i have a folder in my asp.net app conatining doc files that can be accessed only (dowwload) by a certain type of connected users(admin account or permitted other accounts)
how can i do that?
any ideas?
thanks in advance.
The App_Data folder in .NET is protected, and therefore ideal for this very purpose. I normally put sensitive files in here then have a page "ViewDoc.aspx" that performs the security checks and then sends the file to the user (using Response.Write).
Put sensitive files outside of web site root, so they can not be accessed by URL.
After that, use this HttpHandler (written in VB.NET) to serve files:
Public NotInheritable Class FileHandler
Implements IHttpHandler
Public ReadOnly Property IsReusable() As Boolean Implements System.Web.IHttpHandler.IsReusable
Get
Return False
End Get
End Property
Public Sub ProcessRequest(ByVal context As System.Web.HttpContext) Implements System.Web.IHttpHandler.ProcessRequest
If Not String.IsNullOrEmpty(context.Request.QueryString("FileName")) Then
Dim fileName As String = context.Request.QueryString("FileName")
Try
Dim filesPath As String = "D:\TheFiles\"
Dim fileInfo As New IO.FileInfo(filesPath & fileName)
If fileInfo.Exists Then
Dim fileExt As String = fileInfo.Extension.Remove(0, 1).ToUpperInvariant
If fileExt = "JPG" Then
context.Response.ContentType = "image/jpeg"
Else
context.Response.ContentType = "image/" & fileExt
End If
context.Response.TransmitFile(fileInfo.FullName)
End If
Catch ex As Exception
End Try
End If
End Sub
End Class
and register this handler in your web.config like this:
<httpHandlers>
<add verb="*" path="secfile.axd" type="MyApp.FileHandler, MyApp" validate="false"/>
</httpHandlers>
use like this:
<a href="secfile.axd?pic=sample.jpg" />
Remember adding your file types to handler and change response.contenttype by type of your file.
Using a handler is not the only way, you can use context.Response.TransmitFile(fileInfo.FullName) in your aspx file.
A simple way to do this is to NOT put these documents inside a folder of your ASP.NET app and instead, put it somewhere else in the file system that can't be accessed directly from the browser. Then programmatically, you can serve the file to the user if s/he's authorized to do so.
Related
I'm trying to make a HTTPHandler that will authenticate certain static resources, PDF Files in this case.
I've added the following to my web.config:
<configuration>
<system.web>
<httpHandlers>
<clear />
<add path="*.pdf" verb="*" validate="true" type="AuthenticatedStaticResourceHandler" />
</httpHandlers>
</system.web>
</configuration>
Here's my HTTPHandler class:
Imports Microsoft.VisualBasic
Public Class AuthenticatedStaticResourceHandler
Implements IHttpHandler
Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
Dim resource As String = String.Empty
Select Case context.Request.HttpMethod
Case "GET"
resource = context.Server.MapPath(context.Request.FilePath)
If Helpers.User.CanAccessPath(context.Request.FilePath, context.User.Identity.Name) Then
SendContentTypeAndFile(context, resource)
Else
FormsAuthentication.RedirectToLoginPage()
End If
End Select
End Sub
Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
Get
Return False
End Get
End Property
Private Function SendContentTypeAndFile(ByVal context As HttpContext, ByVal file As String) As HttpContext
context.Response.ContentType = GetContentType(file)
context.Response.TransmitFile(file)
context.Response.End()
Return context
End Function
Private Function GetContentType(ByVal filename As String) As String
'Used to set the encoding for the reponse stream
Dim resource As String = String.Empty
Dim file As System.IO.FileInfo = New System.IO.FileInfo(filename)
If file.Exists Then
Select Case file.Extension.Remove(0, 1).ToLower()
Case "pdf"
resource = "application/pdf"
Case "jpg"
resource = "image/jpg"
Case "gif"
resource = "image/gif"
Case "png"
resource = "image/png"
Case "css"
resource = "text/css"
Case "js"
resource = "text/javascript"
Case Else
resource = String.Empty
End Select
End If
Return IIf(resource.Length > 0, resource, Nothing)
End Function
End Class
I've set a breakpoint on the Select Case context.Request.HttpMethod line in ProcessRequest, however when I try to access http://localhost/subfolder/subfolder/some.pdf the breakpoint is not triggered. Further, the example PDF I'm attempting to access is buried in a folder that I should not have access to, yet the PDF is served.
This leads me to believe that my HTTPHandler is not being called.
Am I missing something? What am I doing incorrectly?
Most likely, you have to add one extra part to your web.config to support all versions of IIS.
For IIS7 and higher, you need to register your handler in the system.webServer section:
<system.webServer>
<handlers>
<add ... />
</handlers>
</system.webServer>
[ASP.NET 4.0 Visual Studio 2010]
Hi I am new to ASP.NET and am just trying to:
Create a Generic Handler so my Server-Side image control can reference it like Image1.ImageUrl = "~/ImageHandle.ashx"
Pass the name of a file in my Dropbox account through the query, which is the image file's name (jpeg)
Rotate the image and serve it back to my calling code.
But I am really new and this is all I have, I don't know what i am doing wrong.
Public Class ImageHandle
Implements System.Web.IHttpHandler
Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
Dim imgurl As String = "https://dl.dropbox.com/u/134313/Duel%20Portal%20Info/Images/" & context.Request("file").Replace("_", "%20") 'Number Changed for privacy reasons
context.Response.ContentType = "image/jpeg"
Dim img As System.Drawing.Image = Nothing
Dim webc As New Net.WebClient, theBytes() As Byte
Try
theBytes = webc.DownloadData(imgurl)
img = Byte2Image(theBytes)
img = Rotate90Degrees(img)
Catch ex As Exception
End Try
img.Save(context.Response.OutputStream, System.Drawing.Imaging.ImageFormat.Jpeg)
End Sub
End Class
The image just doesn't show up. ImageHandle hits no breakpoints at all.
Also I have no idea how to format web.config and include this. Help is much appreciated.
EDIT: This is my Web.Config so far. Still not working!! Please help!
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<handlers>
<add name="ImageHandle" path="~/ImageHandle.ashx" verb="*"/>
</handlers>
</system.webServer>
I have a webform application. It required to be able to upload large file (100MB). I intended to use httpHandler and httpModule to split the file to chunk.
I also had a look at http://forums.asp.net/t/55127.aspx
But it is a very old post and I've seen some example on the internet using httpHandler.
e.g. http://silverlightfileupld.codeplex.com/
I'm not sure httpModule is still better then httpHandler.
Since httpModule apples to the request of the whole application, and I just want it apply to specify page.
Can anybody explain the shortcoming of httpHandler for large file upload clearly (if it has)?
If you know a good example without flash/silverlight , could you post the link here? thx
Edit: Would Like to see some Source Code example.
Why not try plupload which has lot of features with many fallbacks and here how it is done.
This is the http handler code:
Imports System
Imports System.IO
Imports System.Web
Public Class upload : Implements IHttpHandler
Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
Dim chunk As Integer = If(context.Request("chunk") IsNot Nothing, Integer.Parse(context.Request("chunk")), 0)
Dim fileName As String = If(context.Request("name") IsNot Nothing, context.Request("name"), String.Empty)
Dim fileUpload As HttpPostedFile = context.Request.Files(0)
Dim uploadPath = context.Server.MapPath("~/uploads")
Using fs = New FileStream(Path.Combine(uploadPath, fileName), If(chunk = 0, FileMode.Create, FileMode.Append))
Dim buffer = New Byte(fileUpload.InputStream.Length - 1) {}
fileUpload.InputStream.Read(buffer, 0, buffer.Length)
fs.Write(buffer, 0, buffer.Length)
End Using
context.Response.ContentType = "text/plain"
context.Response.Write("Success")
End Sub
Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
Get
Return False
End Get
End Property
End Class
I'm working on a site that I've inherited that's built with ASP.Net, which I'm only slightly familiar with. One of the pages allows for a link to a document (word or pdf) that, when clicked on, prompts the user to save or open the file, but does not reveal the true path of the file. This way it prevents users from pasting a url to a file - the link is to an aspx file that checks for a valid session, and then retrieves the file.
Anyway, because there's a lot of legacy code, I need to do this with a bunch of static htm files as well, however these files need to be displayed rather than prompting the user to save them, which is what happens now. I tried changing the content type to application/text, application/html, text/html, etc. and that didn't work, then tried adding a response header of content-disposition inline. When I do that, build, and try linking to the file, I get a couple of runtime exceptions:
[FormatException: Input string was not in a correct format.]
Microsoft.VisualBasic.CompilerServices.Conversions.ParseDecimal(String Value, NumberFormatInfo NumberFormat) +206
Microsoft.VisualBasic.CompilerServices.Conversions.ToLong(String Value) +110
[InvalidCastException: Conversion from string "inline; filename=\" + myFile + " to type 'Long' is not valid.]
Microsoft.VisualBasic.CompilerServices.Conversions.ToLong(String Value) +428
cmswebasp.CMSModdoclinks.DownloadFile(String file) +1704
cmswebasp.CMSModdoclinks.Page_Load(Object sender, EventArgs e) +625
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
Here's a snippet of code from the page:
Response.AddHeader("Content-Disposition", "inline; filename=" & file)
Dim fi As New FileInfo(myFile)
Response.AddHeader("Content-Length", fi.Length)
Dim contentType As String = ""
Dim fileExt As String = file.Split(".")(1)
Select Case fileExt
Case "htm"
contentType = "application/text"
Case Else
contentType = "application/octet-stream"
End Select
Response.ContentType = contentType
Response.WriteFile(myFile)
Do I have to do something with an htmlwriter object or something? Can't I just have it open a new browser window with the file displaying or does it have to prompt the user if used in this way??
Scrap the full page (.aspx) approach in place of using a generic handler (.ashx). An .aspx page is going to do a lot of built-in loading to initialize all the state that would normally be used in an ASP.NET web page, while the generic handler only initializes the bare minimum to send output back out to the client.
You will need to also implement System.Web.SessionState.IRequiresSessionState to get your session state when using a generic handler, as it does not load the session state by default.
An example:
Public Class FileWrapper
Implements System.Web.IHttpHandler, System.Web.SessionState.IRequiresSessionState
Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
' Validate session...
' Set output content type based on extension of requested file
Dim fileName As String = context.Request.QueryString("file")
Dim fileExt As String = fileName.Split("."c)(1).ToLowerInvariant()
Select Case fileExt
Case "htm", "html"
context.Response.ContentType = System.Net.Mime.MediaTypeNames.Text.Html
Case Else
context.Response.AddHeader("Content-Disposition", "attachment; filename=" & fileName)
context.Response.ContentType = System.Net.Mime.MediaTypeNames.Application.Octet
End Select
context.Response.WriteFile(fileName)
End Sub
ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
Get
Return False
End Get
End Property
End Class
Note: If hosting on IIS 7, you will need to remove any <httpHandler> registrations from <system.web> and register them instead as <handler> registrations in <system.webServer>.
Such as (correct as necessary to use your namespace):
<system.webServer>
<!-- For IIS 7 -->
<handlers>
<add name="FileWrapperHandler" path="FileWrapper.ashx" verb="*" type="MyNamespace.FileWrapper"/>
</handlers>
</system.webServer>
Another Note: If you are developing for a IIS 7 host using Integrated pipeline (default for IIS 7), then I would suggest using (and installing if necessary) the IIS Express option for your web project. This would be found going into Properties for your web project, the Web tab from left, then in the Servers section, select Use Local IIS Web Server radio button, and check Use IIS Express below.
This will put your development environment more in sync with how your production environment will behave.
After some discussion, it appears that you may be best served using a lobotomized Page after all, instead of a generic handler, due to the possibility of users coming to the site via links within Word documents or other sources outside the browser.
We've found that the aspx page is able to recover session in this instance, whereas the ashx does not. Thus, I am providing code for an aspx solution:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
' Validate session...
' Set output content type based on extension of requested file
Dim fileName As String = Request.QueryString("file")
Dim fileExt As String = fileName.Split("."c)(1).ToLowerInvariant()
Select Case fileExt
Case "htm", "html"
Response.ContentType = System.Net.Mime.MediaTypeNames.Text.Html
Case Else
Response.ClearHeaders()
Response.AppendHeader("Content-Disposition", "attachment; filename=" & fileName)
Response.ContentType = System.Net.Mime.MediaTypeNames.Application.Octet
End Select
Response.WriteFile(fileName)
Response.Flush()
Response.Close()
End Sub
It doesn't matter whatever is placed in the aspx markup itself, since none of that will get rendered anyway.
Just a note that this may cause some log entries on the web host about trying to "access a closed stream" since we have closed the response stream, but the page will continue processing as usual. That's one of the prices to pay for essentially hijacking the normal page flow.
The server might be throwing out your manually-set content-type header when you call Response.WriteFile(). Find out what the actual content-type header is when the client receives it. Firebug will tell you if you look under its Net tab.
If this is the case, try setting Response.ContentType after calling Response.WriteFile(). Alternatively, you could try reading the file into a string and use Response.Write() instead of WriteFile.
I am trying to make a file upload interface in ASP.NET webforms and am looking for some advice on how to proceed.
The file upload interface is part of a website I am making on which users can post adverts. The interface is part of the "create a new advert" and will enable the user to upload up to 6 images. I am using only the asp.net FileUpload server control as I am trying to make a control which will work when users have javascript disabled. That's the background.
The upload for all 6 files occurs on button click. This stores the files in a temp folder (/UserUploads/temp) until the user submits the form in which case the files are moved to the /UserUploads folder and the references in the database or until the user hits the cancel button or navigates away in which case the files are deleted.
First question is: Is storing the files in a temp directory the right way to go about this? Or is there some better way of keeping the temp files on the server until the parent form is submitted? The only alternative I can think about is saving the files to the session, but that seems like a recipe for killing the server...
Second question: I am unclear what to do when the user just closes the browser window. I want to avoid ending up with a mess of orphaned files in the temp directory. Is there some way to make sure that all the files will get cleared out if the user doesn't go through with the form submission? Or do I just have to perform a cleanup of the temp directory every so often?
Third question: Am I doing this completely wrong and there is in fact a much better approach to uploading multiple files?
1) If you are using SQL Server, I personally prefer to store uploaded files in a varbinary(max) field and work with them by their unique ID. Then you don't have to worry about name collisions or de-sync of your DB to your filesystem. This also allows your upload process to be independent of the insertion of the parent form.
The examples below show how to grab the file stream (and metadata) from a FileUpload control in a FormView and supply it as a parameter to a SQL stored procedure. Then, a class implementing IHTTPHandler is used to retrieve files from the DB.
2) As far as clearing out temp files, I would associate each uploaded file with a temp master record so they are tied together. When the real master is confirmed, delete the temp master (and reference files from the real master). Then run a SQL Agent job on a regular interval to delete temp masters and associated files that are older than X amount of time.
Saving:
Protected Sub DetailsView1_ItemInserting(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.DetailsViewInsertEventArgs) Handles DetailsView1.ItemInserting
Dim objUploader As FileUpload = DetailsView1.FindControl("fuFile")
If objUploader.HasFile Then
Dim strFileName As String = objUploader.PostedFile.FileName
strFileName = strFileName.Substring(strFileName.LastIndexOf("\") + 1)
Dim objFileStream As System.IO.Stream = objUploader.PostedFile.InputStream
Dim arrFileImageByteArray(objFileStream.Length) As Byte
objFileStream.Read(arrFileImageByteArray, 0, objFileStream.Length)
e.Values.Insert(0, "FileImage", arrFileImageByteArray)
e.Values.Insert(1, "FileName", strFileName)
e.Values.Insert(3, "PostingDate", Now)
e.Values.Insert(5, "Application", "CorpForms")
Else
e.Cancel = True
objMessages.Add(New StatusMessage(MessageType.Warning, "File Upload canceled. No file was selected."))
End If
End Sub
Retrieving:
Public Class FileServiceHandler : Implements IHttpHandler
Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
Dim idFileID As Guid
If context.Request.QueryString("FileID") IsNot Nothing Then
Dim strFileID As String = context.Request.QueryString("FileID")
Try
idFileID = Guid.Parse(strFileID)
Catch ex As Exception
Throw New Exception("Unable to parse File ID")
End Try
End If
Dim objConnection As New SqlConnection(ConfigurationManager.ConnectionStrings("PublicWebConnectionString").ConnectionString)
Dim objCommand As SqlCommand = objConnection.CreateCommand
Dim objReader As SqlDataReader
objCommand.CommandType = Data.CommandType.StoredProcedure
objCommand.CommandText = "spGetUploadedFile"
objCommand.Parameters.AddWithValue("FileID", idFileID.ToString)
Dim arrFileImage() As Byte = Nothing
Dim strFileName As String = String.Empty
Try
objConnection.Open()
objReader = objCommand.ExecuteReader
While objReader.Read
If Not IsDBNull(objReader("FileImage")) Then
arrFileImage = objReader("FileImage")
End If
If Not IsDBNull(objReader("FileName")) Then
strFileName = objReader("FileName")
End If
End While
Catch ex As Exception
Throw New Exception("There was a problem retreiving the file: " & ex.Message)
End Try
If objConnection.State <> Data.ConnectionState.Closed Then
objConnection.Close()
End If
If arrFileImage IsNot Nothing Then
context.Response.Clear()
context.Response.AddHeader("content-disposition", "attachment;filename=" & strFileName)
context.Response.BinaryWrite(arrFileImage)
context.Response.End()
Else
context.Response.ContentType = "text/plain"
context.Response.Write("Unable to retrieve file ID# " & idFileID.ToString)
End If
End Sub
Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
Get
Return True
End Get
End Property
End Class
Web.Config in file retrieval path:
<configuration>
<system.web>
<httpHandlers>
<add verb="GET" path="*" type="MyNamespace.FileServiceHandler" />
</httpHandlers>
</system.web>
<system.webServer>
<handlers>
<add name="MyNamespace.FileServiceHandler" path="*" verb="*" type="MyNamespace.FileServiceHandler" resourceType="Unspecified" preCondition="integratedMode" />
</handlers>
</system.webServer>
</configuration>
File upload is always annoying. I recently found a great component that does what I belive all upload componentes should do.
See at:
http://aquantum-demo.appspot.com/file-upload
And a sample in C# at:
https://github.com/BoSchatzberg/jfu-CSharp-Example
And, you should store your files in a temporary folder before creating the database row. To avoid a mess of files left useless, you can use a windows temporary folder to delagate to the windows when delete or not those files.
System.IO.Path.GetTempPath()
I would recommend storing the files in the database, rather than a temporary folder.
Don't store them in Session Db - too much information, but include the SessionId in the Files Database record.
So you'd have a Files database with a table along the lines of
Id (int identity field)
Data (varbinary(max))
MimeType (varchar(50))
SessionId (varchar(50))
UserId ??
Then you'd simply need to write a scheduled SQL task to clear images where the session had expired.