none" destination="public.pdf">

To decrypt a file, provide the owner or user password and write the output to another file. The following code decrypts the confidential.pdf file and writes it to a new file called myDocument.pdf:

<cfpdf action="write" source="confidential.pdf" password="paSSword1" 
    destination="myDocument.pdf">