Control Access To File Types In asp.net

Joey

I have a web app that uses forms authentication. The app also has a
downloads section, and I need to be able to use <location> tags to
control access to the downloadable files there (preferably by directory
instead of individual file.)

I understand that this behavior does not occur by default because IIS
only maps certain file types (i.e. "*.aspx") to asp.net by
default. In other words, any user can download files that are within
the application's protected <location> tags simply by typing the
filename's url directly into the browser window. The request never
makes it to the asp.net application, because IIS does not have those file
types mapped to asp.net.

After reading a couple of posts about this problem, I thought I could
fix it by creating IIS mappings for asp.net for the different file
types. And so I did this...I created IIS mappings for asp.net for
"*.exe", "*.pdf", "*.zip" and a few others.

It all seemed to work well at first, but...users began having problems
when downloading certain files. For example, the Acrobat Reader plugin
for IE and Firefox went haywire and quit working...it would just open a
blank white window! Similar problems were experienced when trying to
download zip files.

And so, I finally figured out that the mappings I had entered were
causing the problems, and I removed them. After that, of course,
everything started working normally again.

Now, the question...This approach is obviously not the best way to
control access to the files. Who knows a better way to do this?
 
S. Justin Gengo

Joey,

Here are two thoughts.

1) Save the file to a SQL Database (or Access) then retrieve and deliver the
file only to authorized users:
http://aspalliance.com/articleViewer.aspx?aId=138&pId (This link shows
how to save an image to SQL. Saving a file would be similar.)

http://aspalliance.com/articleViewer.aspx?aId=140 (This link shows how
to retrieve an image from SQL. Again a file would be similar.)

2) Another option would be to change the file extensions on each file to
.aspx extensions that would map to IIS normally thus locking users out. Then
you could use a separate page to read the file into a stream reader and
deliver it to the user. That would be done similarly to what this article
shows and in fact, this article deals with exactly what you need so you may
just follow its instructions...

http://www.codeproject.com/aspnet/SecureFileDownload.asp

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
Guest

Store the files outside the WWW path. Then use a GetFile.aspx page to check
their credentials and retrieve the file and stream it to them.
This allows you the ultimate in file access control without instituting
Windows security.
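
One way to write the GetFile.aspx page suggested above, as an added example that is not code from this thread or the linked articles. The directory `D:\ProtectedDownloads`, the role name `Downloaders` and the `file` query parameter are assumptions.

```csharp
// GetFile.aspx.cs -- added example; path, role and parameter names are assumptions.
using System;
using System.IO;
using System.Web;

public partial class GetFile : System.Web.UI.Page
{
    // Assumed location outside the web root, so IIS can never serve it directly.
    private const string DownloadRoot = @"D:\ProtectedDownloads";
    // Assumed role name; replace with whatever the application's roles are.
    private const string RequiredRole = "Downloaders";

    protected void Page_Load(object sender, EventArgs e)
    {
        // An .aspx request passes through forms authentication, unlike a direct .pdf/.zip URL.
        if (!Request.IsAuthenticated || !User.IsInRole(RequiredRole))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Accept a bare file name only: separators, ':', quotes and control
        // characters are all in GetInvalidFileNameChars, so they are rejected here.
        string name = Request.QueryString["file"];
        bool badName = string.IsNullOrEmpty(name) ||
                       name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0;

        // Resolve the path and confirm it is still inside the download directory
        // (this also rejects a name such as "..").
        string root = Path.GetFullPath(DownloadRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string fullPath = badName ? null : Path.GetFullPath(Path.Combine(root, name));

        if (badName ||
            !fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        Response.TransmitFile(fullPath); // streams from disk without buffering the whole file
        Response.End();
    }
}
```

Because the files live outside the site's directory tree, the only route to them is this page, so the `<location>` rule only has to protect GetFile.aspx itself.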
 
