Transfer download processing to IIS7? - iis-7

I have a system that allows users to download some files; the user needs to log in first and is then authorized or not to download. The download page is Download.aspx?FileId=42, and the code within this page opens the file and keeps sending small chunks to the user. We did this because we needed to guarantee that only authorized users could download.
We recently moved this system to IIS7 and it is working properly, but I don't like the idea of having custom C# code sending the chunks to the client. I would like to know whether there is a way, when a request to file.zip is made, to execute custom code that authorizes the request or not and, if it is authorized, just tell IIS7 to proceed with the download instead of running the code inside Download.aspx.
Is this possible?
Thanks!

Do a redirect to the zip file. Hide the zip file in an obscure location with non-regular naming. "Security through obscurity."

IIS7 has authorization that uses Forms or Windows authentication for all file types, if it's running in integrated pipeline mode. The syntax is just like that for ASP.NET applications, but it's in a different place in web.config, <system.web>. The rules can also be added using the IIS7 admin interface. There are a couple of differences: IIS7 URL authorization evaluates rules from the parent down, and deny rules take precedence.

Related

ASP.NET Intranet Config - Get Network User ID But Access Db And Folders As Different User

I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.

ASP.NET - Check Session Before Opening a File

My question is: can I check the session before allowing a user to view a file, e.g.:
http://www.somedomain/pdf/dummy.pdf
When the user clicks on this URL I want to check whether the session is valid or not. If the session is valid, allow the user to view/download the file; otherwise take the user to the login page.
Thanks.
You can write HttpHandler and set it to process *.pdf files. IHttpHandler.ProcessRequest method has access to HttpContext so you can access session information and do pretty much all you want...
How to setup handler for PDF files depends on IIS version but here's an example of doing it via Web.config file for IIS 7 in integrated mode. For versions prior to 7, Web.config file change is not enough, you also have to use IIS Manager to map extension to Aspnet_isapi.dll. Look here and here for details.
Your question is a bit vague. Maybe you don't want to access HttpSessionState, instead you just want to use standard ASP.NET URL authentication on static files (such as PDF)? If so, search for "ASP.NET authorization for static files"; this is quite a popular topic.
This is what I wanted to do. Thanks to: #skhurams
http://www.mikesdotnetting.com/Article/122/Simple-File-Download-Protection-with-ASP.NET
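
A session check of the kind the answers in this thread describe, written as an HTTP handler for IIS 7 integrated mode. This is an added example, not code from the thread or from the linked article; the class name ProtectedPdfHandler, the "UserId" session key, the ~/App_Data/pdf folder and ~/Login.aspx are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Added example. Assumed names: ProtectedPdfHandler, the "UserId" session key,
// the ~/App_Data/pdf storage folder and ~/Login.aspx.
// Registration for IIS 7 integrated mode (web.config):
//   <system.webServer><handlers>
//     <add name="ProtectedPdf" path="*.pdf" verb="GET,HEAD"
//          type="ProtectedPdfHandler" resourceType="Unspecified" />
//   </handlers></system.webServer>
public class ProtectedPdfHandler : IHttpHandler, IReadOnlySessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // No valid session: send the user to the login page and stop.
        if (context.Session == null || context.Session["UserId"] == null)
        {
            string back = HttpUtility.UrlEncode(context.Request.RawUrl);
            context.Response.Redirect("~/Login.aspx?ReturnUrl=" + back, false);
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Use only the file name from the URL so "../" segments cannot
        // escape the storage folder, which IIS does not serve directly.
        string name = Path.GetFileName(context.Request.Path);
        string root = context.Server.MapPath("~/App_Data/pdf");
        string full = Path.Combine(root, name);
        if (string.IsNullOrEmpty(name) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        // Authorized responses must not be stored by shared caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        // TransmitFile sends the file without buffering it in application memory.
        context.Response.TransmitFile(full);
    }
}
```

The same handler shape fits the Download.aspx?FileId=42 case at the top of the page: authorize first, then let TransmitFile replace the hand-written chunk loop.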

Block a user from viewing a PDF until they log in?

I am working on an old Classic ASP website and there is a directory that contains a handful of PDF documents. Is there a way to stop a user from accessing said PDF documents via a direct link (www.example.com/example.pdf) until they log in? If so, how would I go about it?
Does ASP have the built-in Membership provider, which controls access with a couple of lines in a web.config in that directory?
http://msdn.microsoft.com/en-us/library/yh26yfzy%28v=vs.80%29.aspx
The following article from Microsoft explains how to protect access to certain pages using classic ASP.
How To Use Simple ASP Code to Password Protect Your ASP Pages
Here are a couple of additional links, that are both for ASP.NET, but perhaps you can use the same ideas in classic ASP.
Thread: How do I password protect a sub folder of my website, to deny anonymous access?
Here's a similar article: Protecting Folders with Forms Authentication
I presume your web site already has a login infrastructure.
If not, you should add it as the first thing | http://www.evolt.org/node/28652.
Then create a page and put it in the place of the resource you want to protect. E.g. replace http://youwebsite.com/dir1/dir2/file.pdf with http://yourwebsite.com/dir1/dir2/getfilepdf.asp.
In your new script, check whether the user has logged on; if not, send them back to the log on page.
If the user is correctly authenticated, read the file and return it to the browser with Response.BinaryWrite.
The web is full of samples. Read this | http://support.microsoft.com/kb/307603.
Password protection on the page listing your documents will not prevent direct access to the documents. For example if your documents are listed by folder view or are linked from any web page then every search engine and spider on the planet already knows the document's location in your site. So here's what you can do...
Start by moving the document folder to below root level, then use FileSystemObject to deliver the document. For documents over 2-4 Mb you should deliver them in "chunks".
Now you can add a condition to your download script to verify the user's log-in status or redirect to log-in. Your comment link will now look something like:
http://somesite.com/load-pdf.asp?id=mydocuent.pdf
If you were providing a list of documents by folder view you can still do that using FileSystemObject.

Credentials prompt for an aspx page configured for anonymous authentication

From Flex we call an Upload.aspx page which is configured for anonymous authentication. Most of the time, it works like a charm, but once in a while, the browser does prompt an enter-credentials popup...
The whole site is configured for Windows Authentication, but some pages and folders are set to use anonymous authentication. This is done using the location tag in web.config.
What could be the reason for this?
UPDATE:
Only happening in Internet Explorer... they should deport it.
If you use FireFox with FireBug, open up the Net panel, it will show you the request making the permissions request. If you cancel it, it will show an access denied in red, and that will easily help you hunt the issue down.
Maybe it's because a file (image, css, etc.) is being referenced that doesn't exist?
A couple of things I would check out:
Are there any images/other files that are added to your page using the FQDN? If so, are any of these pointing to an external site or staging site that might require credentials?
Is it possible that someone has removed permissions from the application pool credentials on the web server for some specific file or files the site is requesting?
Is the site load balanced or part of a farm? It could be that one or many servers are configured incorrectly, and the rest are ok. Then if by chance you hit the bad servers, you could get the prompt.

non asp.net resources authentication and authorization in iis6

I'm creating a website which, besides other tasks, will play some recorded files. These recorded files are on a remote server with a private IP address, so I've created a virtual directory which points to a shared directory on the mentioned server.
Now I'm able to play back the files using client-side controls like wmplayer. BUT the problem is that the sound file URLs are accessible without any authentication and authorization.
Is there any way to enforce .NET authorization and authentication (in web.config) on this virtual directory? I should also mention that I cannot use solutions like HttpHandlers to download the files, because the files are streamed using IIS (so the user can navigate within the file without downloading all of it).
Thanks
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?
