Use asp.net to protect file types

[lawrence]

http://support.microsoft.com/?id=815152 (Edit the script mappings in
Internet Services Mananger to protect pdf's with aspnet)


I have a site that has multiple pdf's for download and multiple users
who will download the .pdf's. I secured the site using the above
article. I created an "admin" app that assigns users to .pdf's and I
create links to the .pdf's based on that app.

My problem is that once the user logs into the app. he has access to
all the .pdf's if he simple types the URL in the address bar. I'm not
sure the authentication "role" model with groups will work because I
would need a group for each PDF and I would need to create the groups
programmatically every time an "admin" adds a PDF to the "download"
share.

Thanks
--Dietrich

 

[Jim Cheshire [MSFT]]

Dietrich,

If you are following the article explicitly, any request for a PDF file
will be processed through the HttpForbiddenHandler and any attempt to hit
them will generate an error telling you that files of that type cannot be
served. From what you are saying, it seems as though this is not what you
want to do. Instead, you want to disallow hitting these files unless a
user has met some requirement such as role membership. Is that correct?

If that's the case, you should probably consider storing the PDFs outside
of your content area and then using Response.BinaryWrite to stream the file
assuming the user has permission to get it.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

 

[Dinis Cruz]

Hello

Please see my answer in this post
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=362002

It contains a solution for your problem

Best regards

Dinis Cruz
..Net Security Consultant
DDPlus (www.ddplus.net)