Shared access signatures for blob

  • Tuesday, November 03, 2009 1:25 PM HirschFlo
    Hello,

    I'm trying to create an app for which a user should be registered and then has the possibility to save some blob objects. So far no problem; now I want the saved blobs to be only "visible" and accessible to the one who saved them in the blob storage. I thought about using shared access signatures. Is this the technique I have to use or not?

    Another question: if a user clicks my LinkButton a PDF file opens (the container is public). I do this with Response.Redirect(uri of blob). Problem: the whole address of the PDF is in the address bar. So if I copy this address out, log out and then paste the address of the blob into the address bar, the PDF opens without any problem... Will this problem also be solved by implementing shared access signatures?

    greatz
    flo
    Yes, i'm living in the cloud

Answers

  • Tuesday, November 03, 2009 2:13 PM bwc;
    Hi flo,

    You could use a shared access signature for this; it depends on how secure you want them to be. The point of the shared access signature is that it lets whoever knows the URI (including the signature) of the resource access the resource without having to use an authorization header (i.e. without a custom client). So you can send the signed URI of a resource to the user and they'll be able to use it in Internet Explorer.

    The security concern here is that if that person distributes the URL, they also distribute the signature and thus the ability to access the resource. This is exactly the point of them: standard clients can access the resource easily and the link is all the authorisation you need.

    You'll be able to use this technique, but be sure your users know that they must keep their URL to themselves! However, I believe you're already implementing a custom login mechanism (you mention logout), so it may be a better and more secure approach to stream the file to the user using ASP.NET, checking that they are logged in and have access to the file by using some logic and maybe table storage.

    As to your other question, not quite. Shared access signatures here will still let people download your resource without having to authenticate, as the authentication code is in the URL. Instead, as above, a more secure approach is to stream the file from blob storage having checked that the user is logged into your ASP.NET application. This could be achieved using the StorageClient rather than Response.Redirect.

    http://blog.smarx.com/posts/new-storage-feature-signed-access-signatures

    Thanks
    BWC;
    • Marked As Answer by HirschFlo Wednesday, November 04, 2009 3:00 PM
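
Added example (not part of bwc's answer and not code from the thread): a Python model of the signed-URL scheme bwc describes, so the "the link is all the authorisation you need" point can be seen in a running check. The account name, key, container and blob name are constructed for the demonstration, and the string-to-sign layout (permissions, start, expiry, canonicalized resource, signed identifier, newline separated) is modelled on the 2009 SAS format; this is not a client for the real storage service.

```python
"""SAS-style signed URLs: the signature in the query string is the whole
credential, so whoever holds the URL holds the access."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample account for the demonstration (not a real key).
ACCOUNT = "demoaccount"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _string_to_sign(perm, start, expiry, canonical_resource, identifier=""):
    # Field order modelled on the 2009 SAS string-to-sign.
    return "\n".join([perm, start, expiry, canonical_resource, identifier])


def _sign(string_to_sign, account_key_b64):
    # HMAC-SHA256 keyed with the decoded account key, base64-encoded result.
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_sas_url(container, blob, perm, start, expiry, account=ACCOUNT, key=ACCOUNT_KEY):
    """What the application hands to the user: resource URL plus signed query."""
    canonical = f"/{account}/{container}/{blob}"
    sig = _sign(_string_to_sign(perm, start, expiry, canonical), key)
    query = urlencode({"sp": perm, "st": start, "se": expiry, "sr": "b", "sig": sig})
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{query}"


def check_sas_url(url, now_iso, account=ACCOUNT, key=ACCOUNT_KEY):
    """The storage-side decision. Note what is NOT an input: who the caller is."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    canonical = f"/{account}{parts.path}"
    expected = _sign(
        _string_to_sign(q.get("sp", ""), q.get("st", ""), q.get("se", ""), canonical), key
    )
    # Constant-time comparison; any edit to sp/st/se or the path breaks the MAC.
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return "denied: bad signature"
    # ISO-8601 UTC strings in one fixed format compare correctly as strings.
    if not (q.get("st", "") <= now_iso < q.get("se", "")):
        return "denied: outside validity window"
    return f"granted: {q['sp']} on {parts.path}"


def demo():
    """Signed read-only URL valid for 30 minutes, then the ways it can be presented."""
    url = make_sas_url(
        "ebooks", "flo/manual.pdf", "r", "2009-11-03T14:00:00Z", "2009-11-03T14:30:00Z"
    )
    return {
        # The owner and a stranger who copied the URL get the same answer:
        # the check never sees a user identity or a login session.
        "owner": check_sas_url(url, "2009-11-03T14:10:00Z"),
        "stranger_with_copied_url": check_sas_url(url, "2009-11-03T14:10:00Z"),
        # The only lever the application keeps is the validity window ...
        "after_expiry": check_sas_url(url, "2009-11-03T15:00:00Z"),
        # ... and the holder cannot extend it or widen the permission,
        # because both fields are covered by the signature.
        "tampered_expiry": check_sas_url(
            url.replace("se=2009-11-03T14%3A30%3A00Z", "se=2010-01-01T00%3A00%3A00Z"),
            "2009-11-03T15:00:00Z",
        ),
        "tampered_permission": check_sas_url(url.replace("sp=r", "sp=rw"), "2009-11-03T14:10:00Z"),
    }
```

The "owner" and "stranger_with_copied_url" entries come out identical, which is the whole concern in the thread: once the URL leaves the intended user, the storage side cannot tell. What the issuer does control is how long the link lives and which permissions it carries, so short expiries and read-only permission are the mitigations, not a substitute for checking the session in your own application.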
  • Wednesday, November 04, 2009 3:00 PM HirschFlo
    I solved the problem with the fully qualified name of the ebook shown in the address bar by using the following code:

    // requires: using System.IO; using Microsoft.Samples.ServiceHosting.StorageClient;

    // only a logged-in user may reach this code path; the blob URI itself never
    // reaches the browser, so a copied address is useless after logout
    if (!User.Identity.IsAuthenticated)
    {
        Response.StatusCode = 403;
        Response.End();
        return;
    }
    // (the check that this user owns MyFile.Filename, e.g. via table storage, goes here)

    // create container to get properties and byte stream of saved ebook
    BlobStorage blobStorage = BlobStorage.Create(StorageAccountInfo.GetDefaultBlobStorageAccountFromConfiguration());
    BlobContainer blobContainer = blobStorage.GetBlobContainer("test");
    BlobProperties prop = new BlobProperties(MyFile.Filename);

    // CreateContainer returns false if it already exists; Private is enough
    // here (as noted later in the thread) since the app streams the bytes itself
    blobContainer.CreateContainer(null, ContainerAccessControl.Private);

    // check if blob MyFile.Filename exists in Storage
    if (blobContainer.DoesBlobExist(prop.Name))
    {
        Stream pdfStream = new MemoryStream();
        var contents = new BlobContents(pdfStream);

        // get data out of Storage
        blobContainer.GetBlob(prop.Name, contents, false);

        // get the Content of saved file in byte[]
        byte[] baPdf = contents.AsBytes();

        // set ContentType of file to open and send the bytes to the browser
        Response.Clear();
        Response.ContentType = "application/pdf";
        Response.BinaryWrite(baPdf);
        Response.End();
    }
    else
    {
        Response.StatusCode = 404;
        Response.End();
    }
    
    greatz,
    flo

    Yes, i'm living in the cloud
    • Marked As Answer by HirschFlo Wednesday, November 04, 2009 3:00 PM

All Replies

  • Tuesday, November 03, 2009 2:25 PM HirschFlo
    Yeah, I'm using table storage, but how can I stream the saved PDF to the user?

    For that I have to get the binary out of the blob storage; how do I have to do this? Before I used this Response.Redirect() I wanted to do it like you described, but I did not know how to 1. get the needed data out of the blob storage and then 2. stream it to the user who is logged on...

    I want to implement the maximum possible security for my saved PDF files; because of that I thought about shared access signatures and already read the blog post from Steve you mentioned. My two problems are mentioned above ;-) They may sound easy, but I can't catch the solution...

    So if I use shared access signatures, and a user gives the address of a blob to another one, I cannot avoid that the unauthorized user accesses the file?

    greatz
    flo

    Yes, i'm living in the cloud
  • Tuesday, November 03, 2009 3:03 PM bwc;
    Hi Flo,

    That's right: as soon as the URL is "in the wild", you've lost control over who can access it. It's a valuable tool, but it has its own place and you must be careful how you use it.

    So in order to get the data needed out of blob storage, use the StorageClient utility, then get its bytes and write them to the Response.OutputStream.

    I don't have any source code to hand, but this post has a pretty good example (spot the error though! so check the answer) of how to download a blob.

    http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/bc83bf22-c02f-4246-965e-7379f6778355

    Sorry I couldn't pull together a better example

    BWC;
  • Tuesday, November 03, 2009 3:37 PM HirschFlo

    No problem, so far you have helped me. Will report after I've finished my work.

    greatz
    flo
    Yes, i'm living in the cloud
  • Wednesday, November 04, 2009 3:01 PM bwc;

    Absolutely spot on!

    The only other thing to point out is that you may consider using the Content-Disposition header to control how the file is opened (i.e. in Acrobat Reader or within IE with the Acrobat plugin for IE).

    For in IE (inline):

    Response.AppendHeader("Content-Disposition", "inline; filename=myfile.pdf");

    For in Acrobat (attachment):

    Response.AppendHeader("Content-Disposition", "attachment; filename=myfile.pdf");

    Thanks BWC;
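
Added example (not part of bwc's or flo's posts, and not the thread's ASP.NET code): a Python model of the "stream it yourself" design from flo's code above together with bwc's Content-Disposition note, so the authorization decisions can be run end to end. The blob store and the owner index are in-memory stand-ins for the blob container and the table storage lookup the thread mentions; the blob names, owners and bytes are constructed sample data.

```python
"""Serving a private blob through the application instead of redirecting to its
storage URL: the app authorizes, fetches and streams, and the browser never
learns an address that works without the session."""
import re

# Constructed stand-in for the "ebooks" container: blob name -> bytes.
BLOB_STORE = {
    "flo/manual.pdf": b"%PDF-1.4 (flo's constructed sample file)",
    "anna/thesis.pdf": b"%PDF-1.4 (anna's constructed sample file)",
}
# Constructed stand-in for the table-storage index: blob name -> owning user.
OWNER_INDEX = {
    "flo/manual.pdf": "flo",
    "anna/thesis.pdf": "anna",
}

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(blob_name):
    """Last path segment only, reduced to a safe charset, so a user-chosen name
    cannot smuggle CR/LF or quotes into the Content-Disposition header."""
    base = blob_name.rsplit("/", 1)[-1]
    cleaned = _UNSAFE.sub("_", base)
    return cleaned or "download.pdf"


def serve_pdf(session_user, blob_name, disposition="attachment"):
    """Returns (status, headers, body). Authorization runs before any storage call."""
    if session_user is None:
        return 401, {}, b""  # no login, no lookup
    owner = OWNER_INDEX.get(blob_name)
    if owner is None or owner != session_user:
        # Same answer for "not yours" and "does not exist": a logged-in user
        # cannot probe which blob names other users have stored.
        return 404, {}, b""
    data = BLOB_STORE.get(blob_name)
    if data is None:
        return 404, {}, b""  # indexed but missing from the container
    if disposition not in ("inline", "attachment"):
        disposition = "attachment"
    headers = {
        "Content-Type": "application/pdf",
        "Content-Length": str(len(data)),
        # inline: open in the browser plugin; attachment: hand to Acrobat Reader.
        "Content-Disposition": f'{disposition}; filename="{safe_filename(blob_name)}"',
    }
    return 200, headers, data
```

Because the response is built by the application, the only URL the user ever sees is the application's own handler, which is worthless without a valid session; the storage container can therefore stay private. The filename sanitization is the one detail bwc's one-liner leaves out: if the name in the header comes from user data, it must not be able to carry header-breaking characters.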

  • Wednesday, November 04, 2009 3:09 PM HirschFlo

    Thanks for the info, opening as an attachment is a good idea ;-)
    Btw, the usage of ContainerAccessControl.Private should also work.

    greatz flo
    Yes, i'm living in the cloud