protecting files with asp.net (mvc) - asp.net

I want to protect the files in a specific directory so that people cannot link to them - but I still need my program to be capable of rendering them, so password protecting the actual folder won't work. Is there any way to facilitate this in ASP.NET MVC? Obviously it's more about ASP.NET, not MVC - but I can't make use of things like Session State and Postback and such...

You could put that directory outside of the web app's root directory (so that it can't be accessed using some copied URL) or into a directory where you deny any read access using a web.config file.
Then access the files through an action which requires the current user to be authorized, e.g:
public class FileController : Controller
{
[Authorize]
public ActionResult Get(string file)
{
return new File(Path.Combine(_rootPath, file);
}
}
Then you can access the files through an action URL, e.g. http://server/app/File/Get/test.txt.

Related

Host Asp.Net MVC in IIS hides Views-Folders and .cshtml

When I host my Asp.Net MVC inside my default IIS, it does neither show .cshtml files, nor the Views folder at all. Even when directory browsing, these folders are missing. If I create some file in the Views folder I cannot access it either. If I create some file in another folder I can access it.
This is my routing configuration
I think this should be a rather basic setup question. Do I have to manually add MVC support?
My IIS is running in my docker container on the basis of windowsservercore. Setup as follows:
FROM microsoft/windowsservercore
SHELL ["powershell"]
RUN Install-WindowsFeature NET-Framework-45-ASPNET ; \
Install-WindowsFeature Web-Asp-Net45
Routing doesn't go to views it goes to controllers. It is the controllers that process and then render the views. Additionally, there is no physical correlation between the URL that you provide and the view location - that is entirely based on how the routes are setup.
It is normal and expected behavior for IIS to block direct access to the Views folder, since these are never used by the browser directly.
The Views are convention-based by default. The convention they use is Views\<ControllerName>\<ActionName>.cshtml. When a view is in the correct corresponding location, the action method can simply return View(); and the view will be rendered.
The view Views\tst.cshtml will only be rendered if you have passed the virtual location of the view to the View method (for example, return View("~/Views/tst.cshtml");. This is because it does not match any of the "normal" MVC conventions.
Since you have not provided any examples of what your controller or action names are (or even if you have any), I will provide a basic example from the MVC template project.
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
public ActionResult Contact()
{
ViewBag.Message = "Your contact page.";
return View();
}
}
With the above controller and the Default route, if you pass the URL /Home/About (Home matching HomeController, and About matching the About method), the About method will run, and the view at \Views\Home\About.cshtml will be rendered.
Reference: Understanding Models, Views, and Controllers (C#)

Adding asp.net.mvc to ASP.NET: Controllers folder

I have an ASP.NET application, and I am trying to turn this into a hybrid ASP.NET / ASP.NET.MVC 4.0 application.
I tried to create a folder named "Controllers", and place a .cs file in there:
public class PlayerGroupController : Controller
{
public PlayerGroupController()
{
}
public string Index()
{
return "Hello World!";
}
public ActionResult LayoutTemplates()
{
return View();
}
}
Any attempt to access "PlayerGroup/LayoutTemplates" doesn't work (just get a "Not Found" error)
I then moved this file into App_Code, and it works fine. I'm glad I got something working, but I would rather follow the convention of controller classes being in the folder named Controllers.
Is there some magic setting I can set somewhere so that it starts recognizing Controllers as a code folder?
If the project is configured as a Web Site Project then all code files (*.cs) must be in ~/App_Code or in subfolders thereof. If the project is a Web Application Project, code files can go anywhere in the project and be compiled by VS into a DLL that ends up in the ~/bin directory, which then gets loaded by ASP.NET.
MVC is geared specifically towards the Web Application Project (WAP), so I recommend creating a new WAP and copying all the files into that, and then going from there.

How do I redirect to the cshtml page created inside shared folder in ASP.NET MVC3

Please help me out how do I redirect to a .cshtml page which is created inside a shared folder.
I want something like this
href="#Url.Content("Shared/UnderConstruction")"
Here it's not getting redirecting to the UnderConstruction page, which I created.
You cannot redirect to anything that's stored inside the ~/Views folder including the ~/Views/Shared. This folder is simply not served by ASP.NET MVC and cannot be accessed directly. Also notice that in ASP.NET MVC you are not serving .cshtml pages directly. You are always passing through controller action that return views and those views might represent .cshtml pages.
Now if you have some Shared folder directly under the site root ~/Shared, then you can do this:
construction
In ASP.NET MVC3 you can't render views directly by calling the files directly. They can only be served via controllers.
In order to call the view in your shared folder you woul have to do something similar to the following:
public class HomeController : Controller
{
public ActionResult About()
{
return View("Construction");
}
}
If you want to display a page at url "shared/underconstruction" as per the other posts:
Create controller SharedController.
Define action "UnderConstruction"
Create "UnderConstruction.cshtml" in Views/Shared/ folder.
Map URL "Shared/{action}" , new { Controller = "Shared" } if you want to be explicit.
Give that a shot... to be honest even I don't know if this will work, and you will pollute your "Shared" folder. You could rename existing Shared folder to something else, maybe, and modify ViewStart.cshtml to point to new folder, maybe.
In ASP.NET MVC you can only redirect to controllers, and the controllers return a view. You can access views in Shared the same way as your normal controller views, by their name. ASP.NET MVC first looks in your controller view folder then in your shared view folder when resolving view names.

Is it safe to map a virtual directory to a subfolder within App_Data for serving images?

I am running an mvc3 app under IIS7.
the general public can upload images via a file upload control, which resizes the images then writes them to a subfolder of the App_Data folder.
When it comes to displaying the uploaded images on pages, I cannot serve these straight from the App_Data subfolder because this is restricted by IIS7 as a protected folder for security reasons.
If i map a virtual directory to the App_Data subfolder i can serve the images stored in there, but this raises the question - does this pose a security risk?
From what i understand, as long as the correct permissions are set on the virtual directory, then it should be ok.
Is this correct? or are there other things i am overlooking?
From what i understand, as long as the correct permissions are set on the virtual directory, then it should be ok.
That's correct. If you ensure that only authorized users can access this virtual directory your files are pretty safe.
But to avoid all the hassle of creating another virtual directory you could create a controller action which will directly serve files from this folder:
// You could specify Roles instead of Users if you wish
[Authorize(Users = "john, jane")]
public ActionResult AppDataFile(string filename)
{
var file = Path.Combine(Server.MapPath("~/app_data"), filename);
if (!System.IO.File.Exists(file))
{
return HttpNotFound();
}
return File(file, "application/octet-stream", Path.GetFileName(file));
}
and then when you authenticate as jane you could /appdatafile?filename=foo.bar to download the foo.bar file from the App_Data folder.

asp.net: prevent files from bots

Application uses Forms authentication and has folders with excel files. Need to prevent
unauthorized, automated scripts or bots from accessing these folders. What would be best option to prevent this?
Have the authorization node of the lockElementsattribute value set in the
Web.config file.
Have a element added to the element in the Web.config
file.
3 Use (CAPTCHA) image control on each page of the application.
4 Use Robots.txt file implemented in the root directory of the application.
Have the Excel files mapped to the ASP.NET ISAPI filter.
Or are there better options? Httmodules?
You could protect the excel files by writing a custom httpmodule and validating that they are authed via the forms auth before giving them access to the file.
In addition I would use the robots.txt file as well to exclude them. Those that follow the rules will stop looking at that point. The rest will be taken care of with the custom httpmodule.
The most secure solution would be to store your files outside of the web-tree and then serve them up via a HttpHandler. The simplest handler to create in ASP.NET would be an .ashx Handler as outlined in this blog post.
Download File
Your handler would then check the user request to ensure the user is authenticated and then stream the file back. In simplified pseudo-C# code this would be something like:
public void ProcessRequest(HttpContext context)
{
string file = context.Request["file"];
if (user.IsAuthenticated())
{
OutputFile(file, context)
}
}
private void OutputFile(string file, HttpContext context)
{
string fileContent = LoadFileFromSecureDirectory(file);
Response.Output(fileContent);
}
Map the Excel files to the ASP.NET ISAPI filter and add a
<deny> element to the <authorization> element in web.config,

Resources