Securing attachments, e.g., .pdf, .doc, .xls through web.config

Discussion in 'ASP General' started by win2kcowboy, May 25, 2005.

  1. win2kcowboy

    win2kcowboy Guest

    Using VS2003, ASP.NET 1.1

    Is it possible to secure files normally placed as attachments (such as word
    docs etc.) and often placed in attachment directories within your web
    application, using FORMS authentication and web.config and NOT using Active
    Directory/NTFS permissions (_all_ users will come in under the ASPNET user
    account at the AD/NTFS level).

    I am familiar with the fact that placing the following few lines into
    web.config within a child directory, e.g., one of those "attachment
    directories," effectively secures the files within from the general public
    (if someone were to type the attachment URL out in an attempt to bypass the
    home page, they would be kicked back to a login page):



    <deny users="?"/>

    That is great if you have one level of security but what if your web
    application uses multiple levels of security, e.g., member, leader,
    president, etc whereby some documents are meant for one level of user but not
    the others (let alone the general public)? It seems as if the web.config
    file has "authenticated" and "not-authenticated" states only.

    I know that one can set more restrictive NTFS permissions on the resources
    and have the user log in to some pages using integrated windows security but
    that becomes unwieldy with hundreds/thousands of users who would probably not
    manage their AD account very well anyway. I would like to stick with a
    simple FORMS based authentication native to the web application using a
    database back end.

    ASPX pages themselves can be secured programmatically:
    If Not Page.User.IsInRole("President") Then
        ' do something like hide the content and explain why
        Message.Text = "You must be a president to view this page"
    End If

    But what of files such as .doc, .pdf, .xls and other files often used to
    deliver substantive report content? Effectively, lower level users can bypass
    your web application security by simply typing out the URL to the file in
    question after logging in themselves.

    Is there a way for the web.config to intercept such users and kick them back
    to a login or other page?

    I know that individual users, roles, can be specified in the web.config
    "allow", "deny" statements but the accounts these statements reference are
    either Local machine or Domain (active directory) accounts not married to the
    web application.

    Thanks for any help. If someone can direct me to an article on this topic
    as well I would appreciate it.
    win2kcowboy, May 25, 2005
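
One way to close the direct-URL gap described in the question, as an added example that is not part of the original thread: keep the documents outside the web root and stream them through an ASP.NET 1.1 handler that checks the caller's role first. The class name, the `StoreRoot` path, the `folder`/`file` query parameters and the convention of storing database roles as a comma-separated list in the forms ticket's `UserData` are all assumptions made for illustration.

```vbnet
Imports System
Imports System.IO
Imports System.Web
Imports System.Web.Security

' Added example. Assumed setup: mapped in web.config <httpHandlers> to a path such
' as "attachment.ashx" in a directory that already carries <deny users="?"/>.
Public Class AttachmentHandler
    Implements IHttpHandler
    ' Assumed layout: one subfolder per role, e.g. ...\Attachments\President\report.pdf
    Private Const StoreRoot As String = "D:\AppData\Attachments"

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Assumed: the login page wrote the user's roles from the database into
        ' the forms ticket's UserData as a comma-separated list.
        Dim roles() As String = New String() {}
        If Not context.User Is Nothing AndAlso TypeOf context.User.Identity Is FormsIdentity Then
            Dim id As FormsIdentity = CType(context.User.Identity, FormsIdentity)
            roles = id.Ticket.UserData.Split(","c)
        End If

        ' The requested folder must exactly match one of the caller's roles.
        Dim folder As String = context.Request.QueryString("folder")
        If folder Is Nothing OrElse folder.Length = 0 OrElse Array.IndexOf(roles, folder) < 0 Then
            context.Response.StatusCode = 403 : Return
        End If

        ' Keep only the file-name part so "..\" cannot leave the role folder.
        Dim name As String = Nothing
        Try
            name = Path.GetFileName(context.Request.QueryString("file"))
        Catch ex As ArgumentException
        End Try
        Dim fullPath As String = Nothing
        If Not name Is Nothing AndAlso name.Length > 0 Then fullPath = Path.Combine(Path.Combine(StoreRoot, folder), name)
        If fullPath Is Nothing OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404 : Return
        End If
        context.Response.ContentType = "application/octet-stream"
        context.Response.AddHeader("Content-Disposition", "attachment; filename=""" & name & """")
        context.Response.WriteFile(fullPath)
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

Because the files are no longer under a browsable directory, a logged-in member who types a document URL by hand has nothing to reach; every download goes through the role check.
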

  2. Ray Costanzo [MVP], May 25, 2005