Static Files - STOP Anonymous Access

  • Question

  • User-1059771271 posted

    I wanted to prevent the static files under wwwroot folder being accessed anonymously.

    How can I achieve this for all files under wwwroot folder?

    (I tried removing UseStaticFiles() method but no luck)

    Tuesday, December 17, 2019 3:17 PM

Answers

  • User475983607 posted

    Thanks.  But here I have 25 files & need to create 25 methods for serving them authorized.

    Can I make a folder fully enable for authorized access only?

    A standard programming pattern is using an input parameter to pass information to a method.

    [Authorize]
    public IActionResult BannerImage(string file)
    {
        // Resolve the requested name under the folder kept outside wwwroot.
        var path = Path.Combine(Directory.GetCurrentDirectory(),
                                "MyStaticFiles", "images", file);

        return PhysicalFile(path, "image/svg+xml");
    }

    I'm not sure what kind of files you are storing but you might need a few more parameters and additional logic to accomplish this task.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, December 17, 2019 4:21 PM

All replies

  • User475983607 posted

    I wanted to prevent the static files under wwwroot folder being accessed anonymously.

    How can I achieve this for all files under wwwroot folder?

    (I tried removing UseStaticFiles() method but no luck)

    The official static file documentation in ASP.NET Core covers this scenario.  Store the files outside the wwwroot directory and use a secured action to return the file.

    https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-3.1#static-file-authorization

    Tuesday, December 17, 2019 4:03 PM
  • User-1059771271 posted

    Thanks.  But here I have 25 files & need to create 25 methods for serving them authorized.

    Can I make a folder fully enable for authorized access only?

    Tuesday, December 17, 2019 4:14 PM
  • User-1059771271 posted

    Thank you Mgebhard.  It makes sense, I can create a few methods which will handle multiple file types.

    [Authorize]
    [Route("/{file}")]
    public IActionResult Static(string file)
    {
        if (string.IsNullOrEmpty(file))
            return BadRequest();

        // Files live in a StaticFiles folder outside wwwroot.
        var filePath = Path.Combine(Directory.GetCurrentDirectory(), "StaticFiles", file);

        if (!System.IO.File.Exists(filePath))
            return BadRequest();

        // Default to HTML, then override for the other known extensions.
        string contentType = "text/html";

        if (file.EndsWith(".jpg"))
            contentType = "image/jpeg";

        if (file.EndsWith(".css"))
            contentType = "text/css";

        return PhysicalFile(filePath, contentType);
    }

    Tuesday, December 17, 2019 4:40 PM
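
A hardened variant of the `Static` action in the post above, as an added example that is not part of the original thread: the requested name is user input that ends up in `Path.Combine`, so the action should confirm the resolved path stays inside the `StaticFiles` folder before serving it. The controller name, the helper `ResolveUnderRoot` and the choice of 404 responses are assumptions.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

// Hypothetical controller name; the "StaticFiles" folder comes from the post above.
public class ProtectedFilesController : Controller
{
    private static readonly string Root = Path.GetFullPath(
        Path.Combine(Directory.GetCurrentDirectory(), "StaticFiles"));
    private static readonly FileExtensionContentTypeProvider ContentTypes =
        new FileExtensionContentTypeProvider();

    // Returns the absolute path for a requested name, or null when the name
    // is empty or would resolve to anything other than a file inside root.
    private static string ResolveUnderRoot(string root, string file)
    {
        if (string.IsNullOrWhiteSpace(file))
            return null;
        // Reject names that carry a directory component (for example "a/b").
        if (!string.Equals(Path.GetFileName(file), file, StringComparison.Ordinal))
            return null;
        // Canonicalise, then require the result to sit below root; this also
        // rejects "." and "..", which pass the file-name check above.
        var fullPath = Path.GetFullPath(Path.Combine(root, file));
        var prefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return fullPath.StartsWith(prefix, StringComparison.Ordinal) ? fullPath : null;
    }

    [Authorize]
    [Route("/{file}")]
    public IActionResult Static(string file)
    {
        var fullPath = ResolveUnderRoot(Root, file);
        if (fullPath == null || !System.IO.File.Exists(fullPath))
            return NotFound();
        // Serve only extensions with a known MIME type instead of defaulting to text/html.
        if (!ContentTypes.TryGetContentType(fullPath, out var contentType))
            return NotFound();
        return PhysicalFile(fullPath, contentType);
    }
}
```
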
  • User-474980206 posted

    You can write simple middleware: check if the request is for the static files and check authentication.

    If you are using standard authentication then just tweak the static file handler:

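            app.UseStaticFiles(new StaticFileOptions
            {
                OnPrepareResponse = (context) =>
                {
                    // The null-conditional chain yields bool?, so compare against true;
                    // a null user or identity counts as not authenticated.
                    if (context.Context?.User?.Identity?.IsAuthenticated != true)
                    {
                        throw new Exception("Not authenticated");
                    }
                }
            });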

    Tuesday, December 17, 2019 6:07 PM