mark007 Posted May 10, 2005 Posted May 10, 2005 I want to have a folder containing files - pdf's for argument's sake - that are only accessible to logged in users. So if someone typed: http://www.someurl.com/pdfs/mypdf.pdf They would get an access denied message. I could do this on Apache just using a .htaccess file in the folder. What's the IIS equivalent? Secondly I then need to display the file for logged in users using something like: http://www.someurl.com/showpdf.aspx?mypdf.pdf Again using PHP on Apache although the folder is secure to external users local files can access the folder and I simply use Readfile('filename'); to output the file to the browser (as well as some headers to tell the browser the content-type). How would I do this is ASP.Net. I'm thinking along the lines of reading the file into a stream and then outputting it to the Response.OutputStream somehow. Thanks. Quote Please check the Knowledge Base before you post. "Computers are useless. They can only give you answers." - Pablo Picasso The Code Net
Bikuri Posted May 12, 2005 Posted May 12, 2005 use a web.config (you'll see instructions for how to do it inside of a new web.config file) Quote
mark007 Posted May 12, 2005 Author Posted May 12, 2005 You've not really fully answered my question. Also I assume you mean use a web.config file: <authorization> <deny users="*" /> </authorization> Although this will deny people accessing my aspx pages I'm not convinced this will stop them viewing pdf files that have nothing to do with asp.net. Thank so far though. :) Quote Please check the Knowledge Base before you post. "Computers are useless. They can only give you answers." - Pablo Picasso The Code Net
Bikuri Posted May 12, 2005 Posted May 12, 2005 You've not really fully answered my question. Also I assume you mean use a web.config file: <authorization> <deny users="*" /> </authorization> Although this will deny people accessing my aspx pages I'm not convinced this will stop them viewing pdf files that have nothing to do with asp.net. Thank so far though. :) It does. Anything that is in the folder that you have that web.config in will be protected. I usually employ role based security, and like to use a separated web.config per folder I protect. The auth block looks like this: <authorization> <allow roles="Administrators,SubscribedUsers" /> <deny users="*" /> </authorization> checkout this link for more. So you could do something like: <authorization> <deny users="?" /> </authorization> Which would deny all anonymous users. Good luck! Quote
mark007 Posted May 12, 2005 Author Posted May 12, 2005 OK, that sounds good. So am I on the right lines for actually showing the file with having a page that opens a stream to the file and then saves it to the Response.Outputstream? Can't say I've thought it through fully but I'm certainly hazy on this.. Quote Please check the Knowledge Base before you post. "Computers are useless. They can only give you answers." - Pablo Picasso The Code Net
mark007 Posted May 12, 2005 Author Posted May 12, 2005 Ok, just tried it and doesn't seem to work. As suspected pdf files aren't processed by ASP.Net so it doesn't block them. If I add pdf to be processed by asp.net then it does block them - this isn't realistic though as I want to secure a directory, not file type. :) Quote Please check the Knowledge Base before you post. "Computers are useless. They can only give you answers." - Pablo Picasso The Code Net
Bikuri Posted May 13, 2005 Posted May 13, 2005 Ah yes, if you're linking directly to the pdf's. A workaround is to have an .aspx page in the protected folder that contains the links to the pdf's. Quote
mark007 Posted May 13, 2005 Author Posted May 13, 2005 Well it's not a workaround as the pdf's are still in the folder so if the address was known they could be viewed. They have to be completely secure. I guess I could get all files handled by asp.nt. Though this would slow things down I guess it would work... Quote Please check the Knowledge Base before you post. "Computers are useless. They can only give you answers." - Pablo Picasso The Code Net
Administrators PlausiblyDamp Posted May 13, 2005 Administrators Posted May 13, 2005 http://aspnet.4guysfromrolla.com/articles/020404-1.aspx may be worth a glance. Map .pdf to be handled by IIS for your web application and then edit the web.config to mark them as forbidden files. Quote Posting Guidelines FAQ Post Formatting Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.