Securing files for logged in members only

mark007

I want to have a folder containing files - pdf's for argument's sake - that are only accessible to logged in users. So if someone typed:

www.someurl.com/pdfs/mypdf.pdf

They would get an access denied message. I could do this on Apache just using a .htaccess file in the folder. What's the IIS equivalent?

Secondly I then need to display the file for logged in users using something like:

www.someurl.com/showpdf.aspx?mypdf.pdf

Again using PHP on Apache, although the folder is secure to external users, local files can access the folder and I simply use Readfile('filename'); to output the file to the browser (as well as some headers to tell the browser the content-type). How would I do this in ASP.Net? I'm thinking along the lines of reading the file into a stream and then outputting it to the Response.OutputStream somehow.

Thanks.
 
You've not really fully answered my question.

Also I assume you mean use a web.config file:

<authorization>
<deny users="*" />
</authorization>

Although this will deny people accessing my aspx pages I'm not convinced this will stop them viewing pdf files that have nothing to do with asp.net.

Thanks so far though.

:)
 
mark007 said:
You've not really fully answered my question.

Also I assume you mean use a web.config file:

<authorization>
<deny users="*" />
</authorization>

Although this will deny people accessing my aspx pages I'm not convinced this will stop them viewing pdf files that have nothing to do with asp.net.

Thanks so far though.

:)

It does. Anything that is in the folder that you have that web.config in will be protected.

I usually employ role-based security, and like to use a separate web.config per folder I protect. The auth block looks like this:

Code:
<authorization>
    <allow roles="Administrators,SubscribedUsers" />
    <deny users="*" />
</authorization>

Check out this link for more.

So you could do something like:
Code:
<authorization>
    <deny users="?" />
</authorization>

Which would deny all anonymous users.

Good luck!
 
OK, that sounds good. So am I on the right lines for actually showing the file with having a page that opens a stream to the file and then saves it to the Response.OutputStream?

Can't say I've thought it through fully but I'm certainly hazy on this..
 
Ok, just tried it and doesn't seem to work. As suspected pdf files aren't processed by ASP.Net so it doesn't block them. If I add pdf to be processed by asp.net then it does block them - this isn't realistic though as I want to secure a directory, not file type.

:)
 
Ah yes, if you're linking directly to the pdf's. A workaround is to have an .aspx page in the protected folder that contains the links to the pdf's.
 
Well it's not a workaround as the pdf's are still in the folder so if the address was known they could be viewed. They have to be completely secure. I guess I could get all files handled by asp.net. Though this would slow things down I guess it would work...
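
The approach asked about in the thread (a page that checks the login and then writes the file to the response) can be sketched as an ASP.NET handler; this is an added example, not code from any poster in the thread. It assumes the site's authentication populates context.User, that the PDFs are moved to a folder outside the web root (the D:\protected-pdfs path is a placeholder), and that the file name arrives in a hypothetical "file" query parameter.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not code from the thread. Assumed names: the "file" query
// parameter and the D:\protected-pdfs folder are placeholders.
public class ShowPdf : IHttpHandler
{
    // Assumption: the PDFs are stored outside the web root, so IIS has no URL
    // that maps to them and only this handler can serve them.
    private static readonly string BaseDir =
        Path.GetFullPath(@"D:\protected-pdfs") + Path.DirectorySeparatorChar;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Anonymous callers are refused before any file name is looked at.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 403; return; }

        // Accept a bare *.pdf leaf name only. Separators, drive colons, quotes
        // and control characters are invalid file-name characters on Windows,
        // so "..\web.config" or "sub/x.pdf" is rejected here.
        string name = context.Request.QueryString["file"] ?? "";
        if (name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
        { context.Response.StatusCode = 400; return; }

        // Second check: the resolved path must still sit under BaseDir.
        string full = Path.GetFullPath(Path.Combine(BaseDir, name));
        if (!full.StartsWith(BaseDir, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(full))
        { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "inline; filename=\"" + name + "\"");
        // TransmitFile writes the file to the response without buffering it in memory.
        context.Response.TransmitFile(full);
    }
}
```

Because the files no longer sit under a URL-addressable folder, the direct-link problem discussed above does not arise, and only requests that pass the authentication check reach the file read.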
 