I have an asp.net application. There is a folder in the project that users upload images and files to that folder.
I want to restrict users, that each user sees only his files. How can I do this?
Because files are uploaded in folder, users may access them by browsing file urls.
One way is you could store the files inside the username of a folder, and your parameter which allows you specify a path always assumes you are talking about after the username...much like how shared web hosting must work.
Regardless, you should secure each folder for each user if there was some flaw in your code or whatever...
e.g. the physical file structure with each users files
C:\TheProject\Uploads\UserA\Images
C:\TheProject\Uploads\UserB\Images
C:\TheProject\Uploads\UserC\Images
your web app's url where you show the files for the currently logged on user. If UserA is logged on, show the files inside the appropriate folder etc
Happy paths:
http://example.com/browsefiles/?path=images
http://example.com/browsefiles/?path=docs
Unhappy paths:
http://example.com/browsefiles/?path=../UserA/images
http://example.com/browsefiles/?path=../../web.config
So obviously put some very tight checking around what input you accept...perhaps even a whitelist instead...if the query by the user doesn't match the whitelist, block it. In this scenario, you'd probably want to err on the side of blocking a legitimate request than allowing a malicious one.
Edit
If users can access the files without going through your web application (can we assume Intranet app here???) perhaps through a file share/network share/ftp then you could try a couple of options
Each user in your app is a user on the server (local user) so they would have a username and password on the server (which your app would need to authenticate against) but would allow you to set permissions on each folder/file on the server to a local user, OR
This might be easier if you have Active Directory setup and can use Windows Authentication and that way you could both impersonate your web app and secure the files/folders using the user's active directory account.
You might need to consult http://serverfault.com if you need help with Active Directory or Accounts on Windows servers
You have to create web.config in image folder and use FormsAuhentication
in web.config :
<authorization>
<deny users="?"/> // anonymous user
</authorization>
Related
I have an asp.net application which does the following: loads data about audio files (file name, path and so on) from DB and shows them in table on the page. Application uses windows authentication (this cannot be changed).
I've added html 5 audio controls to my table cells so that users could play audio files without downloading them - actually, I don't want them to be able to download files at all.
Audio files come from two network-shared directories - one is accessible by all domain users, the second one is accessible only to specific user. Audio control requires the src to be a relative url - ok, fine, so I went to IIS manager and created two virtual directories under my application. For the second, highly protected directory, I'd set credentials which should have helped my application to access files.
Result seems quite strange to me: users see audio files from the first (accessible) directory preloaded and can play them; users cannot preload and cannot play files from the second directory with preset credentials.
Problem is definitely not in the audio src itself - it is well-formed. Seems like IIS is trying to access data in the second virtual directory under credentials of current domain user and not the one, whose login and password were set on folder setup.
Is there any way to overcome this problem? Unfortunately, granting access to this directory to all users is not a chance. Changing app pool identity to that same specific user also gave no results. App users and user account for the second folder are all in the same domain.
IIS access file via application pool identity not login user. So when you are running an application with network share directory, please change the app pool identity to a domain user that have permission to access both. Then you can restrict login user permission via authorization rule.
Consider this scenario: I have a REST API built with Web API 2.x and authentication is managed by ASP.NET Identity. Users can upload attachments as part of their records, which are all stored on disk in the root folder, under a directory named Attachments.
Now at some point users can generate PDFs from their records. The PDF includes links to attachment files, and when you click them the static file is happily served. For example: attachments/2018/01/somefile.jpeg.
What I need to do, is serve these media files ONLY to authorized users. And basic authentication isn't enough, I can't just say serve media files for all logged-in users. I need to query the database, check user assignments and/or other security measures and decide if the file should be served or not.
I've been looking for a viable solution. How can I handle such routing through Web API and serve static content only to authorized users? It's worth mentioning that I don't use ASP.NET MVC in my project. It is just Web API 2.x with an Angular 1.6 app written in TypeScript.
Following approach should work for you.
Step 1-
Deny the direct access permission on your attachment folder in your web.config to all users like following.
<location path="attachments">
<system.web>
<authorization>
</authorization>
</system.web>
</location>
Step 2: Create a common file download API, this should be your single point for downloading any file from server.
All your secured link should look like /Download/somefilename
You implement your data level security in your Download API, by checking the request file against the logged in user.
I want to create a directory on a network path from a WCF web service. This web service is hosted under a site that uses Windows authentication. However, when I try to create the folder with "Directory.Create", I get an access denied. When I check "HttpContext.Current.User.Identity.Name", I can see my own user account, but I guess it is not the one used to create the folder, as, when I do "System.Environment.UserName", I see another value.
I tried to put "<identity impersonate="true" />" in the main web.config of the web site but then, nothing works anymore.
So my question is, is it possible to create the directory using the permissions of the currently logged user ?
As a precision, I'm calling the webservice through AngularJS and I configured my "$httpProvider" to pass the credentials ("$hp.defaults.withCredentials = true;").
EDIT:
I added "<identity impersonate="true" />" to the web.config placed in the folder that contains my web service and now, "System.Environment.UserName" contains the correct credential but still, I guess the access denied. I tried the same command from a console application and it works. I really don't get it...
EDIT 2
If I changed the "identity" element to "<identity impersonate="true" username="USERNAME" password="PASSWORD" />", then it works, but I don't want to fill these fields...
Thanks
I'm assuming the network folder is on another server, you're either going to have to impersonate credentials that has access to it or whoever the apppool is running as will need permissions to write to that folder.
We typically have the app-pool running as a domain account in IIS. You can tailor the permissions as you see fit then (assuming both servers are on the same domain and, you don't have to store passwords this way, whoever manages your IIS would handle that). If the site just needs to write (but not read) you could give it write permissions but not read.
We have some requirements where we want to allow our clients/ users to download files/ folders from our file server via browser/ web.
We have a many different directories created on our file server which is mapped to different clients. Which means that, every client has its own directory on our server. We have a main (root) directory for every single client/user. Which means that, every client’s files/folder are created under their respective main directory.
The only thing we need be sure is, whenever our client make a request to access/ download file, first we need to validate their credential (username/password are stored in our SQL server DB) and then we need to allow only those folder which is mapped for specific folder. (The folder mapping is again stored in our SQL server DB)
Which means that, after applying the credential by user/clients, they can only access their directory/ files. They cannot access other’s files/ directory.
Would anybody please do let me know how would I achieve this? All the suggestions would be appreciated highly.
Thanks in advance.
Since different users need to be authorized to access different directories, you cannot expose your files directly on the web.
Build a simple login with a custome MembershipProivder. That will allow you to autenticate against your database.
Since you know which directories the user has access to, you can fetch a listing of files and folders and present it in a ListView to the user.
You can write a HttpHandler to check user authorization and then serve the files to them.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.