I have an asp.net application which does the following: loads data about audio files (file name, path and so on) from DB and shows them in table on the page. Application uses windows authentication (this cannot be changed).
I've added html 5 audio controls to my table cells so that users could play audio files without downloading them - actually, I don't want them to be able to download files at all.
Audio files come from two network-shared directories - one is accessible by all domain users, the second one is accessible only to specific user. Audio control requires the src to be a relative url - ok, fine, so I went to IIS manager and created two virtual directories under my application. For the second, highly protected directory, I'd set credentials which should have helped my application to access files.
Result seems quite strange to me: users see audio files from the first (accessible) directory preloaded and can play them; users cannot preload and cannot play files from the second directory with preset credentials.
Problem is definitely not in the audio src itself - it is well-formed. Seems like IIS is trying to access data in the second virtual directory under credentials of current domain user and not the one, whose login and password were set on folder setup.
Is there any way to overcome this problem? Unfortunately, granting access to this directory to all users is not a chance. Changing app pool identity to that same specific user also gave no results. App users and user account for the second folder are all in the same domain.
IIS access file via application pool identity not login user. So when you are running an application with network share directory, please change the app pool identity to a domain user that have permission to access both. Then you can restrict login user permission via authorization rule.
Related
We have some requirements where we want to allow our clients/ users to download files/ folders from our file server via browser/ web.
We have a many different directories created on our file server which is mapped to different clients. Which means that, every client has its own directory on our server. We have a main (root) directory for every single client/user. Which means that, every client’s files/folder are created under their respective main directory.
The only thing we need be sure is, whenever our client make a request to access/ download file, first we need to validate their credential (username/password are stored in our SQL server DB) and then we need to allow only those folder which is mapped for specific folder. (The folder mapping is again stored in our SQL server DB)
Which means that, after applying the credential by user/clients, they can only access their directory/ files. They cannot access other’s files/ directory.
Would anybody please do let me know how would I achieve this? All the suggestions would be appreciated highly.
Thanks in advance.
Since different users need to be authorized to access different directories, you cannot expose your files directly on the web.
Build a simple login with a custome MembershipProivder. That will allow you to autenticate against your database.
Since you know which directories the user has access to, you can fetch a listing of files and folders and present it in a ListView to the user.
You can write a HttpHandler to check user authorization and then serve the files to them.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
There's a lot of questions floating around on here and the web, however I couldn't resolve my issue with them.
My app pool user is set to NETWORK SERVICE, and I've verified on the folder that it is has full access (Every permission is checked). However, when I initiate a GET request to download a file it says Access to the path is denied.
I'm using .NET 4 and webforms on IIS6.
So the problem ended up being that the file itself didn't have the NETWORK SERVICE user assigned to it as I dragged the files into that directory without having the web site create them.
I was under the impression that setting the user on a directory would affect files within.
I have an asp.net application. There is a folder in the project that users upload images and files to that folder.
I want to restrict users, that each user sees only his files. How can I do this?
Because files are uploaded in folder, users may access them by browsing file urls.
One way is you could store the files inside the username of a folder, and your parameter which allows you specify a path always assumes you are talking about after the username...much like how shared web hosting must work.
Regardless, you should secure each folder for each user if there was some flaw in your code or whatever...
e.g. the physical file structure with each users files
C:\TheProject\Uploads\UserA\Images
C:\TheProject\Uploads\UserB\Images
C:\TheProject\Uploads\UserC\Images
your web app's url where you show the files for the currently logged on user. If UserA is logged on, show the files inside the appropriate folder etc
Happy paths:
http://example.com/browsefiles/?path=images
http://example.com/browsefiles/?path=docs
Unhappy paths:
http://example.com/browsefiles/?path=../UserA/images
http://example.com/browsefiles/?path=../../web.config
So obviously put some very tight checking around what input you accept...perhaps even a whitelist instead...if the query by the user doesn't match the whitelist, block it. In this scenario, you'd probably want to err on the side of blocking a legitimate request than allowing a malicious one.
Edit
If users can access the files without going through your web application (can we assume Intranet app here???) perhaps through a file share/network share/ftp then you could try a couple of options
Each user in your app is a user on the server (local user) so they would have a username and password on the server (which your app would need to authenticate against) but would allow you to set permissions on each folder/file on the server to a local user, OR
This might be easier if you have Active Directory setup and can use Windows Authentication and that way you could both impersonate your web app and secure the files/folders using the user's active directory account.
You might need to consult http://serverfault.com if you need help with Active Directory or Accounts on Windows servers
You have to create web.config in image folder and use FormsAuhentication
in web.config :
<authorization>
<deny users="?"/> // anonymous user
</authorization>
I'm creating a website which besides other tasks will play some recorded files. these recorded files are on a remote server with private ip address, so I've created a virtual directory which points to a share directory on the mentioned server.
now I'm able to playback the files using client side controls like wmplayer. BUT the problem is sound file urls are accessible without any authentication and authorization.
is there anyway to enforce .net authorization and authentication (in web.config) on this virtual directory? I also should mention I can not use solutions like httphandlers to download the files because file are streamed using iis so user could navigate on the file without downloading all of it)
thanx
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?