Best practice is to create a servlet just like you described, place it in the same web application as your portlet and just link/redirect to it from the portlet. Because the servlet can share the session with your portlet (same web app), you can secure downloads with some kind of token id passed in the query string and a token placed in the session. You can even generate content displayed inside your portlet that way.
Refer to attachments in ForumsPortlet implementation.
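A download servlet implementing the token-in-session scheme from the answer above, as an added example (not code from this thread or from ForumsPortlet). It assumes the javax.servlet API, a shared session attribute named `downloadToken`, an attachments directory of `/var/webapp/attachments`, and `token`/`file` query parameters; all of these are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureDownloadServlet extends HttpServlet {
    static final String TOKEN_ATTR = "downloadToken";      // assumed attribute name
    static final Path BASE_DIR = Paths.get("/var/webapp/attachments"); // assumed location

    // Portlet side: mint a random token, keep it in the session, put it in the link.
    // From a PortletSession this is setAttribute(TOKEN_ATTR, token, APPLICATION_SCOPE),
    // which the servlet in the same web app sees on its HttpSession.
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create a session here
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String supplied = req.getParameter("token");
        // A leaked URL alone is useless: the token only matches inside the issuing session.
        if (expected == null || supplied == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Resolve the requested name under BASE_DIR and refuse anything that escapes it.
        String name = req.getParameter("file");
        Path target = name == null ? null : BASE_DIR.resolve(name).normalize();
        if (target == null || !target.startsWith(BASE_DIR) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + target.getFileName() + "\"");
        Files.copy(target, resp.getOutputStream());
    }
}
```

The portlet builds the link as `/download?file=<name>&token=<issueToken(session)>`; the servlet compares the token with a constant-time check and only then serves the file.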
Ok, I will try that! Thanks for the quick answer!