Consider this scenario: I have a REST API built with Web API 2.x and authentication is managed by ASP.NET Identity. Users can upload attachments as part of their records, which are all stored on disk in the root folder, under a directory named Attachments.
Now at some point users can generate PDFs from their records. The PDF includes links to attachment files, and when you click them the static file is happily served. For example: attachments/2018/01/somefile.jpeg.
What I need to do, is serve these media files ONLY to authorized users. And basic authentication isn't enough, I can't just say serve media files for all logged-in users. I need to query the database, check user assignments and/or other security measures and decide if the file should be served or not.
I've been looking for a viable solution. How can I handle such routing through Web API and serve static content only to authorized users? It's worth mentioning that I don't use ASP.NET MVC in my project. It is just Web API 2.x with an Angular 1.6 app written in TypeScript.
The following approach should work for you.
Step 1:
Deny direct access to your attachment folder in your web.config for all users, like the following.
<location path="attachments">
  <system.web>
    <authorization>
      <!-- the deny rule was missing from the original snippet; without it this block allows everyone -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Step 2: Create a common file download API, this should be your single point for downloading any file from server.
All your secured links should look like /Download/somefilename
You implement your data-level security in your Download API by checking the requested file against the logged-in user.
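As an added example of the Download API described in this answer (not the answerer's code): a single ASP.NET Web API 2 endpoint that looks the attachment up by id, asks the data layer whether the current ASP.NET Identity user may read it, and only then streams the file from the Attachments root. The `Attachment` type, `IAttachmentRepository` and the `~/Attachments` location are assumptions; the repository is where the database query and user-assignment checks from the question would live.

```csharp
// Added example, not from the original answer. Assumes attribute routing is
// enabled (config.MapHttpAttributeRoutes()) and that IAttachmentRepository is
// registered with the dependency resolver. All names below are hypothetical.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;
using Microsoft.AspNet.Identity;

public class Attachment
{
    public int Id { get; set; }
    public string OwnerId { get; set; }      // ASP.NET Identity user id of the uploader
    public string StoredPath { get; set; }   // relative to the Attachments root, e.g. "2018/01/somefile.jpeg"
    public string ContentType { get; set; }
}

public interface IAttachmentRepository
{
    Task<Attachment> FindAsync(int id);
    // Encapsulates the database check (ownership, assignments, other rules).
    Task<bool> UserMayReadAsync(string userId, Attachment attachment);
}

[Authorize]                // anonymous requests are rejected before the action runs
[RoutePrefix("Download")]
public class DownloadController : ApiController
{
    private readonly IAttachmentRepository _repo;

    public DownloadController(IAttachmentRepository repo) { _repo = repo; }

    [HttpGet, Route("{id:int}")]
    public async Task<IHttpActionResult> Get(int id)
    {
        var attachment = await _repo.FindAsync(id);
        // Answer 404 for both "does not exist" and "not allowed", so the endpoint
        // does not reveal which ids exist to users who may not read them.
        if (attachment == null) return NotFound();

        var userId = User.Identity.GetUserId();
        if (!await _repo.UserMayReadAsync(userId, attachment)) return NotFound();

        // Resolve the stored relative path and refuse anything that lands outside
        // the Attachments root, even if the database row itself was tampered with.
        var root = Path.GetFullPath(HttpContext.Current.Server.MapPath("~/Attachments"));
        var full = Path.GetFullPath(Path.Combine(root, attachment.StoredPath));
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return NotFound();
        if (!File.Exists(full)) return NotFound();

        // Stream the file; the web.config deny rule on /attachments does not affect
        // this read because it governs HTTP requests, not the application's file I/O.
        var response = Request.CreateResponse(HttpStatusCode.OK);
        response.Content = new StreamContent(File.OpenRead(full));
        response.Content.Headers.ContentType = new MediaTypeHeaderValue(attachment.ContentType);
        response.Content.Headers.ContentDisposition =
            new ContentDispositionHeaderValue("attachment") { FileName = Path.GetFileName(attachment.StoredPath) };
        return ResponseMessage(response);
    }
}
```

With this in place the PDF links point at /Download/42 rather than at attachments/2018/01/somefile.jpeg, so every download passes through the same authorization path; the Angular client only needs to send its normal authentication token.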
Related
How to access webservice / asmx file in wordpress?
WordPress has no relationship with Web Service. You can freely access the sub-folder as you wish (same as other websites).
However in most cases, directory listing is prohibited in most servers, as it will cause security issues.
I have an asp.net application. There is a folder in the project that users upload images and files to.
I want to restrict users so that each user sees only his own files. How can I do this?
Because files are uploaded in folder, users may access them by browsing file urls.
One way is you could store the files inside a folder named after the username, and your parameter which allows you to specify a path always assumes you are talking about the part after the username...much like how shared web hosting must work.
Regardless, you should secure each folder for each user if there was some flaw in your code or whatever...
e.g. the physical file structure with each user's files
C:\TheProject\Uploads\UserA\Images
C:\TheProject\Uploads\UserB\Images
C:\TheProject\Uploads\UserC\Images
Your web app's URL where you show the files for the currently logged-on user. If UserA is logged on, show the files inside the appropriate folder, etc.
Happy paths:
http://example.com/browsefiles/?path=images
http://example.com/browsefiles/?path=docs
Unhappy paths:
http://example.com/browsefiles/?path=../UserA/images
http://example.com/browsefiles/?path=../../web.config
So obviously put some very tight checking around what input you accept...perhaps even a whitelist instead...if the query by the user doesn't match the whitelist, block it. In this scenario, you'd probably want to err on the side of blocking a legitimate request than allowing a malicious one.
Edit
If users can access the files without going through your web application (can we assume Intranet app here???) perhaps through a file share/network share/ftp then you could try a couple of options
Each user in your app is a user on the server (local user) so they would have a username and password on the server (which your app would need to authenticate against) but would allow you to set permissions on each folder/file on the server to a local user, OR
This might be easier if you have Active Directory setup and can use Windows Authentication and that way you could both impersonate your web app and secure the files/folders using the user's active directory account.
You might need to consult http://serverfault.com if you need help with Active Directory or Accounts on Windows servers
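As an added example of the "very tight checking" and whitelist this answer recommends (not the answerer's code): a helper that maps the `path` query value onto the logged-on user's own folder and refuses anything that resolves outside it. The uploads root, the user name source and the allowed subfolder names are assumptions; the happy and unhappy paths from the answer are used as the sample inputs.

```csharp
// Added example, not from the original answer. Names are hypothetical.
using System;
using System.IO;
using System.Linq;

public static class UserFileBrowser
{
    // Whitelist of subfolders a user may browse; anything else is rejected outright.
    private static readonly string[] AllowedSubfolders = { "images", "docs" };

    // userName must come from the authenticated identity, never from the request,
    // so a caller cannot pick another user's folder by naming it.
    public static string ResolveOrNull(string uploadsRoot, string userName, string requestedPath)
    {
        if (string.IsNullOrWhiteSpace(requestedPath)) return null;

        // Check 1: whitelist. "../UserA/images" and "../../web.config" fail here.
        if (!AllowedSubfolders.Contains(requestedPath, StringComparer.OrdinalIgnoreCase)) return null;

        // Check 2: canonicalize and verify containment. Kept as an independent
        // check so a later whitelist mistake cannot reintroduce traversal.
        var userRoot = Path.GetFullPath(Path.Combine(uploadsRoot, userName));
        var prefix = userRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        var candidate = Path.GetFullPath(Path.Combine(userRoot, requestedPath));
        return candidate.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed sample inputs taken from the answer's happy and unhappy paths.
        const string root = @"C:\TheProject\Uploads";
        const string user = "UserB";   // the currently logged-on user (assumed)
        foreach (var path in new[] { "images", "docs", @"../UserA/images", @"../../web.config" })
        {
            var resolved = ResolveOrNull(root, user, path);
            Console.WriteLine("{0,-22} -> {1}", path, resolved ?? "BLOCKED");
        }
    }
}
```

Erring on the side of blocking, as the answer suggests, is what the two-step check does: a request must both name a known subfolder and resolve inside the user's root before a single directory entry is read.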
You have to create web.config in the image folder and use FormsAuthentication
in web.config:
<configuration>
  <system.web>
    <authorization>
      <deny users="?" /> <!-- anonymous users -->
    </authorization>
  </system.web>
</configuration>
I'm creating a website which, besides other tasks, will play some recorded files. These recorded files are on a remote server with a private IP address, so I've created a virtual directory which points to a shared directory on the mentioned server.
Now I'm able to play back the files using client-side controls like wmplayer. BUT the problem is the sound file URLs are accessible without any authentication and authorization.
Is there any way to enforce .NET authorization and authentication (in web.config) on this virtual directory? I also should mention I can not use solutions like HttpHandlers to download the files (because the files are streamed using IIS, so the user can navigate within the file without downloading all of it).
Thanks
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?
Environment: IIS 6.0, ASP.NET 3.5
I have the need to secure just one file with windows authentication and just want to ensure that I understand my options correctly.
Through IIS turn off anonymous access for the file I want to secure, and make sure Integrated Windows Security is checked
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
Is there a way to setup the web config to control access to a single file? Will any of the security attributes help me here to lock down the single file?
Thanks in advance
Kevin
Put the file in its own directory and drop a web.config file in there that has the authorization configuration setup for that directory to require windows authentication
You can't mix authentication providers for a single app. So, e.g., you can't have Forms Authentication for ~/ and Windows Authentication for ~/Secure. You may be able to get around it by making ~/Secure another app in IIS - but that greatly complicates deployment and testing IMO.
I've run into this problem while trying to secure ASMX services with basic authentication from a domain, but being in the same app as Forms Authenticated pages. I ended up hacking in a basic auth challenge in the ASMX service itself to prompt for credentials.
This should be possible using the <location> tag.
http://support.microsoft.com/kb/316871
I know in the past I have done the opposite and used it to enable access to a single resource and denied all others to unauthenticated users. Should work the same in reverse.
If you want the web.config to apply then you need to ensure that the directory in which it is placed is an IIS virtual directory. That ought to do the trick as the web.config's security restrictions will govern all files in that directory.
I have a system that allows the users to download some files; the user needs to log in first and then he is authorized or not to download. The download page is Download.aspx?FileId=42 and the code within this page opens the file and keeps sending small chunks to the user. We made this because we needed to guarantee that only authorized users could download.
We recently moved this system to IIS7 and it is working properly, but I don't like the idea of having custom C# code sending the chunks to the client, so I would like to know if there is a way that, when a request to file.zip is made, custom code is executed to authorize it or not, and if it is authorized, I just tell IIS7 to proceed with the download instead of running the code inside Download.aspx.
Is this possible?
Thanks!
Do a redirect to the zip file. Hide the zip file in an obscure location with non-regular naming. "Security through obscurity."
IIS7 has authorization that uses Forms or Windows authentication for all file types - if it's running in integrated pipeline mode. The syntax is just like that for ASP.NET applications, but it's in a different place in web.config, <system.web>. The rules can also be added using the IIS7 admin interface. There are a couple of differences, IIS7 URL authorization evaluates rules from the parent down and deny rules take precedence.