I need to set the authentication method of my ashx files to Basic Authentication. I set the application's authentication method to Basic Authentication. All files in the application ask for a user name and password except ashx files.
I read a lot on Google and Stack Overflow but found no proper answer that works. How can I add .ashx files to the list?
Thanks in advance
telmessos
Related
I have some code in App_Code that I want to expose via standard ASP pages/Forms authentication, as well as Web Services/Basic Authentication. Currently the folder layout is something like
MySite
MyPage.aspx
App_Code
-> Mycode.cs
Services
-> MyWebService.asmx
I understand that if I want Basic authentication for the web service, and forms for the normal pages, I need to convert the "Services" directory to an application in IIS. But once that's done, how do I add a reference to the Web Service back to all the code in the root App_Code folder? (Without it, I just get missing reference errors when connecting to the asmx page.)
The only way that I've found to get this to work is to copy the App_Code & bin directories into the Services application. However, that causes problems for my app, and seems like a big hack to be honest.
I've decided to go a different route and write a single custom authentication module that combines Forms authentication and Basic authentication. That way I don't need to split the application, and I can have fine-grained control over which pages/directories I want to accept Basic, and which I want to accept Forms.
More info here: Combining Forms Authentication and Basic Authentication
My question is: can I check the session before allowing a user to view a file, e.g.:
http://www.somedomain/pdf/dummy.pdf
When the user clicks on this URL I want to check whether the session is valid or not. If the session is valid, allow the user to view/download the file; otherwise take the user to the Login page.
Thanks.
You can write an HttpHandler and set it to process *.pdf files. The IHttpHandler.ProcessRequest method has access to HttpContext, so you can access session information and do pretty much all you want...
How to set up a handler for PDF files depends on the IIS version, but here's an example of doing it via the Web.config file for IIS 7 in integrated mode. For versions prior to 7, a Web.config file change is not enough; you also have to use IIS Manager to map the extension to Aspnet_isapi.dll. Look here and here for details.
Your question is a bit vague. Maybe you don't want to access HttpSessionState, and instead you just want to use standard ASP.NET URL authentication on static files (such as PDF)? If so, search for "ASP.NET authorization for static files"; this is quite a popular topic.
This is what I wanted to do. Thanks to: #skhurams
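The handler approach described in the answer above, sketched as an added example that is not part of the original post. The class name, the Session["UserId"] key, the ~/Login.aspx page and the ~/App_Data/pdf store are assumptions; the class is assumed to live in App_Code.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Registration for IIS 7 integrated mode (web.config), as the answer describes:
//   <system.webServer><handlers>
//     <add name="ProtectedPdf" path="*.pdf" verb="GET" type="ProtectedPdfHandler" />
//   </handlers></system.webServer>
// Without IRequiresSessionState, context.Session is null inside a handler.
public class ProtectedPdfHandler : IHttpHandler, IRequiresSessionState
{
    // Assumption: PDFs are kept under App_Data, which ASP.NET never serves directly.
    private const string StoreVirtualDir = "~/App_Data/pdf";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumption: the site's login code sets Session["UserId"] on success.
        if (context.Session == null || context.Session["UserId"] == null)
        {
            string login = VirtualPathUtility.ToAbsolute("~/Login.aspx");
            string returnUrl = HttpUtility.UrlEncode(context.Request.RawUrl);
            context.Response.Redirect(login + "?ReturnUrl=" + returnUrl, false);
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Keep only the final path segment so "../" cannot escape the store.
        string name = Path.GetFileName(context.Request.Path);
        string full = Path.Combine(context.Server.MapPath(StoreVirtualDir), name);

        if (!name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(full);
    }
}
```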
http://www.mikesdotnetting.com/Article/122/Simple-File-Download-Protection-with-ASP.NET
If I have a url as part of my website that points to a document:
https://test.abc.com/admin/reports/company.pdf
is there any way to prevent someone from just going to that URL if they are not logged/authenticated into our site?
The site has its own login username/password mechanism that was implemented where users log in.
Alas, sorry. IIS 5.0 under Windows 2003
IIS will not protect a .pdf. What you have to do is register the .pdf extension with a .ashx that serves the file. The .ashx will require authentication and then regular .NET authentication can kick in.
This post describes how to do it in detail.
http://www.devx.com/codemag/Article/34535/1954
I have an ASP.NET project which does some file access and manipulation; the methods which I use for file access are below. Now I need to access files in a shared folder on another server. How do I do that? I can easily change the file path to the shared folder path, but I get a "can't access" error because the shares are password protected.
As I understand it, I need to somehow send credentials to the remote server before executing the methods below. How do I do that?
new FileStream(@"c:\MyProj\file.doc", FileMode.OpenOrCreate, FileAccess.Write);
Context.Response.TransmitFile(@"c:\MyProj\file.doc");
Regards,
Tomas
An ASP.NET application (by default) will execute in IIS6 under the "ASPNET" computer account. You therefore have a couple of options:
Configure your ASPNET application to run under a (weak) domain account with permissions to access the remote computer's share
Set the permissions on the share to enable access to "Everybody" (not recommended)
Disable Forms authentication and use Windows authentication in your ASP.NET app. Turn off impersonation in web.config and IIS should pass the credentials of the user who is currently using your web application through to the underlying share (I think).
The latter option is only useful, of course, if your users all have domain accounts on your intranet, for instance. I'll continue to look around for ways to add credentials but I'm not sure off the top of my head if that's possible.
HTH,
Richard.
I have a system that allows the users to download some files. The user needs to log in first and then he is authorized or not to download. The download page is Download.aspx?FileId=42 and the code within this page opens the file and keeps sending small chunks to the user. We made this because we needed to guarantee that only authorized users could download.
We recently moved this system to IIS7 and it is working properly, but I don't like the idea of having custom C# code sending the chunks to the client, so I would like to know if there is a way that, when a request to file.zip is made, custom code is executed to authorize it or not, and if it is authorized, I just tell IIS7 to proceed with the download instead of running the code inside Download.aspx.
Is this possible?
Thanks!
Do a redirect to the zip file. Hide the zip file in an obscure location with non-regular naming. "Security through obscurity."
IIS7 has authorization that uses Forms or Windows authentication for all file types, if it's running in integrated pipeline mode. The syntax is just like that for ASP.NET applications, but it's in a different place in web.config, <system.web>. The rules can also be added using the IIS7 admin interface. There are a couple of differences: IIS7 URL authorization evaluates rules from the parent down, and deny rules take precedence.