We have some requirements where we want to allow our clients/ users to download files/ folders from our file server via browser/ web.
We have a many different directories created on our file server which is mapped to different clients. Which means that, every client has its own directory on our server. We have a main (root) directory for every single client/user. Which means that, every client’s files/folder are created under their respective main directory.
The only thing we need be sure is, whenever our client make a request to access/ download file, first we need to validate their credential (username/password are stored in our SQL server DB) and then we need to allow only those folder which is mapped for specific folder. (The folder mapping is again stored in our SQL server DB)
Which means that, after applying the credential by user/clients, they can only access their directory/ files. They cannot access other’s files/ directory.
Would anybody please do let me know how would I achieve this? All the suggestions would be appreciated highly.
Thanks in advance.
Since different users need to be authorized to access different directories, you cannot expose your files directly on the web.
Build a simple login with a custome MembershipProivder. That will allow you to autenticate against your database.
Since you know which directories the user has access to, you can fetch a listing of files and folders and present it in a ListView to the user.
You can write a HttpHandler to check user authorization and then serve the files to them.
Related
I have an asp.net application which does the following: loads data about audio files (file name, path and so on) from DB and shows them in table on the page. Application uses windows authentication (this cannot be changed).
I've added html 5 audio controls to my table cells so that users could play audio files without downloading them - actually, I don't want them to be able to download files at all.
Audio files come from two network-shared directories - one is accessible by all domain users, the second one is accessible only to specific user. Audio control requires the src to be a relative url - ok, fine, so I went to IIS manager and created two virtual directories under my application. For the second, highly protected directory, I'd set credentials which should have helped my application to access files.
Result seems quite strange to me: users see audio files from the first (accessible) directory preloaded and can play them; users cannot preload and cannot play files from the second directory with preset credentials.
Problem is definitely not in the audio src itself - it is well-formed. Seems like IIS is trying to access data in the second virtual directory under credentials of current domain user and not the one, whose login and password were set on folder setup.
Is there any way to overcome this problem? Unfortunately, granting access to this directory to all users is not a chance. Changing app pool identity to that same specific user also gave no results. App users and user account for the second folder are all in the same domain.
IIS access file via application pool identity not login user. So when you are running an application with network share directory, please change the app pool identity to a domain user that have permission to access both. Then you can restrict login user permission via authorization rule.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
I'm uploading files into a folder. It works as it should when I run the solution locally, but when I've uploaded the site to the web server using "copy website", - I can no longer upload files to the folder.
Can I change the permissions somehow?
It depends is the user that is trying to upload the file(s) into that directory on the server have permissions to that folder on the server, eg: read/write, ect... Also is the user that will be using that program on the server is running the application as themselves or as the IIS User account, or some other dedicated account?
Update:
Since you are doing it through the VPN, try terminal serving to that server and if you have personally permissions to make this change as in give permissions then do it yourself or ask the admins to do it for you.
Depending on the folder you are uploading your files into and the account you have configured the web server to execute your application under, there might be different ways to achieve that. But basically you should rant write access to this account to the given folder you are saving the uploaded files into. But if you use some of the special ASP.NET folders such as App_Data for example to store the uploaded files, the account should already have write permission to that folder. And if you have uploaded your site to some hosting company that don't provide you the possibility to change permissions on the different folders that are part of your website you might need to contact the support so that they perform he necessary modifications that you need.
I have created an ASP.Net application using .Net framework 4.0. I need to save an xml file on any location on same server (if file not already exists) and want to access then after always. But I dont want to set write permission to any folder.
Is it possible to write a file to any location for Network service account without specifying write permission?
Does Network service account have default write permission to any location?
Thanks,
Jitendra Biyani
You should always be able to write to %TEMP%. (Call Path.GetTempPath())
However, you should not be writing files to disk if you can avoid it.
What are you trying to do?
Typically if I ever need to do something like this I run an application under a domain user account and grant permissions to the output folder just for that particular user.
Say you have public ASP.NET (and Classic ASP) applications on IIS with a script/page that needs to write or update html files in a specific folder that is located within the web publishing folder tree.
What is the proper way to handle this and exactly how do you do it? (i.e. set directory permissions in IIS or windows explorer)
My main concern is that I want to let the ASP/ASP.NET apps write to a folder, but I don't want regular http users to be able to put files into it directly via HTTP PUT.
You'll want to set your NTFS permissions as follows:
IUSR_<MachineName> - The anonymous user should only have READ access
Network Service (or App Pool identity) - READ and WRITE access
With these permissions, you can most likely safely remove the Everyone and Authenticated Users accounts from the ACL as well.
More info:
http://support.microsoft.com/kb/815153
Don't enable writing in IIS--that only speaks to HTTP PUT, not underlying filesystem permissions. Then do what gattaca said.