[RESOLVED] [2005] Securing SubDirectories when using Forms Authentication
How does one go about securing individual subdirectories that contain non-asp.net filetypes when using Forms Authentication?
I have a subdirectory that contains certain files that I only want logged-in users to see. Since they are non-asp.net files (zip, pdf, etc), an anonymous user can access a file as long as they know the direct link. All of the articles I have read (like this one (and countless others) go over using the aspnet.isapi.dll filter and specifying the file extension that you wish to protect. The problem is that this is application level, not directory-level. By using this method, if I add the .PDF extension, then ALL of the .PDF files on the site would then require a login, not just the PDF files in the "secure" location.
I guess what I am getting at is what is the best practice scenario at handling this when using Forms Authentication?
Re: [2005] Securing SubDirectories when using Forms Authentication
mapping aspnet.isapi.dll to handle certain extentions in IIS should only envoke forms auth if the file is in a secured directory, not outside it. I thought if you did that you had to write a httpHandler to tell .net what to do with a request for that file type also? that article does not mention this so I guess not?
Another option using just code is to add .aspx to the file like my.pdf.aspx which will cause the .net engine to handle the request and forms auth will kick in if the file path is browsed to.
To show it or start download to authenticated user add it to the response stream with the .aspx removed like
Code:
Dim strFileNamePath As String
strFileNamePath = Server.MapPath(FileName & ".aspx")
Dim myFile As FileInfo = New FileInfo(strFileNamePath)
Response.Clear()
' send the file header (causes download) minus the aspx extension.
Response.AddHeader("Content-Disposition", "attachment; filename=" & _
Microsoft.VisualBasic.Replace(myFile.Name, ".aspx", ""))
Response.AddHeader("Content-Length", myFile.Length.ToString())
Response.ContentType = "application/octet-stream"
' or Response.ContentType = "application/pdf" for a pdf file
Response.WriteFile(myFile.FullName)
Response.End()
Re: [2005] Securing SubDirectories when using Forms Authentication
Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.
Alternatively an HttpHandler to handle the file types.
Do a search on these, read up, you will see that you can protect files in a specific location by specifying that in the web.config
/securefolder/*.pdf ......
Re: [2005] Securing SubDirectories when using Forms Authentication
Quote:
Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.
But what if it's a she?? :confused:
Re: [2005] Securing SubDirectories when using Forms Authentication
Women use computers now? :confused: :afrog:
Re: [2005] Securing SubDirectories when using Forms Authentication
Quote:
Originally Posted by mendhak
Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.
Alternatively an HttpHandler to handle the file types.
Sounds like a plan... just have read up on it a little...
Re: [2005] Securing SubDirectories when using Forms Authentication
Ok, I have a test HttpModule created, but in order for my BeginRequest event to be fired, do I have to register this extension using aspnet.isapi.dll? Or is there another way using custom httpHandlers? Or something else?
In essence, lets say I have a root directory with one subfolder called "Secure". I create a httpModule that handles the .BeginRequest event. This method performs some code. I only want this custom module to fire on, lets say, .PDF files within the "Secure" directory. I don't want this to even fire or be handled in any way on a .PDF file in the main root directory, I want it to ignore it all together.
Right now, I have to register the .PDF extension in IIS in order for my .BeginRequest event to fire, so that makes my module handle every single .PDF file on the site. I am a little confused on how to possibly implement Location tags with paths in the configuration file in order to do what I am intending to do, or if it even possible. I do not want to map this through aspnet.isapi.dll if I don't have to.
Any suggestions?
Re: [2005] Securing SubDirectories when using Forms Authentication
You'll need to include the logic for which PDFs are authenticated and which aren't. I don't believe you can do this without mapping your file types as IIS doesn't natively understand what they are.
Re: [2005] Securing SubDirectories when using Forms Authentication
Thats what I thought. If I am strictly wanting to 'secure' non-asp.net file types, does it make more sense to use HttpHandlers or HttpModules? I was testing using a module, but the more I think about it, the more HttpHandlers might make more sense, since my handler would (supposedly) only fire for those extensions, and not for every single request in the application (since I was using a handler for .BeginRequest).
Re: [2005] Securing SubDirectories when using Forms Authentication
Depends... what is your authentication mechanism?
Re: [2005] Securing SubDirectories when using Forms Authentication
Its just Forms Authentication, based on Roles that are assigned to a user. If a user is in a particular role, then they would essentially have access to those filetypes in that directory. RIght now everything works for the forms in the 'secure' directory, just trying to work out the files now...
Re: [2005] Securing SubDirectories when using Forms Authentication
I'm not entirely sure, but you can try this out (and share the knowledge :D )
Use Context.User.Identity.IsAuthenticated in the HttpHandler to see if the user is authenticated or not and redirect them to the login page if they are not. Else, allow the process to continue (do nothing in the ProcessRequest method).
Before you do that, though, map the PDF to the ASP.NET ISAPI dll, set the <location> in the web.config (make the parent directory secure) and try browsing to the PDF as a normal user who doesn't have access to it. See if the ASP.NET ISAPI DLL automatically performs the forms authentication check for you on this mapped type.
Re: [2005] Securing SubDirectories when using Forms Authentication
Will try it out, probably won't be until next week though, as this is just a small part of stuff on my plate right now and its getting close to 5 here (I try to stay away from work on the weekends :) )
Re: [2005] Securing SubDirectories when using Forms Authentication
I was bored, so I did a test for you.
It's simple, simpler than I thought. :D
Using forms authentication, you can protect the subdirectory and all files handled by the ASP.NET ISAPI DLL. All you need to do is map .PDF to ASP.NET and not create an HttpHandler or HttpModule. Just
Code:
<location path="myfiles">
<system.web>
<authorization>
<allow roles="theadmins"/>
<allow roles="thenoobs"/>
<deny roles="themactards"/>
<deny users="*" />
</authorization>
</system.web>
</location>
So if I login as a mactard, then I am denied access, else I am allowed access - to the PDF files in the myfiles folder.
Re: [2005] Securing SubDirectories when using Forms Authentication
Well when I do that I run into the same problem. The .PDF files in the root (public) directory still asks for authentication (brings user/pass popup window), even when I allow "*" and "?" users in the web.config file in the root.
**EDIT - the user/pass was coming up because our devbox had anonymous access disabled (new box that we had set up last week... grrr), that's why the password box was coming up. It looks like this will do the trick, and I would rate you but it seems I don't 'pass it around' enough...
Re: [RESOLVED] [2005] Securing SubDirectories when using Forms Authentication
Yeah, we're a close-knit community :afrog: