Protect file with different extension from .aspx

Discussion in 'ASP .Net Security' started by Alessandro Zucchi, Mar 24, 2005.

  1. Hi,
    I'm developing an asp.net application. I'm using form authentication.
    All runs with page aspx, but when I try to connect to a protected file
    diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    application download the file instead of redirect to the predefined login
    page.
    Anyone can help me ?

    Best regards
    alex
     
    Alessandro Zucchi, Mar 24, 2005
    #1
    1. Advertising

  2. Alessandro Zucchi

    Teemu Keiski Guest

    Hi,

    see this blog post

    Protect PDF, DOC and other file types with Forms Authentication
    http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/05/21/14215.aspx

    --
    Teemu Keiski
    ASP.NET MVP, AspInsider
    Finland, EU

    "Alessandro Zucchi" <> wrote in
    message news:...
    > Hi,
    > I'm developing an asp.net application. I'm using form authentication.
    > All runs with page aspx, but when I try to connect to a protected file
    > diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    > application download the file instead of redirect to the predefined login
    > page.
    > Anyone can help me ?
    >
    > Best regards
    > alex
    >
     
    Teemu Keiski, Mar 24, 2005
    #2
    1. Advertising

  3. Hello!

    I have the same problem!! I already have tested the 'ISAPI ASP.NET
    Filter Redirection' for .htm and .html files and it works fine!!

    But what i can do for .pdf files? I want that user can read this files
    directly in the internet explorer window without need to download them...

    Any Idea?

    Thank you in advance.

    Best Regards,
    Juan Antonio

    gabe garza escribió:
    > Create an ASPX page that'll download the file to the user.
    > Example. http://www.servername.com/getfile.aspx?filename=3928393293
    >
    > Now you can still use form authentication.
    >
    > Make sure in getfile.aspx to set your Content-Type and Content-Disposition
    > properly.
    >
    > I did a similar thing for a client that wanted images sent from an AS/400
    > computer to be displayed in a client browser, but only if a valid user was
    > logged into the system.
    > I also made sure that 3928393293 was only valid for the user that requested
    > the image and that 3928393293 could only be used once. Some users bookmarked
    > the URL but the client didn't want that.
    >
    >
    > "Alessandro Zucchi" <> wrote in
    > message news:...
    >
    >>Hi,
    >>I'm developing an asp.net application. I'm using form authentication.
    >>All runs with page aspx, but when I try to connect to a protected file
    >>diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    >>application download the file instead of redirect to the predefined login
    >>page.
    >>Anyone can help me ?
    >>
    >>Best regards
    >>alex
    >>
    >>

    >
    >
    >
     
    Juan Antonio Tubío, Mar 30, 2005
    #3
  4. I think that the best solution is a 'mixed authentication' between
    'windows authentication' and 'forms authentication'. Setup 'Windows
    Authentication' to protect a full folder (automatically for all file
    types) and when the user try to access them, show a login form (can
    check the user in a custom database) and 'internally' do a 'Windows
    Login' with a Windows User.

    But i don't know hot to do it..

    gabe garza escribió:
    > Create an ASPX page that'll download the file to the user.
    > Example. http://www.servername.com/getfile.aspx?filename=3928393293
    >
    > Now you can still use form authentication.
    >
    > Make sure in getfile.aspx to set your Content-Type and Content-Disposition
    > properly.
    >
    > I did a similar thing for a client that wanted images sent from an AS/400
    > computer to be displayed in a client browser, but only if a valid user was
    > logged into the system.
    > I also made sure that 3928393293 was only valid for the user that requested
    > the image and that 3928393293 could only be used once. Some users bookmarked
    > the URL but the client didn't want that.
    >
    >
    > "Alessandro Zucchi" <> wrote in
    > message news:...
    >
    >>Hi,
    >>I'm developing an asp.net application. I'm using form authentication.
    >>All runs with page aspx, but when I try to connect to a protected file
    >>diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    >>application download the file instead of redirect to the predefined login
    >>page.
    >>Anyone can help me ?
    >>
    >>Best regards
    >>alex
    >>
    >>

    >
    >
    >
     
    Juan Antonio Tubío, Mar 30, 2005
    #4
  5. Alessandro Zucchi

    gabe garza Guest

    Juan,

    Technically the PDF file has to be sent to the client browser so matter
    what, it's still "downloading" no matter how you look at it.

    Just make sure to set the Content-Type and Content-Disposition properly in a
    "getfile.aspx" or what every you named the aspx file.
    The PDF file, if the client has installed Acrobat Reader, will display the
    PDF in IE, Firefox, Safari, etc...
    If a client hasn't installed Acrobat Reader then they'll get a "Open", "Save
    As" dialog box.

    Gabe


    "Juan Antonio Tubío" <> wrote in message
    news:...
    > Hello!
    >
    > I have the same problem!! I already have tested the 'ISAPI ASP.NET Filter
    > Redirection' for .htm and .html files and it works fine!!
    >
    > But what i can do for .pdf files? I want that user can read this files
    > directly in the internet explorer window without need to download them...
    >
    > Any Idea?
    >
    > Thank you in advance.
    >
    > Best Regards,
    > Juan Antonio
    >
    > gabe garza escribió:
    >> Create an ASPX page that'll download the file to the user.
    >> Example. http://www.servername.com/getfile.aspx?filename=3928393293
    >>
    >> Now you can still use form authentication.
    >>
    >> Make sure in getfile.aspx to set your Content-Type and
    >> Content-Disposition properly.
    >>
    >> I did a similar thing for a client that wanted images sent from an AS/400
    >> computer to be displayed in a client browser, but only if a valid user
    >> was logged into the system.
    >> I also made sure that 3928393293 was only valid for the user that
    >> requested the image and that 3928393293 could only be used once. Some
    >> users bookmarked the URL but the client didn't want that.
    >>
    >>
    >> "Alessandro Zucchi" <> wrote in
    >> message news:...
    >>
    >>>Hi,
    >>>I'm developing an asp.net application. I'm using form authentication.
    >>>All runs with page aspx, but when I try to connect to a protected file
    >>>diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    >>>application download the file instead of redirect to the predefined login
    >>>page.
    >>>Anyone can help me ?
    >>>
    >>>Best regards
    >>>alex
    >>>
    >>>

    >>
    >>
    >>

    >
     
    gabe garza, Apr 8, 2005
    #5
  6. Alessandro Zucchi

    Yahoo Guest

    There are two main ways to accomplish this...

    1) have asp.net protect the file
    2) have windows ntsf protect the file

    For 1).
    You need to have IIS send the requested file to ASP.NET. To accomplish this
    go into IIS application virtual directory->Home Directory->Mappings.
    Edit/Add the .pdf to the asp.net frameworks executable path (see .aspx).
    Uncheck check file exists. Now asp.net will now receive the request. From
    here you might want to implement a httpHandler and stream the file out.

    For 2).
    Create a new role in windows called 'pdfer' or whatever. Set all prfs to be
    read by this role (and sysem admin and so forth) but not iusr_xxx. When
    doing form authentication, set the identity of this user to also include
    this role.

    Hope that helps
    Joe

    "Alessandro Zucchi" <> wrote in
    message news:...
    > Hi,
    > I'm developing an asp.net application. I'm using form authentication.
    > All runs with page aspx, but when I try to connect to a protected file
    > diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    > application download the file instead of redirect to the predefined login
    > page.
    > Anyone can help me ?
    >
    > Best regards
    > alex
    >
    >
     
    Yahoo, Apr 12, 2005
    #6
  7. Hello:

    The first option i think is the best, but i don't have developped
    never a httpHandler, ¿you know any page with a sample?

    For the second option, i think it's too a good solution but if the
    user write in the browser directly the link for the pdf file, the
    broser show a 'Windows Authentication' form, i don't know how to avoid
    this!!

    Thank you Joe, you have put me in the good way.

    On Mon, 11 Apr 2005 23:51:44 GMT, "Yahoo"
    <> wrote:

    >There are two main ways to accomplish this...
    >
    >1) have asp.net protect the file
    >2) have windows ntsf protect the file
    >
    >For 1).
    >You need to have IIS send the requested file to ASP.NET. To accomplish this
    >go into IIS application virtual directory->Home Directory->Mappings.
    >Edit/Add the .pdf to the asp.net frameworks executable path (see .aspx).
    >Uncheck check file exists. Now asp.net will now receive the request. From
    >here you might want to implement a httpHandler and stream the file out.
    >
    >For 2).
    >Create a new role in windows called 'pdfer' or whatever. Set all prfs to be
    >read by this role (and sysem admin and so forth) but not iusr_xxx. When
    >doing form authentication, set the identity of this user to also include
    >this role.
    >
    >Hope that helps
    >Joe
    >
    >"Alessandro Zucchi" <> wrote in
    >message news:...
    >> Hi,
    >> I'm developing an asp.net application. I'm using form authentication.
    >> All runs with page aspx, but when I try to connect to a protected file
    >> diverse to an aspx (such as a PDF file) and I'm not authenticated , the
    >> application download the file instead of redirect to the predefined login
    >> page.
    >> Anyone can help me ?
    >>
    >> Best regards
    >> alex
    >>
    >>

    >
     
    Juan Antonio Tubio, Apr 12, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Peter Rilling
    Replies:
    1
    Views:
    623
    John Saunders
    Jun 7, 2004
  2. MadHatter51
    Replies:
    1
    Views:
    887
    Hakan Lambracht
    May 17, 2006
  3. Christian Seberino
    Replies:
    3
    Views:
    1,198
    Christian Seberino
    Feb 5, 2004
  4. Steve
    Replies:
    3
    Views:
    27,025
    Steve
    Aug 25, 2006
  5. Detlef Reichl
    Replies:
    1
    Views:
    113
    Tim Hunter
    Jul 29, 2007
Loading...

Share This Page