Results 1 to 16 of 16

Thread: [RESOLVED] [2005] Securing SubDirectories when using Forms Authentication

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Resolved [RESOLVED] [2005] Securing SubDirectories when using Forms Authentication

    How does one go about securing individual subdirectories that contain non-asp.net filetypes when using Forms Authentication?

    I have a subdirectory that contains certain files that I only want logged-in users to see. Since they are non-asp.net files (zip, pdf, etc), an anonymous user can access a file as long as they know the direct link. All of the articles I have read (like this one (and countless others) go over using the aspnet.isapi.dll filter and specifying the file extension that you wish to protect. The problem is that this is application level, not directory-level. By using this method, if I add the .PDF extension, then ALL of the .PDF files on the site would then require a login, not just the PDF files in the "secure" location.

    I guess what I am getting at is what is the best practice scenario at handling this when using Forms Authentication?

  2. #2
    Frenzied Member brin351's Avatar
    Join Date
    Mar 2007
    Location
    Land Down Under
    Posts
    1,293

    Re: [2005] Securing SubDirectories when using Forms Authentication

    mapping aspnet.isapi.dll to handle certain extentions in IIS should only envoke forms auth if the file is in a secured directory, not outside it. I thought if you did that you had to write a httpHandler to tell .net what to do with a request for that file type also? that article does not mention this so I guess not?

    Another option using just code is to add .aspx to the file like my.pdf.aspx which will cause the .net engine to handle the request and forms auth will kick in if the file path is browsed to.

    To show it or start download to authenticated user add it to the response stream with the .aspx removed like

    Code:
    Dim strFileNamePath As String
    strFileNamePath = Server.MapPath(FileName & ".aspx")
    Dim myFile As FileInfo = New FileInfo(strFileNamePath)
    Response.Clear()
    
    ' send the file header (causes download) minus the aspx extension.
    Response.AddHeader("Content-Disposition", "attachment; filename=" & _
    Microsoft.VisualBasic.Replace(myFile.Name, ".aspx", ""))
    Response.AddHeader("Content-Length", myFile.Length.ToString())
    Response.ContentType = "application/octet-stream"
    
    ' or Response.ContentType = "application/pdf"    for a pdf file
    
    Response.WriteFile(myFile.FullName)
    Response.End()

  3. #3
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.

    Alternatively an HttpHandler to handle the file types.

    Do a search on these, read up, you will see that you can protect files in a specific location by specifying that in the web.config

    /securefolder/*.pdf ......

  4. #4
    Evil Genius alex_read's Avatar
    Join Date
    May 2000
    Location
    Espoo, Finland
    Posts
    5,538

    Wink Re: [2005] Securing SubDirectories when using Forms Authentication

    Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.
    But what if it's a she??

    Please rate this post if it was useful for you!
    Please try to search before creating a new post,
    Please format code using [ code ][ /code ], and
    Post sample code, error details & problem details

  5. #5
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Women use computers now?

  6. #6

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Quote Originally Posted by mendhak
    Create an HttpModule to handle all requests to your file types. In the HttpModule, you can check to see if the user is authenticated (cookie? session?) and if he is, then allow the execution or request to continue.

    Alternatively an HttpHandler to handle the file types.
    Sounds like a plan... just have read up on it a little...

  7. #7

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Ok, I have a test HttpModule created, but in order for my BeginRequest event to be fired, do I have to register this extension using aspnet.isapi.dll? Or is there another way using custom httpHandlers? Or something else?

    In essence, lets say I have a root directory with one subfolder called "Secure". I create a httpModule that handles the .BeginRequest event. This method performs some code. I only want this custom module to fire on, lets say, .PDF files within the "Secure" directory. I don't want this to even fire or be handled in any way on a .PDF file in the main root directory, I want it to ignore it all together.

    Right now, I have to register the .PDF extension in IIS in order for my .BeginRequest event to fire, so that makes my module handle every single .PDF file on the site. I am a little confused on how to possibly implement Location tags with paths in the configuration file in order to do what I am intending to do, or if it even possible. I do not want to map this through aspnet.isapi.dll if I don't have to.

    Any suggestions?
    Last edited by gigemboy; Jul 11th, 2008 at 11:58 AM.

  8. #8
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    You'll need to include the logic for which PDFs are authenticated and which aren't. I don't believe you can do this without mapping your file types as IIS doesn't natively understand what they are.

  9. #9

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Thats what I thought. If I am strictly wanting to 'secure' non-asp.net file types, does it make more sense to use HttpHandlers or HttpModules? I was testing using a module, but the more I think about it, the more HttpHandlers might make more sense, since my handler would (supposedly) only fire for those extensions, and not for every single request in the application (since I was using a handler for .BeginRequest).

  10. #10
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Depends... what is your authentication mechanism?

  11. #11

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Its just Forms Authentication, based on Roles that are assigned to a user. If a user is in a particular role, then they would essentially have access to those filetypes in that directory. RIght now everything works for the forms in the 'secure' directory, just trying to work out the files now...

  12. #12
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    I'm not entirely sure, but you can try this out (and share the knowledge )

    Use Context.User.Identity.IsAuthenticated in the HttpHandler to see if the user is authenticated or not and redirect them to the login page if they are not. Else, allow the process to continue (do nothing in the ProcessRequest method).

    Before you do that, though, map the PDF to the ASP.NET ISAPI dll, set the <location> in the web.config (make the parent directory secure) and try browsing to the PDF as a normal user who doesn't have access to it. See if the ASP.NET ISAPI DLL automatically performs the forms authentication check for you on this mapped type.

  13. #13

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Will try it out, probably won't be until next week though, as this is just a small part of stuff on my plate right now and its getting close to 5 here (I try to stay away from work on the weekends )

  14. #14
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [2005] Securing SubDirectories when using Forms Authentication

    I was bored, so I did a test for you.

    It's simple, simpler than I thought.

    Using forms authentication, you can protect the subdirectory and all files handled by the ASP.NET ISAPI DLL. All you need to do is map .PDF to ASP.NET and not create an HttpHandler or HttpModule. Just

    Code:
    <location path="myfiles">
            <system.web>
                <authorization>
                    <allow roles="theadmins"/>
                    <allow roles="thenoobs"/>
                    <deny roles="themactards"/>
                    <deny users="*" />
    
                </authorization>
            </system.web>
        </location>
    So if I login as a mactard, then I am denied access, else I am allowed access - to the PDF files in the myfiles folder.

  15. #15

    Thread Starter
    PowerPoster
    Join Date
    Aug 2005
    Location
    College Station, TX
    Posts
    4,521

    Re: [2005] Securing SubDirectories when using Forms Authentication

    Well when I do that I run into the same problem. The .PDF files in the root (public) directory still asks for authentication (brings user/pass popup window), even when I allow "*" and "?" users in the web.config file in the root.

    **EDIT - the user/pass was coming up because our devbox had anonymous access disabled (new box that we had set up last week... grrr), that's why the password box was coming up. It looks like this will do the trick, and I would rate you but it seems I don't 'pass it around' enough...
    Last edited by gigemboy; Jul 15th, 2008 at 10:29 AM.

  16. #16
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: [RESOLVED] [2005] Securing SubDirectories when using Forms Authentication

    Yeah, we're a close-knit community

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width