asp.net: prevent files from bots - asp.net

Application uses Forms authentication and has folders with excel files. Need to prevent
unauthorized, automated scripts or bots from accessing these folders. What would be best option to prevent this?
1. Have the authorization node of the lockElements attribute value set in the Web.config file.
2. Have a element added to the element in the Web.config file.
3. Use (CAPTCHA) image control on each page of the application.
4. Use Robots.txt file implemented in the root directory of the application.
5. Have the Excel files mapped to the ASP.NET ISAPI filter.
Or are there better options? HttpModules?

You could protect the excel files by writing a custom httpmodule and validating that they are authed via the forms auth before giving them access to the file.
In addition I would use the robots.txt file as well to exclude them. Those that follow the rules will stop looking at that point. The rest will be taken care of with the custom httpmodule.

The most secure solution would be to store your files outside of the web-tree and then serve them up via a HttpHandler. The simplest handler to create in ASP.NET would be an .ashx Handler as outlined in this blog post.
Your handler would then check the user request to ensure the user is authenticated and then stream the file back. In simplified pseudo-C# code this would be something like:
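    public void ProcessRequest(HttpContext context)
    {
        string file = context.Request["file"];
        // Stream the file only to authenticated (Forms auth) users.
        if (context.User.Identity.IsAuthenticated)
        {
            OutputFile(file, context);
        }
    }

    private void OutputFile(string file, HttpContext context)
    {
        // LoadFileFromSecureDirectory is a placeholder: it must resolve the name inside
        // the directory outside the web tree and reject path separators and "..".
        byte[] fileContent = LoadFileFromSecureDirectory(file);
        context.Response.BinaryWrite(fileContent);
    }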

Map the Excel files to the ASP.NET ISAPI filter and add a <deny> element to the <authorization> element in web.config.

Related

Not able to access session in Httpmodule for static resources like css /js/ image files

I have created a HTTPModule. Session information is retrieved using PreRequestHandlerExecute. It is working well for aspx pages. But while loading css/js or any image files, Session is null.
I have gone through the link ASP.NET CSS file not loaded when adding HttpModule to web.config
But could not get the implementation.
Anyone has any idea about this?
I think you'll find that your static files are being handled by the StaticFileHandler and as such wouldn't fire off session events as the session won't be being activated for efficiency purposes.
You could configure IIS to pass static files through a different handler (the PageHandler for example) but really you'd need to know if that was required first. You haven't described why you want sessions to be available for static files.

Configure IIS7 to serve static content through ASP.NET Runtime

I searched high and low and still cannot find a definite answer.
How do I configure IIS 7.0 or a Web Application in IIS so that ASP.NET Runtime will handle all requests -- including ones to static files like *.js, *.gif, etc?
What I'm trying to do is as follows.
We have kind of SaaSy site, which we can "brand" for every customer. "Branding" means developing a custom master page and using a bunch of *.css and other images.
Quite naturally, I'm using VirtualPathProvider, which operates like this:
    public override System.Web.Hosting.VirtualFile GetFile(string virtualPath)
    {
        if (PhysicalFileExists(virtualPath))
        {
            var virtualFile = base.GetFile(virtualPath);
            return virtualFile;
        }
        if (VirtualFileExists(virtualPath))
        {
            var brandedVirtualPath = GetBrandedVirtualPath(virtualPath);
            var absolutePath = HttpContext.Current.Server.MapPath(brandedVirtualPath);
            Trace.WriteLine(string.Format("Serving '{0}' from '{1}'",
                brandedVirtualPath, absolutePath), "BrandingAwareVirtualPathProvider");
            var virtualFile = new VirtualFile(brandedVirtualPath, absolutePath);
            return virtualFile;
        }
        return null;
    }
The basic idea is as follows: we have a branding folder inside our webapp, which in turn contains folders for each "brand", with "brand" being equal to host name. That is, requests to http://foo.example.com/ should use static files from branding/foo_example_com, whereas http://bar.example.com/ should use content from branding/bar_example_com.
Now what I want IIS to do is to forward all requests to static files to StaticFileHandler, which would then use this whole "infrastructure" and serve correct files. However, try as I might, I cannot configure IIS to do this.
IIS7 already does that if the application pool's Managed Pipeline Mode is set to Integrated, which is the default. In Integrated mode, ASP.NET handles all requests including those for static objects.
If you have to leave your application pool in Classic Mode then you need to use the same techniques you would use in IIS 6 to explicitly create handlers for the various static extensions.
Additional Information Based on Comments: I think your missing piece is creating an HttpHandler to handle the other extensions (.js, .css, etc.). Without this, ASP.NET will use the default handling for these types of files. You would create a reference to your handler in your web.config. This article is an example of creating an HttpHandler for static files.
Kudos to everyone, but the problem was in totally different space.
VirtualPathProvider cannot be used in a pre-compiled web site. I'm furious.

Flash XML config file problems with asp.net MVC

I'm creating an asp.net MVC app, first time I've done this. I have a flash component I need to use in a view. I have included the SWF files etc in the Contents folder and referenced it from my view, the flash file loads when you get to the view, great.
The problem occurs because the flash file references an XML file for its configuration data, and I'm getting an error accessing that XML file. I'm guessing this is because flash is looking for a relative path and is using the URL for the page, which is obviously an MVC url and so does not refer to an actual location on disk, so the XML file is not there.
I guess the obvious answer is to alter the flash file to look in the contents folder for the XML file, but that means re-compiling the flash, and I know very little about flash so I'd like to avoid doing that. So is there any way to get the XML file to show up in the same URL as the view, so at the moment, the page with the flash component on is located at http://localhost/upload/ so I guess the XML file needs to be accessible from http://localhost/upload/flash-settings.xml?
If there's any other better way to do this, without editing the flash file, I'm open to that too.
Add this Action to the FlashUpload Controller:
    public class FlashUploadController : Controller
    {
        [AcceptVerbs(HttpVerbs.Get)]
        public ActionResult FlashSettings()
        {
            var fileName = Server.MapPath("~/Contents/flash-settings.xml");
            return new FilePathResult(fileName, "text/xml");
        }
    }
And this route to the RouteTable:
    routes.MapRoute("FlashSettings", "upload/flash-settings.xml",
        new { Controller = "FlashUpload", Action = "FlashSettings" });
You'll need to either set the routing mechanism to allow for direct file access to the /upload/ folder, or create a Controller Action which will return an XML stream (dynamic or the one read from the physical XML file), and point your SWF to that Route. I'd go with the second option, as it is much more flexible.

protecting files with asp.net (mvc)

I want to protect the files in a specific directory so that people cannot link to them - but I still need my program to be capable of rendering them, so password protecting the actual folder won't work. Is there any way to facilitate this in ASP.NET MVC? Obviously it's more about ASP.NET, not MVC - but I can't make use of things like Session State and Postback and such...
You could put that directory outside of the web app's root directory (so that it can't be accessed using some copied URL) or into a directory where you deny any read access using a web.config file.
Then access the files through an action which requires the current user to be authorized, e.g:
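    public class FileController : Controller
    {
        // _rootPath: the protected directory outside the web root (defined elsewhere).
        [Authorize]
        public ActionResult Get(string file)
        {
            // Path.GetFileName drops any directory part, so "..\" cannot leave _rootPath.
            string path = Path.Combine(_rootPath, Path.GetFileName(file));
            return File(path, "application/octet-stream");
        }
    }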
Then you can access the files through an action URL, e.g. http://server/app/File/Get/test.txt.
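The .ashx handler answer earlier on this page and the MVC action above both turn a user-supplied name into a path on disk, so the authentication check needs a containment check beside it. The following is an added example, not code from any of the posts; the class name, the `D:\AppData\Reports\` directory and the extension list are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Web;
// Added example. DownloadHandler, Root and Allowed are hypothetical names/values.
public class DownloadHandler : IHttpHandler
{
    // Constructed sample path: a directory outside the web tree.
    private static readonly string Root = Path.GetFullPath(@"D:\AppData\Reports\");
    private static readonly string[] Allowed = { ".xls", ".xlsx" };
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already populated context.User.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        string fullPath;
        if (!TryResolve(context.Request.QueryString["file"], out fullPath))
        {
            // Same answer for "missing" and "not allowed", so names cannot be probed.
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // True only if the name resolves to an existing, allowed file inside Root.
    public static bool TryResolve(string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested)) return false;
        // Rejects '\', '/', ':' and control characters, so only a bare file name passes.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        string ext = Path.GetExtension(requested).ToLowerInvariant();
        if (Array.IndexOf(Allowed, ext) < 0) return false;
        // Canonicalise, then confirm the result is still under Root.
        string candidate = Path.GetFullPath(Path.Combine(Root, requested));
        if (!candidate.StartsWith(Root, StringComparison.OrdinalIgnoreCase)) return false;
        if (!File.Exists(candidate)) return false;
        fullPath = candidate;
        return true;
    }
}
```

`TryResolve` has no dependency on `HttpContext`, so the same method can be called from the MVC `Get` action before it returns `File(...)`.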

asp.net site default document in subfolder

My default document is in a subfolder, not in the root. How can I make it the default in an asp.net 2.0 website?
Tried setting the IIS7 default document to '/pages/default.aspx' and '~/pages/default.aspx', but it didn't work.
Default document is not the same as start page. Default document means if I requested mysite.com/somefolder and didn't specify a file, which file should IIS display.
If you want to use a specific page as your home page, create a Default.aspx file and write this in its codebehind class:
    public override void ProcessRequest(HttpContext context) {
        context.Response.Redirect("pages/default.aspx", true);
    }
As the client might have disabled Javascript, a server side approach would be more reliable. However it's best to issue a permanent redirect instead of a simple Response.Redirect. Also doing it using JS will be bad from a SEO point of view.
You don't need to create a dummy Default.aspx page.
In your Global.asax.cs file, write the following:
    public void Application_Start(object sender, EventArgs e)
    {
        var routeCollection = RouteTable.Routes;
        routeCollection.MapPageRoute("DefaultRoute", string.Empty, "~/YourDesiredSubFolder/YourDesiredDocument.aspx");
    }
Explanation:
Application_Start code is guaranteed to run once and only once on the application start.
The first line of code gets a collection of the URL routes for your application.
The second line of code defines a new route pointing to your inner page in the subfolder that you wish.
The second argument is empty to indicate that this route is used when no specific page is requested and no default document exists.
Default documents are a subfolder-specific thing - what you're trying to do won't (directly) work. Set up a default.htm file in the root, and have it refresh to your real "home page".
The better question you should be asking is how on Earth your homepage got out of the root directory.
In theory you could have a Web.config file inside the directory and use the defaultDocument element to set the default document. See here: https://stackoverflow.com/a/2012079/125938.
Unfortunately I haven't been able to get it to work myself locally, but that might be because it isn't supported in the Visual Studio development server.
Say "index.html" is the default page you want and it is present in "Public" subfolder.
Instead of specifying "/Public/index.html" as the default site, try "Public/index.html"
