Develop Reference

Access Denied for the signed URL .NET CloudFront

I'm trying to set up a cloudfront for my s3 bucket that will only allow users to read or write with the signed URLs.(read the file, upload, and download)
The S3 doesn't have public read/write permissions.
CloudFront is:
Http and HTTPS.
It has Trusted Signer as self.
It has Restricted View access.
It has a origin domain name as origin-domain-name/public.
Lastly, it has a origin access identity as origin-access-identity/cloudfront/XXXXXXX.
I have my cloudfront pem file and aws private key id.
My c# code to generate signed url is:
StreamReader sr = new StreamReader("../../keys/CloudFront-PrivateKey.pem");
var url = AmazonCloudFrontUrlSigner.GetCannedSignedURL(
AmazonCloudFrontUrlSigner.Protocol.http,
"http://xxxxxxxxxx.cloudfront.net",
sr,
"public/AddinJudgeIssue.png",
"<AWS Private Key ID>",
DateTime.Now.AddDays(2));
Each time when I execute the code, it generates the URL. However, when I copy and paste it to URL, it says "access denied".
First of all, does anyone have any idea about why this happening?
Secondly, this works somehow, can I use this same technique to upload assets to the bucket?
Thank you and apologize for my ignorance. I digged the aws whitepapers, but failed to find a straightforward guidance.

A look at the documentation suggests two problems:
"http://xxxxxxxxxx.cloudfront.net" should not include http:// because the field is distributionDomain and expects the domain name, not the base URL.
"public/AddinJudgeIssue.png" should have a leading / because this field is resourcePath. Paths begin with a / even though object keys don't.

After doing some experiment, I got it working. Although I used root credentials and pem keys to generate the signed URL, I still had to give public read/write access to my S3 bucket. That was the reason why I was getting access denied error. On Cloudfront setup, "restrict bucket access" option gives restriction to my bucket anyway.

How to verify a shopify webhook request in asp.net

Can someone explain how do I compute a HMAC
===============
To verify that the request came from Shopify, compute the HMAC digest according to the following algorithm and compare it to the value in the X-Shopify-Hmac-SHA256 header. If they match, you can be sure that the Webhook was sent from Shopify and the data has not been compromised.
Each Webhook request includes a X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret, along with the data sent in the request.
I have the secret key... how can I combine the secret key + the data in the request to generate a HMAC

The easiest way is to use the ShopifySharp Library. You can use the Nuget package and install it in your project.
This is an example taken from the ShopifySharp website for validating webhooks:
NameValueCollection requestHeaders = Request.Headers;
Stream inputStream = Request.InputStream;
if(AuthorizationService.IsAuthenticWebhook(requestHeaders, inputStream, shopifySecretKey))
{
//Webhook is authentic.
}
else
{
//Webhook is not authentic and should not be acted on.
}
If you don't want to use ShopifySharp, you can see how they implemented it in the source code.

Encrypt and Decrypt documents through asp.net application

My asp.net application is in Web Server A and displays and let download MS-Word or PDF documents that are stored in Web Server B.
For security reasons, I was advised to encrypt and decrypt those documents when serving them up on the webserver A.
Could anyone give me some clue on how to do that?
I've never seen some utility before. My code just give value to a link control and let the user to click on it to display a MS-Word or PDF document, like:
Dim RemoteFolder As String
Dim RemoteFileName As String
RemoteFolder = "http://192.168.32.98/Application/Documents/"
RemoteFileName = "MyWordDocument.doc"
lnkOpenDocument.NavigateUrl = RemoteFolder + RemoteFileName

Using SSL might help, that protects all request/responses between the two servers. Otherwise .Net does have a encryption/decryption library under System.Security:
http://support.microsoft.com/kb/307010 also see this previous post What's the easiest way to encrypt a file in c#?
you can always grab the file from the user, encrypt using one of the above methods, and drop the encrypted file on webserver B. when reading it rather than link directly to the .doc file, link to another asp.net page, pass the ID of the file into that new page and have it pull the file from Webserver B decrypt it and display to the user.

WCF Certificate Authentication without installing on the Client

Our setup includes a WCF service and a number of clients written by us. Some of the clients include Silverlight applications, whereas others include Web and Windows applications.
I (think) I would like to authenticate clients based on X.509 certificates. Typically you would install a private key on the client to encrypt (aka digitaly sign) the messages. The server can the use the clients public key to de-crypt it to ensure the message has not been changed and prove the message is from who we expect (aka authenticated).
I dont want to install a certificate on a client machine. Its a hassel to deploy, and we cant really ask our clients to do it. I was speaking to someone the other day who sugested embeding the cert in a client assembly, reading it and using that. Is that possible?
It would be great if someone could point me to an example.
Thanks in advance,
David

Yes, you can load X509certificate2 by passing a certificate byte array with a password like
var certificate = new X509Certificate2(theByteArrary, "password");
To get the certificate byte array, you can simply copy paste the contents in .pfx file, which is a combination of .cer (public key) and .pvk (private key)
and then you can load this certificate on your client by doing:
var channelFactory = new ChannelFactory<IYourService>();
channelFactory.Credentials.ClientCertificate.Certificate =
clientCertificate;
If you use auto-generated client proxy, or you prefer configure the certificate via .config file then you might want to have a look at this from codeproject

Here is a suggestion. Could also be tweaked to use an embedded certificate.
http://www.codeproject.com/KB/WCF/wcfcertificates.aspx

asp.net media protection

Does anyone know a good practice of securing media for asp.net?
I need to host a variety of media that require permission to a view a specific image/video. i.e. a specific user may or may not have permission to view a media file - and this fact may be changed on the fly.
I don't care if they can download a media file that they have access to, I just don't want them to even be aware of items they should not have access to.
I've already considered url obfuscation - this seems quite lame to me.
I have form authenticated users (and I'm not willing to change this).
I would like to keep the media file folder structure unrelated to permissions.

Build an HttpHandler that all media must be accessed through. Then, prior to retrieving the file and sending it down to the user, you can perform any validations that you'd like. Keep all of your media outside of the main wwwroot path, or deny access to that folder using permissions.
More info on this topic here:
http://www.15seconds.com/Issue/020417.htm

I use an xml file like this to set which users/groups have access to a file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ELEMENT file ANY>
<!ATTLIST file name ID #REQUIRED>
]>
<root>
<file name="file.doc" users="155,321" groups="grp5" />
<file name="file2.doc" users="321" groups="" />
</root>
files are stored above http root so they cannot be accessed by URL.
When a user tries to access GetFile.aspx?file=file.doc I load the XML, get the line with
XmlNode xnFile= XML.GetElementById(wantedFile);
, then I call a function
HasAccess(Context.User, xnFile);
Which checks if the user is logged in and compares the permissions, and if it is ok for this user to have the file, I read the files from disk and write them out with
FileInfo thisFile = new FileInfo(secretLocation + wantedFile);
Response.Clear();
Response.Buffer = false;
Response.BufferOutput = false;
Response.ClearContent();
Response.ClearHeaders();
Response.AddHeader("Content-Length", thisFile.Length.ToString());
Response.AddHeader("Content-disposition", "filename=" + thisFile.Name);
Response.ContentType = "application/none";
Response.WriteFile(secretLocation + wantedFile);
Response.Close();
Response.End();
Response.ClearContent();
Response.ClearHeaders();
Actually now I have more than a thousand files, and I think of writing the file data to the database as the XML got corrupted twice in 5 years, probably due to crashes or simultaneous use.

From your comment in the Spikolynn answer
I'm puzzled - how is this different than obfuscation? Would an authenticated user be able to share an image (which they are authorized for) with another authenticated but unauthorized user?
I guess that you try to prevent unauthorized sharing of media.
This is something a lot of companies (Microsoft, Apple, IBM, etc) have put considerable amount of money to solve. The solution was DRM, and now they are removing it, because it failed.
So, my answer is that you can not prevent sharing if the user is willing to put some effort to avoid it.
You can just keep the honest people honest by applying some techniques as Spikolynn or Lusid explain in their answers.

I'd suggest a table holding the files to which each user has access:
UserID int
FileID varchar
then a table for your files:
FileID UniqueIdentifier
FileType char(4) <- so you know which extension to use.
etc...
On the hard drive, name the file the FileID (UniqueIdentifier) and the FileType (the extension, eg. .jpg). The fileID in the permissions table will hold the UniqueIdentifier generated in the other table.
You can pass this via the URL knowing with relative safety that the user won't be able to guess the name of any other file.
Update: this is, by the way, much simpler than writing an HttpHandler or dealing with file permissions. However, while the chances of someone guessing another file name are infinitesimal it is not airtight security as one user may give another one access to the file.

brownpaperpackage.aspx?id={guid}
In the Load event of media.aspx, you verify the user is authenticated, then verify the user has the right to view the media, and if they do, then load the media as a stream and feed it to the page's Response as Spikolynn demonstrated.
Why do it this way? Its simple to code and you get all the benefits of ASP.NET and IIS' authentication services, from which you can find the user requesting the media. Its trivial to map that user to an access list for your media objects. And the Page has the request object right there. You're also hiding the name of the media, so you can't tell what's going on from the URL.
How do you keep people from accessing your media directly? Your media files cannot be stored in the IIS virtual directory. If they are, there's a possibility that they can be downloaded directly. You can store them in a database as a byte array (blob) or store them on disk outside of the web virtual directory. Users must go through ASP.NET to access the files
How do you keep track of what users have access to what media? You keep track of your users thorugh asp.net membership. That means each user has an ID in the aspnet_users table. Create a table for your media with an id and a filename (or a blob containing the actual media). Then you just need to create a third table that connects the two. This table would contain a user id and a media id, signifying this user can view this media. With the user id (from asp.net Membership) and the media id (from the URL) you just need to
select count(*) from UserMedia where UserId = #UserGuid and MediaId = #MediaIdFromUrl
and if the count > 0 the user can view the media.
An example of how you'd use the URL:
<asp:image
runat="server"
ImageUrl="brownpaperpackage.aspx?id=53a2ea4(snip)76ca8b" />