Reading a file in my ASP.NET app

Discussion in 'ASP .Net Security' started by David Thielen, Dec 15, 2006.

  1. Hi;

    I had assumed that what I am asking here was a common request - but I am not
    finding anything on this.

    In my ASP.NET app a user can enter an xml file that we then pull in as data.
    Needless to say we don't want them able to get the
    \\hr\payroll\executive_salaries.xml - unless it is the authorized person in
    HR.

    So we require a username & password with which to access a file. For http(s)
    and ftp this is fine as you can pass an ICredentials to the XmlDocument
    resolver.

    But the files that are on a share - how should we be doing this? I don't
    want to use the rights of the user running the app as it will allow too much
    for some users and not enough for others.

    Or am I totally missing something here?

    ???

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
    David Thielen, Dec 15, 2006
    #1

  2. Hello Dave,

    I've also found you posted this question in some other threads, and Walter and
    Peter have worked with you there. For your scenario, do you mean there are
    some protected files in your internal file share, and in your ASP.NET web
    application, you'll render out these files to client users based on their
    authentication identity, correct?

    If this is the case, why don't you use forms authentication to authenticate
    the user and use a custom role to identify whether the authenticated user has
    sufficient permission to access the files on the remote share? And for your
    ASP.NET web application, you can always use a fixed account to access the
    file share to read the files and flush the content to the client. Do you think
    this is workable in your scenario?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Dec 18, 2006
    #2

  3. Thanks for your reply Dave,

    If the users are in the same domain with the webserver and file server, we
    can programmatically impersonate our application to run under that account
    and access the file share. However, if they're not in the same domain or a
    trusted domain, impersonation won't work and we will be unable to act as the
    client user (with username and password) and access the remote share. For the
    limited scenario, you may consider using a trusted account to retrieve the
    resource (and you need to check whether the account has permission in your own
    code logic).

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Dec 19, 2006
    #3
  4. Hi Dave,

    Yes, using net use is one means to link a remote share with user credentials
    valid on the remote machine. However, it is not quite good to be used
    programmatically in a concurrent environment (multi-threading application) as
    you said.

    Are your web application's client users/machines in the same intranet
    environment, or do they have direct network access to the remote directory?
    If so, I recommend that your web application directly redirect them to the
    remote share so that their security authentication won't need to be
    transferred through the webserver. Elsewise, you will still be limited to the
    custom file access authorization approach (with a fixed account to access
    the remote share).

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Dec 21, 2006
    #4
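
The approach suggested in replies #2 through #4 (a fixed account reads the share, and the application decides per user which files may be requested), sketched in C# as an added example that is not part of any post in this thread. The class name, the role names and the `\\files\public\` root are hypothetical, and the read is assumed to run under the application's fixed account.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;

// Added example; ShareAccessPolicy, the roles and the roots are hypothetical.
public static class ShareAccessPolicy
{
    // Role -> share roots that role may read (constructed sample data).
    // Each root ends in '\' so "\\hr\payroll_old\" cannot match "\\hr\payroll".
    private static readonly Dictionary<string, string[]> AllowedRoots =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "HRPayroll", new[] { @"\\hr\payroll\" } },
            { "Staff",     new[] { @"\\files\public\" } },
        };

    public static bool IsAllowed(IPrincipal user, string requestedPath)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (string.IsNullOrEmpty(requestedPath))
            return false;

        string full;
        // Collapse "..", "." and mixed separators before comparing to a root.
        try { full = Path.GetFullPath(requestedPath); }
        catch (Exception) { return false; }   // malformed path: deny

        foreach (KeyValuePair<string, string[]> entry in AllowedRoots)
        {
            if (!user.IsInRole(entry.Key)) continue;
            foreach (string root in entry.Value)
                if (full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                    return true;
        }
        return false;   // default deny: unknown role, unknown root, relative path
    }

    // The file is opened with the process identity (the fixed account),
    // so the check above is the only per-user gate.
    public static string ReadXmlFor(IPrincipal user, string requestedPath)
    {
        if (!IsAllowed(user, requestedPath))
            throw new UnauthorizedAccessException("Not authorized for this file.");
        return File.ReadAllText(Path.GetFullPath(requestedPath));
    }
}
```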