I have a small query. I wrote a Flex Application with PHP remoting using ZendAMF. i also made and auth system. User provides credentials and i pass them to my gateway where i have a service registered to query a SQL db and verify if the user is registered or not. Thats working perfectly. In my application i am loading MRTG graphs (PNG Files) into Image component. The GRAPHS are inside my Document Root. They are also loading well. Problem is if i type the URL path to the png file i can see it directly without any authentication. to cater that i added htaccess file to MRTG folder inside my document root. Know when i view the images inside my Flex App it asks for HTTP username and password. which i dont want.
In simple words . MRTG PNG's are inside my document root
Can i move them out of document root and still have my Flex App access them ( i tried and failed with that)
I just want the user to be able to view MRTG pngs and not directly from URL.
If you are using ZendAMF, why don't you just create a service method on your service that provides you with those images?
That way you have full control over what happens.
For example you could send them through as a byte array or a base64 encoded string, making it a lot harder to define where the image is actually stored on server disk.
Cheers
Related
Here's what I would like to accomplish:
I have a file stored in Windows Azure Blob Storage (or for that matter any file which is not on my web server but accessible via a URL).
I want to force download a file without actually downloading the file on my web server first i.e. browser should automatically fetch the file from this external URL and prompts the user to download it.
Possible Solutions Explored:
Here's what I have explored so far (and why they won't work):
Using something like FileContentResult as described here Returning a file to View/Download in ASP.NET MVC to download the file. This solution would require me to fetch the contents on my server and then stream from my server to the browser. For this reason this solution won't work.
Using HTML 5 download attribute: HTML 5 download attribute would have worked perfectly fine however the problem is that while it is really a very neat solution, it is not supported in all browsers.
Changing the file's content type: Another thing I could do (at least for the files that I own) to change the content type property of the file to something that the browser wouldn't understand and thus would be forced to download the file. This might work in some browsers however not in all as IE is smart enough to go beyond the content type and sees the file's content to determine the content type. Furthermore if I don't own the files, then I won't have access to changing the content type of the file.
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file.
Is this something which can be accomplished? If yes, then any ideas how I could accomplish this?
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file [without exposing the URL of the file to the client].
You can't. If the final URL is to remain hidden, your server must serve the data, so your server must download the file from the URL.
Your client can't download a file it can't get the URL to.
You can create file transfer WCF service (REST) which will stream your content from blob storage or from other sources through your file managers to client browser directly by URL.
https://{service}/FileTransfer/DownloadFile/{id, synonym, filename etc}
Blob path won't be exposed, web application will be free from file transfer issues.
I have build a Silverlight 5 application that allows users to drag and drop an item onto a selected area and upload them to a particular URL. Its an HTML page that references the xap file (that contains the Silverlight code) inside a div through the object tag. The purpose is that when the user drags an element into that div, the element should be uploaded to the server specified.
The problem is that for uploading the dragged item, I need to call FileInfo's getFullName() method and it requires the user to be trusted. Since the Silverlight application will run inside the div of the HTML page, I am assuming that its a case of in-browser access, and according to this article, it would require a change in the end user's IE settings. Asking the user to change his registry keys for uploading files is obviously not an option.
Is there any way out of the situation (that is, if I have understood the situation correctly) ?
You don't need to call FileInfo.getFullName() to be able to upload the file to the server. Instead, you call the FileInfo.OpenRead() method, which returns a stream that reads the file's data.
An example of using drag-and-drop with user-supplied files can be found here.
I'm working on an ASP.NET web application for our corporate intranet users. I have a form where a user should provide a path to the file on the local network (something like "\localServer\someFolder\someFile.ext") without uploading the actual file. The issue is that users don't want to type the whole file path and want to use some kind of visual browse dialog.
The standard HTML <input type=file> element allows to browse for a file, but most of the browsers (except for IE) don't allow to access file's full path, so I think it should be done by some external component like Silverlight, Flash, Java applet etc.
I tried to do it with Silverlight, but I'm getting a SecurityException when trying to access file's full path using Silverlight's OpenFileDialog class.
This java applet http://jumploader.com/demo_images.html seems to do something similar to what I'm looking for, but it's focused on uploading files - I only need to be able to get file's full path and pass it to the server as a string.
Any suggestions would be appreciated.
Telerik ASP.NET AJAX RadFileExplorer has the functionality you're looking for:
http://www.telerik.com/products/aspnet-ajax/fileexplorer.aspx
You can use their Custom File Content Provider to hook the GUI to your server's file system.
http://demos.telerik.com/aspnet-ajax/fileexplorer/examples/server-sideapi/dbfilebrowsercontentprovider/defaultcs.aspx
This should be possible with Flash's uploading capabilities. SWFUpload has an API that you may be able to access from JavaScript to extract the selected file name without actually uploading anything. See docs here, for example getFile():
getFile is used to retrieve a File Object from the queue. The file retrieved by passing in a file id (the id property from a file object) or a file index (the index property from a file object).
I've got an HTTP service I defined in Flash Builder, via the "Data Services" tab. I've got an absolute URL in there right now.
What I really want is to not define a path that includes a domain name at all--I want the service to simply call an absolute path that's on the same domain as whatever domain the SWF was served from... can I do that? When I got rid of the base URL and then gave an absolute URL path (e.g., /roster/deleteMember), Flex Builder complained that "File does not exist." Well, of course it doesn't exist, it isn't a file, it's a URL to a service call--there is no corresponding file on the filesystem.
Can anyone advise me how to do that? If I change the domain name, it wipes out all the parameter definitions for the methods, so I have to go back to each method and setup the parameters again. Rather a headache.
Now, I would have thought this would work. from the adobe documentation:
The configuration files sometimes contain special {server.name} and {server.port} tokens. These tokens are replaced with server name and port values based on the URL from which the SWF file is served when it is accessed through a web browser from a web server. Similarly, a special {context.root} token is replaced with the actual context root of a web application.
So, if you specify the endpoint as
http://{server.name}:{server.port}/{context.root}, then
automatically on runtime, the variables are set by the flashplayer depending on where you've been downloaded the application.
Sounds great... but it's not working for me. I can't even set those values in the Flash Builder Data Services tool. Here's a recording of what I'm getting.
http://screencast.com/t/MTk0NzNiYzY
I'm not sure it's possible from the DS window.
If you were doing it in code, you could use Application.application.url to get where the swf had been loaded from.
What would be the best method to implement the following scenario:
The web site calls for a image gallery that has both private and public images to be stored. I've heard that you can either store them in a file hierarchy or a database. In a file hierarchy setup how would prevent direct access to the image. In a database setup access to the images would only be possible via the web page view. What would be a effective solution to pursue?
[Edit] Thanks all for the responses. I decided that the database route is the best option for this application since I do not have direct access to the server. Confined to a webroot folder. All the responses were most appreciated.
Having used both methods I'd say go with the database. If you store them on the filestore and they need protecting then you'd have to store them outside the web-root and then use a handler (like John mentions) to retrieve them, anyway. It's as easy to write a handler to stream them direct from database and you get a few advantages:
With database you don't need to worry about filestore permissions or generating unique filenames or folder hierarchies etc.
With database you can easily apply permissions and protection directly - no trying to work out who can view what based on paths etc.
With a database you can store the image and metadata all together - when you delete the metadata you delete the image - no possibility of orphaned records where you delete from database but not from filestore
Easier to back-up database and images and then restore
The disadvantage is that of performance, but you can use caching etc. to help with that. You can also use FILESTREAM storeage in SQL Server 2008 (and 05?) which means you get filesystem performance but via the DB:
"FILESTREAM integrates the SQL Server
Database Engine with an NTFS file
system by storing varbinary(max)
binary large object (BLOB) data as
files on the file system. Transact-SQL
statements can insert, update, query,
search, and back up FILESTREAM data.
Win32 file system interfaces provide
streaming access to the data.
FILESTREAM uses the NT system cache
for caching file data. This helps
reduce any effect that FILESTREAM data
might have on Database Engine
performance. The SQL Server buffer
pool is not used; therefore, this
memory is available for query
processing."
Using file hierarchy, you can put the files out of the website file folder, for example, suppose the web folder is c:/inetpub/wwwroot/somesite, put the file under c:/images/, so that the web users won't be able to access the image files. but you cannot use the direct link in your website neither, you need to create some procedure to read the file, return the stream.
personally I think it's better to put the file in the database, still create some procedure to retrieve the binary image data and return to wherever it needed.
In reality both scenarios are very similar, so it's up to you... Databases weren't designed to serve files, but if the size isn't really a concern for you, I don't see a problem with doing it.
To answer your question about direct access, you'd setup the file images the same way you would for the database: You'd use some sort of page (probably a .ashx handler) that serves the images, allowing you a layer of logic between the user and image to determine whether or not they should have access to it. The actual directory the images are located in would then need to either a) not be part of the directory structure in IIS or b) if it is part of IIS, only allow windows authenticated access, and only allow the account the application process is running under access to the directory.
If you're using IIS7, since .net jumps in the pipeline early I believe you can protect jpg files as well, just by using a role manager and applying roles to file system folders. If you're using IIS6, I've done something similar to the answer by John, where I store the actual file outside of the wwwroot, and use a handler to decide if the user has the correct credentials to view the image.
I would avoid the database unless you have a strong reason to do this - and I don't think a photo gallery is one of them.
Neither. Amazon S3 offers a very simple API for accepting uploads. You can use SimpleDB or your SQL database to track the URLs and permissions. Set the entire S3 bucket to private, and authenticate to it using your AWS key on the ASP.NET server.
Very little code is required to upload to S3, and very little more would be required to perform bookeeping in SQL.
Once they're in S3, grab the image resizer library and the S3 Reader plugin and you can have your entire system running in under an hour. And - it will scale properly. No disk or database space limits. Ever.
You can implement authorization using the AuthorizeImage event of the Image Resizer library. Just throw an AccessDeniedException if access isn't allowed for the current user.
If you want to tune performance a bit mare, add both the DiskCache and CloudFront plugins. CloudFront can edge-cache the public images (inexpensively), and DiskCache will handle the private images, serving them at static-file speeds.