I am working on an old Classic ASP website and there is a directory that contents a handful of PDF documents. Is there a way to stop a user from accessing said pdf documents via a direct link (www.example.com/example.pdf) until they login? If so, how would I go about it?
Does ASP have the build in Membership provider which controls access with a couple lines in a web.config in that directory
http://msdn.microsoft.com/en-us/library/yh26yfzy%28v=vs.80%29.aspx
The following article from Microsft explains how to protect access to certain pages using classic ASP.
How To Use Simple ASP Code to Password Protect Your ASP Pages
Here are a couple of additional links, that are both for ASP.NET, but perhaps you can use the same ideas in classic ASP.
Thread: How do I password protect a sub folder of my website, to deny anonymous access?
Here's a similar article: Protecting Folders with Forms Authentication
I presume your web site already have a login infrastructure.
If not you should add it as first thing | http://www.evolt.org/node/28652.
Then create page and put it in the place of the resource you want to protect. E.g. replace http://youwebsite.com/dir1/dir2/file.pdf with http://yourwebsite.com/dir1/dir2/getfilepdf.asp.
In your new script check if the user have done log on, if not send it back to log on page.
If the user is correctly authenticated, read the file and return it to browser with Response.BinaryWrite.
The web is full of samples. Read this | http://support.microsoft.com/kb/307603.
Password protection on the page listing your documents will not prevent direct access to the documents. For example if your documents are listed by folder view or are linked from any web page then every search engine and spider on the planet already knows the document's location in your site. So here's what you can do...
Start by moving the document folder to below root level, then use FileSystemObject to deliver the document. For documents over 2-4 Mb you should deliver them in "chunks".
Now you can add a condition to your download script to verify the user's log-in status or redirect to log-in. Your comment link will now look something like:
http://somesite.com/load-pdf.asp?id=mydocuent.pdf
If you were providing a list of documents by folder view you can still do that using FileSystemObject.
Related
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I currently have a asp.net site that allows users to upload files and subsequently view them using HTTP. Is there a simple way to prevent a user from uploading a malicious script/file onto my server then attempting to run that script by calling its directory via http?
You have to remove the ASP script mapping on that particular folder.
Read the complete answer by Steve Schofield here.
I'm using forms authentication in my C# based web site, with the authentication defined in web.config files in the various folders/sub-folders. I want to write a generic administration menu system, that lists all of the admin pages that the use is authorized to open. As I add pages, I want them to automatically show up in the menu. So...
I need to obtain a list/collection of all pages that the active user is authorized to open. Is this possible in ASP.Net 3.5?
I assume that ASP.Net has an internal collection of pages somewhere, together with their required roles (as it must check somewhere when you attempt to open a page)?
I would suggest looking into using a sitemap (in ASP.Net, web.SiteMap). Then you can use the SiteMap as a datasource (as well as define roles, etc for each page).
You assume incorrectly... There is no internal listing of these pages, only the file system. Access is checked on a file-by-file basis when ASP.NET attempts to open the page.
To do what you're looking for, you'll have to code it up yourself using System.IO and getting the authorization settings from web.config.
I have a Web solution which different users from different companies logs on to the same web site, they authenticate against AD.
I use RadControls, and their upload component.
I want to be able to make the users upload documents to their folder on the server. I have granted users which belongs to a particular company full access to the corresponding folder. But I get a access permission error when trying to upload.
What is best practice for something like this?
I use IIS7, and ASP.Net 3.5
Paddy probably hit the nail on the head... but if you look at the Event Viewer entry for this exception, you can probably see what user's credentials ASP.NET is actually using to write the file.
BTW... in terms of best practice... You're on the right track. You didn't mention where this directory is located, but it should be OUTSIDE your web root. Other than that, it's all implementation details... like what do you do for name collisions?
I have a system that allows the users to download some files, the user needs to login first and then he is autorized or not to download. The download page is Download.aspx?FileId=42 and the code within this page opens the file and keeps sending small chunks to the user. We made this because we needed to guarantee that only authorized users could download.
We recently moved this system to IIS7 and it is working properly, but I don't like the idea of having a custom c# code sending the chunks to the client, so I would like to know if there is a way of when a request to file.zip is made, a custom code is executed to authorize or not, and if it is authorized, I just tell IIS7 to proceed the download instead of running the code inside Download.aspx.
Is this possible?
Thanks!
Do a redirect to the zip file. Hide the zip file in a obscure location with non-regular naming. "Security through obscurity."
IIS7 has authorization that uses Forms or Windows authentication for all file types - if it's running in integrated pipeline mode. The syntax is just like that for ASP.NET applications, but it's in a different place in web.config, <system.web>. The rules can also be added using the IIS7 admin interface. There are a couple of differences, IIS7 URL authorization evaluates rules from the parent down and deny rules take precedence.