Forms Authentication to restrict direct access to file download

  • Question

  • User598741127 posted
    Hi, I have one problem. I'm using forms authentication for my pages, which consist of downloadable links (doc files, pdf files etc.). The thing is, if I restrict access to the page, it works fine (it redirects anonymous users to the login page). However, if someone types the URL of the document directly (e.g. mywebserver/myapp/downloads/documentname), it downloads directly without authenticating. Any way to restrict direct downloading of files? Thanks
    Thursday, April 22, 2004 8:51 AM

All replies

  • User600176218 posted
    You would have to map the PDF extension to the ASP.NET process in your IIS control panel. This will result in slightly degraded performance for each PDF served up, but your users shouldn't notice unless your PDFs are many many MB or there are a lot being requested at once.
    Thursday, April 22, 2004 9:44 AM
  • User598741127 posted
    Ya, can you tell me how exactly I do that? Should I set NTFS permissions or something? Thanks.
    Thursday, April 22, 2004 10:07 AM
  • User600176218 posted
    Open the IIS control panel, and right-click on the site you wish to change. Choose "Properties" from the menu. At the first screen, click the "Configuration" button. On the App Mappings tab (the first tab in IIS 5), add an entry for PDF. Use the same information as for ASPX.
    Thursday, April 22, 2004 12:56 PM
  • User598741127 posted
    Hi, thanks for the info. When I try to add an entry for PDF, what is the executable path I need to give? The OK button is disabled and hence I couldn't succeed in mapping PDF and DOC files. Thanks
    Friday, April 23, 2004 12:29 AM
  • User598741127 posted
    Never mind, I got it to work fine. It was a bug in IIS 5.1: if you try to add an application mapping and select the location via Browse, the OK button is disabled. If you look at the location in the textbox, it will be something like C:\Windows\..\aspnet_isapi.dll. While the location is shown like that, the OK button is disabled. Just click on the textbox and the full path is displayed, and thereafter the OK button becomes enabled. Thanks. I put this here just in case it might be useful for someone.
    Friday, April 23, 2004 5:05 AM
  • User-2133977580 posted

    Hi, I have the same problem right now, where customers can download the file directly. I set the HttpHandler as well as the mapping in IIS, but my download link is not working now. I receive this error:

    "This type of page is not server."

    Could you please help? Maybe I set the HttpHandler wrong. Thanks in advance. 

    Friday, January 18, 2008 8:29 PM
  • User1719464407 posted

    Hi, try this:


    File Storage

    Another method would be storing the file in a folder on the Web server. If the file were stored in the Web application directory structure you could secure it using NT ACLs. While this method works for an intranet where you have administrative access to the machine, it does not work well if you are hosting a site with an ISP. An ISP may not be able to provide you with the level of security you need for your application.

    Another file storage method is storing the files in a folder outside of the Web application's directory structure and streaming the file to the browser. This would be accomplished much in the same way as the database solution, where you could store security information in a table, but the actual file resides on the Web server. You would do your security checks in your code and send the file to the user once they have authenticated for access to the file. This method would restrict the file from being downloaded directly by typing in the URL of the file, since the code is handling the file stream. Again, the drawback to this method is that you have to rely on an administrator to configure the folders that will reside outside of the Web directory structure.

    Another method is to store the file within the directory structure and use the web.config file to restrict access to the directory in the following manner:

    <location path="SecureDirectory">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    This method will secure any requests that are being processed by ASP.NET; the problem is that it will not secure files that are not processed by ASP.NET, for example pdf, doc, xls and other files you wish to secure. A way around this is to change the settings in IIS so all file extensions are processed by ASP.NET. Again, in the ISP case they may not want to do this because it can have some performance implications.

    One Solution

    So how do you provide access to files and ensure they cannot be accessed directly by typing in a URL? The following blocks of code will cover one method of doing this using a combination of all the methods described above. This can be done entirely via code.

    First, select a location for storing your files. As in the example web.config file mentioned previously, we'll select the "SecureDirectory" folder off of the Web root. We will keep the web.config modification to restrict access to this folder by unauthorized groups. We then create a database table to store security information for our file.

    FILE_NAME     ACCESS_ROLES
    ----------    --------------
    myfile.doc    admin;managers

    This table will contain the names of the files that are uploaded to our secure directory and the security roles that can access the file. Notice the actual file is not stored in the database, just the associated security information.

    The File Upload Code

    Now that you have your table defined to store security information for your file, we need to create methods for uploading and downloading the documents from the server. We will create a webform with a file browse dialog to browse our local system and upload the file to the server. In your Webform.aspx file add the following:

    <INPUT id="cmdBrowse" type="file" runat="server" size="50" NAME="cmdBrowse">
    <asp:LinkButton id="cmdUpload" runat="server" Cssclass="CommandButton">
    Upload File
    </asp:LinkButton>

    Then in our code-behind page, Webform.aspx.vb, we need to handle the file upload. The following code will take the file that is being uploaded, save it into our secure directory as defined in the web.config file, and add the extension "resources" to the file so it will be secured from a directly typed URL. You could use any extension like .vb, .ascx, .config, .resources, .resx or any file type that will be processed by the .NET handler.

    'Webform.aspx.vb: File and Path live in System.IO, so import it at the top of the file.
    Imports System.IO

    Private Sub cmdUpload_Click(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles cmdUpload.Click
        SecureFileUpload()
    End Sub

    Public Sub SecureFileUpload()
        Dim strFileName As String
        Dim strFileNamePath As String
        'keep only the file name; any directory part supplied by the client is discarded.
        strFileName = Path.GetFileName(cmdBrowse.PostedFile.FileName)
        'now save the file as a .resources file, an extension ASP.NET refuses to serve directly.
        strFileNamePath = Request.MapPath("SecureDirectory") & "\" & strFileName & ".resources"
        If File.Exists(strFileNamePath) Then
            File.Delete(strFileNamePath)
        End If
        cmdBrowse.PostedFile.SaveAs(strFileNamePath)
    End Sub

    So now if a person tries to go to the file directly by typing in the URL, they will be greeted by a login prompt and an eventual 401.2 status message of "Access is denied".


    Downloading the File

    So now that we have the file on our Web server and it can't be downloaded by browsing to the file URL, how are we supposed to get the file to the people who are supposed to get it?

    First, you need to pass the file that you want to download and check it against your database to see if they have permissions on the file. If they have permissions for the file, then proceed with the download. You can write any security check you want, you may want to run a stored procedure to check to see if your user is a member of a certain role for your portal. Since the security mechanism will vary depending on the application, we will call a CheckSecurity method that returns either true or false depending on whether or not the person has access to the file as defined by the table earlier in this article.

    If CheckSecurity(filename, userole) Then
        SecureFileDownload(filename)
    Else
        'change the http response to access denied or some other error.
    End If

    After checking the permissions in the database, if the user has access to the file we then call the SecureFileDownload method, which accepts the file name as the parameter, maps the file to the physical directory on the server, then sends the download to the client without the resources extension, allowing them to download the file:

    'requires Imports System.IO at the top of the code-behind file.
    Public Sub SecureFileDownload(ByVal inFile As String)
        Dim strFileNamePath As String
        'resolve the stored file and make sure the resolved path is still inside SecureDirectory,
        'otherwise a name containing ".." could reach files outside the secured folder.
        Dim strBaseDir As String = Path.GetFullPath(Request.MapPath("SecureDirectory")) & "\"
        strFileNamePath = Path.GetFullPath(Path.Combine(strBaseDir, inFile))
        If Not strFileNamePath.StartsWith(strBaseDir, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("File is outside the secure directory.")
        End If
        Dim myFile As FileInfo = New FileInfo(strFileNamePath)
        Response.Clear()
        'now we send the file header minus the resources extension.
        Response.AddHeader("Content-Disposition", "attachment; filename=""" & _
            Replace(myFile.Name, ".resources", "") & """")
        Response.AddHeader("Content-Length", myFile.Length.ToString())
        Response.ContentType = "application/octet-stream"
        Response.WriteFile(myFile.FullName)
        Response.End()
    End Sub

    regards

    az

    http://karachishopping.aspdotnet.sk

    Wednesday, June 17, 2009 3:54 AM
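    A download page that wires the pieces of the post above together, added here as an example (it is not the thread author's code nor part of the quoted article): it assumes the "SecureDirectory" folder, the ".resources" suffix and the FILE_NAME/ACCESS_ROLES table described above, assumes forms authentication populates the user's roles (for example through the ASP.NET role manager), and uses a hypothetical LookupAccessRoles stand-in for the database query.

```vbnet
Imports System
Imports System.IO
' Download.aspx code-behind (added example). Clients request Download.aspx?file=myfile.doc;
' the .resources suffix is applied server side, never taken from the client.
Partial Public Class Download
    Inherits System.Web.UI.Page
    ' Hypothetical stand-in for the FILE_NAME / ACCESS_ROLES table lookup.
    ' Returns the semicolon-separated roles, or Nothing if the file is unknown.
    Private Function LookupAccessRoles(ByVal fileName As String) As String
        If String.Equals(fileName, "myfile.doc", StringComparison.OrdinalIgnoreCase) Then
            Return "admin;managers"   ' constructed sample row
        End If
        Return Nothing
    End Function
    ' True when the current principal holds at least one role listed for the file.
    Public Function CheckSecurity(ByVal fileName As String) As Boolean
        Dim roles As String = LookupAccessRoles(fileName)
        If roles Is Nothing Then Return False
        For Each role As String In roles.Split(";"c)
            If User.IsInRole(role.Trim()) Then Return True
        Next
        Return False
    End Function
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim requested As String = Request.QueryString("file")
        ' Reject anonymous users and names carrying separators or invalid characters,
        ' so "..\" can never step out of SecureDirectory.
        If Not User.Identity.IsAuthenticated OrElse String.IsNullOrEmpty(requested) _
           OrElse requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then
            Response.StatusCode = 403 : Response.End()
        End If
        If Not CheckSecurity(requested) Then
            Response.StatusCode = 403 : Response.End()
        End If
        ' Resolve the stored file and confirm the canonical path is still inside the folder.
        Dim baseDir As String = Path.GetFullPath(Request.MapPath("SecureDirectory")) & "\"
        Dim fullPath As String = Path.GetFullPath(Path.Combine(baseDir, requested & ".resources"))
        If Not fullPath.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase) _
           OrElse Not File.Exists(fullPath) Then
            Response.StatusCode = 404 : Response.End()
        End If
        Response.Clear()
        Response.ContentType = "application/octet-stream"
        Response.AddHeader("Content-Disposition", "attachment; filename=""" & requested & """")
        Response.TransmitFile(fullPath)   ' streams without loading the whole file into memory
        Response.End()
    End Sub
End Class
```

    Because the client only ever names the logical file, the stored ".resources" file is never reachable by URL, and every request passes the role check before a byte is sent.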
  • User1719464407 posted

    For downloading:


    regards

    az

    http://karachishopping.aspdotnet.sk

    Wednesday, June 17, 2009 3:57 AM
  • User-1199946673 posted

    You just reopened a thread started in 2004, and the last reply was from January 2008! You think they are still waiting for somebody to answer this?

    Wednesday, June 17, 2009 4:14 AM
  • User1719464407 posted

    The way you looked, someone else will come here too :)

    I've tried to put up a solution which can be done programmatically instead of going to the IIS properties.


    regards

    az

    Wednesday, June 17, 2009 4:21 AM
  • User1751347886 posted

    azrawasia

    First, you need to pass the file that you want to download and check it against your database to see if they have permissions on the file. If they have permissions for the file, then proceed with the download. You can write any security check you want, you may want to run a stored procedure to check to see if your user is a member of a certain role for your portal. Since the security mechanism will vary depending on the application, we will call a CheckSecurity method that returns either true or false depending on whether or not the person has access to the file as defined by the table earlier in this article.

    If CheckSecurity(filename, userole) Then
        SecureFileDownload(filename)
    Else
        'change the http response to access denied or some other error.
    End If

    [May 2014: No Thread is Too Old]

    So... what actually calls "CheckSecurity()"? What file is it in? I need it to run whenever one of the special files is requested.

    Thursday, May 1, 2014 4:48 PM