Hi all,

Say I have a link in a page to a file. Currently this displays the complete path to the file, e.g.

http://server/appname/folder1/folder2/file.extn

What I did, in the page containing the link, I opened a Download page in new window passing the name of the file etc. That worked. Now user don't see the complete path to the file. And it forces the user to login to the application thus helping us maintaining a log of who downloaded which file.

But this doesn't stop the user from entering the complete path to the file in the browser and downloading the file directly avoiding the download page. So I tried creating an HTTPModule wherein I tried to get the extension of the file being requested and if it is one of them in the list, then redirect the user to Unauthorized Access error page.

The code works fine in development but doesn't work in the production. By doesn't work, I mean that user can enter the path to the file and download it and this module doesn't seem to trap the request. Also this caused the Download page to stop working normally.

This is the code I was using:
C# Code:
  1. public class BadRequest: IHttpModule
  2. {
  3.     public BadRequest()
  4.     {
  5.         //
  6.         // TODO: Add constructor logic here
  7.         //
  8.     }
  9.     public void Init(HttpApplication application)
  10.     {
  11.         application.BeginRequest += new EventHandler(application_BeginRequest);
  12.         application.EndRequest += new EventHandler(application_EndRequest);
  13.     }
  14.  
  15.     private void application_EndRequest(object sender, EventArgs e)
  16.     {
  17.        
  18.     }
  19.  
  20.     private void application_BeginRequest(object sender, EventArgs e)
  21.     {
  22.         //HttpContext.Current.Response.Write(HttpContext.Current.Request.FilePath);
  23.         //HttpContext.Current.Response.Write(VirtualPathUtility.GetExtension(HttpContext.Current.Request.Url.AbsolutePath));
  24.         foreach (string block in System.Web.Configuration.WebConfigurationManager.AppSettings["blockExtn"].Split(new char[] { ';' }))
  25.         {
  26.             if (string.Equals(VirtualPathUtility.GetExtension(HttpContext.Current.Request.Url.AbsolutePath), block, StringComparison.OrdinalIgnoreCase))
  27.             {
  28.                 HttpContext.Current.Response.StatusCode = 403;
  29.                 HttpContext.Current.ClearError();
  30.                 HttpContext.Current.Server.Transfer("~/ErrorPages/NoAccess.aspx");
  31.             }
  32.         }
  33.     }
  34.  
  35.     public void Dispose() { }
  36. }
In the Web.Config
Code:
<httpModules>
			<add name="BadRequest" type="BadRequest" />
		</httpModules>
Any ideas that I could try? Or am I missing something here?

Thanks