Prevent a file (pdf) from being served in asp.net - asp.net

I've got a legacy flash app (no access to the source) that when it completes it opens a pdf in a new window automatically.
Is there some way to prevent this one file at this one specific location from opening (again, keeping in mind I cant edit the flash)
So it opens to http://site.com/Files/Video/Completion.pdf directly in the browser, no handler or anything to change.

You can drop a web.config in that folder which will prevent the files from being accessed unless they are in a specific role:
<configuration>
<system.web>
<authorization>
<allow roles="WHATEVER-ALLOWED-ROLES"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
If you only want to lock down that specific file you can wrap that <system.web> with <location path="filepath-and-name">
This will likely require you to add the following handler to your root web.config in the "handlers" section, as usually IIS will serve up the file before ASP.NET touches it. This will make PDFs go through ASP.NET which can then handle the Role restrictions from above:
<add name="PDFHandler-Integrated" path="*.pdf" verb="GET" type="System.Web.StaticFileHandler" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" />

You could lock the file down on the web server or delete it? If you can't alter the source you can't prevent the window.open from happening, but you can prevent the delivery.

Related

Url Authorization with MVC and ASP.NET Identity

I want to secure specific folders and resources in my application that are outside of the routes for my mvc application. I want these resources to only be available to authenticated users (which role is not of concequence as long as they are authenticated).
Initially it seemed that the UrlAuthorizationModule would be the answer. I followed this article, Understanding IIS 7.0 URL Authorization, and I can get the module to work in the sense that it responds to the configuration elements in the web.config.
My current problem is that I think it is enacting the rules based on the anonymous user in IIS and not the authenticated user in asp.net identity.
Test Environment
I use a standard html file for testing instead of trying to load a script as this would also be loaded outside of the MVC pipeline.
In Visual Studio 2015.
New default .net 4.6.2 web project
MVC template
Authentication = Individual User Accounts
IIS 8 (for testing outside Visual Studio)
Authentication -> Anonymous Authentication (enabled)
Add to web.config
<configuration>
...
<location path="Data">
<system.webServer>
<security>
<authorization>
<clear/>
<add accessType="Deny" users="*"/>
<add accessType="Allow" users="?"/>
</authorization>
</security>
</system.webServer>
</location>
...
</configuration>
Add to folder structure
/Data/Protected.html // this file just has some basic Hello World content to display so you can see if it is loaded or not.
Observed Results
With this configuration everything in the Data path is always denied, it does not matter if the user is authenticated or not.
The same is true if I switch the 2 lines for Deny and Allow in the web.config.
If I completely remove the line with Deny then access is always allowed even when the user is not authenticated.
If I add a role and use roles with the role name instead of users attribute the role is also completely ignored.
Now What?
What am I missing? How can I get the Url Authorization module to work with MVC/WebAPI and ASP.NET Identity Individual user accounts or is this simply not doable?
I am open to alternative ideas as well, maybe the answer is to write a custom HttpModule or HttpHandler?
Side notes
Why & Specifics
These resources are javascript files, in short only a portion of the scripts should be available to unauthenticated users. There are 2 directories in the root, one for the authenticated part of the app and one for the non-authenticated part of the app. The reason for this has nothing to do with user authorization or security in the application, it is to limit the exposed surface area of the application to non-authenticated requests.
[TL;DR;]
Go to "Complete root web.config" section to see the needed web.config setup.
Test this in incognito-mode to prevent browser caching issues!
And use Ctrl+F5 because scripts and html files get cached.
First deny access to all anonymous users in the root web.config.
<authorization>
<deny users="?"/>
</authorization>
The web.config here allows one folder to be publicly accessible. This folder, in my example here, is called css and sits in the root of the MVC application. For the css folder I add the following authorization to the root web.config:
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
You can add more of these location paths if you want more public folders.
While all other files will not be accessible until the user logs in, the css folder and its contents will always be accessible.
I have also added a static file handler to the root web.config, This is critical as you want the request to be managed by the asp.net pipeline for the specific file type(s):
<handlers>
<add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
</handlers>
Complete root web.config
<system.web>
<authentication mode="None" />
<authorization>
<deny users="?"/>
</authorization>
<compilation debug="true" targetFramework="4.6.2" />
<httpRuntime targetFramework="4.6.2" />
</system.web>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
<handlers>
<add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
</handlers>
</system.webServer>
ASP.NET by default will only apply the allow and deny rules to files handled by the managed handler. Static files are not managed by the managed handler.
You could also set: (Don't do this, if not really needed!)
<modules runAllManagedModulesForAllRequests="true">
With runAllManagedModulesForAllRequests="true" all the HTTP modules will run on every request, not just managed requests (e.g. .aspx, ashx). This means modules will run on every .jpg ,.gif ,.css ,.html, .pdf, ... request.
One important thing
You don't have to add the UrlAuthorizationModule to the modules section as it is already part of the ASP.NET pipeline. This means, it will run only for managed files, not static!
If you now remove and then re-add the UrlAuthorizationModule to the modules section, it will run under precondition "integratedMode" and not under "managedHandler" anymore! And will therefore have access to static files.
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
If you set the precondition to managed:
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />, then the UrlAuthorizationModule will not restrict access to static files anymore.
You can test this by accessing a script file in the scripts folder successfully while being logged out. Hit Ctrl+F5 to make sure you get a fresh copy of the script file.
Difference between ASP.NET UrlAuthorization <--> IIS URL Authorization
It is important to keep in mind that the managedHandler precondition
is on the ASP.NET UrlAuthorization module. The precondition tells you
that the URL authorization module is invoked only when the code that
handles the request is mapped to managed code, typically an .aspx or
.asmx page. IIS URL Authorization, on the other hand, applies to all
content. You can remove the managedHandler precondition from the
ASP.NET Url Authorization module. It is there to prevent a performance
penality you have to pay when every request (such as a request to
.html or .jpg pages) would have to go through managed code.
P.S.: Some web.config attributes are case sensitive!

Trying to block access to file

Ok, I have an asp.net application and inside this application, I have a folder with excel files. These excel files contain protected information, and should not be publicly viewable. I'm trying to make it so that someone could not type in the hyperlink of one of the files and view the data.I have a web.config file inside the directory that I am concerned about. It reads
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
but it doesn't work, and the files are still accessable. How would I accomplish this?
I'm also not using ASP.NET Membership roles in my application, and I just want to allow access to the files once someone is authenticated. How would I allow them access?
I'm hosting this on IIS 8.
Well, it looks like I should have just researched a little longer. Adding:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
To my application's main Web.Config seems to have done it.

ASP.NET Roles and Membership

I am quite new to ASP.NET technologies
<configuration>
<system.web>
<authorization>
<allow roles="Agency,Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have the above web.config for a folder, there is a requirement to give an elevated priviledge to some users in Agency role to access a page called AddOrganisation.aspx.
To solve this, I think I can add the following markup to the web.config but this will be static
<location path="AddOrganization.aspx">
<system.web>
<authorization>
<allow users="wale, etc, etc"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
How can I enable adding users programmatically instead of updating the web.config for each change?
I will be grateful for your responses. Thank you
You should not make changes the web config at runtime, this will restart your application, every time you add a user. MSDN says this
Configuration Changes Cause a Restart of the Application Domain
Changes to configuration settings in Web.config files indirectly cause
the application domain to restart. This behavior occurs by design. You
can optionally use the configSource attribute to reference external
configuration files that do not cause a restart when a change is made.
For more information, see configSource in General Attributes Inherited
by Section Elements.
Instead you should give those users a different role, so that only those users can access the
"AddOrganisation.aspx" page.
Or else you can also do another thing if you dont want to create another role for these users. You keep on adding these users to a table and whenever a request is made to the page you can check if the users name is present in the table or not and then allow/deny the user.

Blocking static content in MVC 3

What's the best way to prevent users from downloading specific files in my Content directory?
Should I add a Web.config to /Content, like I already have in /Views?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<httpHandlers>
<add path="SecretFolder/*" verb="*" type="System.Web.HttpNotFoundHandler" />
<add path="SecretFile.pdf" verb="*" type="System.Web.HttpNotFoundHandler" />
</httpHandlers>
</system.web>
</configuration>
Or should I create a custom routing rule?
Or is there an even better way?
This is exactly what the <authorization> element is for in web.config. This will give you granular control over what users can see which files. You can provide as little or much control as you need.
<location path="SecretFolder">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
However, this assumes that you are implementing ASP.NET authorization using IPrincipal, which I would recommend if you need this sort of control over your content.
Basically exactly as you have above - AS LONG as you don't have another route that would get to this via a controller. Judging from the file types and structure this doesn't seem to be the case (a concern is that you have two routes going to the same file - and using the authorization elements in a web.config is recommended against in MVC specifically for this reason)
You want to use exactly what is already used by MVC.
See the integration of "HttpNotFoundHandler" into your web.config at (I know.. you already have it) :
http://completedevelopment.blogspot.com/2011/06/using-views-outside-of-views-or-other.html
This is how content inside of your /Views folder is already blocked - so this is already 'mvc-ish'

Forms authentication for xml files

I was wondering if you could protect xml files through forms authentication in ASP.NET 3.5.
I have some licensekeys that are found online, but you shouldn't be able to download them unless you are logged on.
For aspx pages this works automatically but not for xml files.
Place the xml files in a certain folder, add web.config to this folder containing:
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<allow roles="admin"/>
</authorization>
</system.web>
</configuration>
Change the '?' (which means anonymous users - i.e. not logged in users) to '*' in order to deny all users (the server will have access [e.g. via Server.MapPath etc.]).
Respectively you can play with the roles or remove this line.
Also, consider that in the web.config file you can deny and allow specific extensions as follows:
<system.web>
<httpHandlers>
<remove verb="*" path="*.xml" />
<!--or-->
<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
</system.web>
Please don't rely on this last snippet till you make sure what are your needs.
You can find out more on Http Handlers, or take a look at How to: Register HTTP Handlers.
I also noticed someone asked a similar question here, you may find it helpful.
Hope you to find your quickly find your solution, good luck!

Resources