Use asp.net to protect file types

Discussion in 'ASP .Net Security' started by lawrence, Oct 14, 2003.

  1. lawrence

    lawrence Guest

    http://support.microsoft.com/?id=815152 (Edit the script mappings in
    Internet Services Manager to protect pdf's with aspnet)


    I have a site that has multiple pdf's for download and multiple users
    who will download the .pdf's. I secured the site using the above
    article. I created an "admin" app that assigns users to .pdf's and I
    create links to the .pdf's based on that app.

    My problem is that once the user logs into the app, he has access to
    all the .pdf's if he simply types the URL in the address bar. I'm not
    sure the authentication "role" model with groups will work because I
    would need a group for each PDF and I would need to create the groups
    programmatically every time an "admin" adds a PDF to the "download"
    share.

    Thanks
    --Dietrich
    lawrence, Oct 14, 2003
    #1

  2. Dietrich,

    If you are following the article explicitly, any request for a PDF file
    will be processed through the HttpForbiddenHandler and any attempt to hit
    them will generate an error telling you that files of that type cannot be
    served. From what you are saying, it seems as though this is not what you
    want to do. Instead, you want to disallow hitting these files unless a
    user has met some requirement such as role membership. Is that correct?

    If that's the case, you should probably consider storing the PDFs outside
    of your content area and then using Response.BinaryWrite to stream the file
    assuming the user has permission to get it.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >http://support.microsoft.com/?id=815152 (Edit the script mappings in
    >Internet Services Manager to protect pdf's with aspnet)
    >
    >
    >I have a site that has multiple pdf's for download and multiple users
    >who will download the .pdf's. I secured the site using the above
    >article. I created an "admin" app that assigns users to .pdf's and I
    >create links to the .pdf's based on that app.
    >
    >My problem is that once the user logs into the app, he has access to
    >all the .pdf's if he simply types the URL in the address bar. I'm not
    >sure the authentication "role" model with groups will work because I
    >would need a group for each PDF and I would need to create the groups
    >programmatically every time an "admin" adds a PDF to the "download"
    >share.
    >
    >Thanks
    >--Dietrich
    >
    Jim Cheshire [MSFT], Oct 14, 2003
    #2
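
The approach suggested in post #2 (PDFs kept outside the content area and streamed with Response.BinaryWrite after a per-user check), sketched as an added example that is not part of the thread. The handler name, the `StoreRoot` path and the two in-memory tables are hypothetical stand-ins for the "admin" app's own assignment data.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class PdfDownloadHandler : IHttpHandler   // hypothetical name, e.g. Download.ashx?id=1
{
    // Assumption: this folder is outside the web content area, so IIS never serves it directly.
    private const string StoreRoot = @"D:\PdfStore";

    // Constructed sample data standing in for the admin app: document id -> file on disk.
    private static readonly Dictionary<int, string> Documents =
        new Dictionary<int, string> { { 1, "pricing.pdf" }, { 2, "contract.pdf" } };
    // Constructed sample data: user name -> document ids the admin assigned to that user.
    private static readonly Dictionary<string, HashSet<int>> Assignments =
        new Dictionary<string, HashSet<int>>(StringComparer.OrdinalIgnoreCase)
        { { "alice", new HashSet<int> { 1, 2 } }, { "bob", new HashSet<int> { 1 } } };

    public bool IsReusable { get { return true; } }

    public static bool IsAllowed(string user, int docId)
    {
        HashSet<int> ids;
        return Assignments.TryGetValue(user, out ids) && ids.Contains(docId);
    }

    public void ProcessRequest(HttpContext context)
    {
        int docId; string fileName;
        // Same 404 for "no such document" and "not assigned to you",
        // so the response does not reveal which ids exist.
        if (context.User == null
            || !context.User.Identity.IsAuthenticated
            || !int.TryParse(context.Request.QueryString["id"], out docId)
            || !Documents.TryGetValue(docId, out fileName)
            || !IsAllowed(context.User.Identity.Name, docId))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // The path comes from the server-side table, never from the request.
        byte[] pdf = File.ReadAllBytes(Path.Combine(StoreRoot, fileName));
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + fileName + "\"");
        context.Response.BinaryWrite(pdf);
    }
}
```

Because the check is per user and per document id, no role or group has to be created when an admin adds a PDF; only a new row in the assignment data is needed.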

  3. lawrence

    Dinis Cruz Guest

    Hello

    Please see my answer in this post
    http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=362002

    It contains a solution for your problem

    Best regards

    Dinis Cruz
    .Net Security Consultant
    DDPlus (www.ddplus.net)

    (lawrence) wrote in message news:<>...
    > http://support.microsoft.com/?id=815152 (Edit the script mappings in
    > Internet Services Manager to protect pdf's with aspnet)
    >
    >
    > I have a site that has multiple pdf's for download and multiple users
    > who will download the .pdf's. I secured the site using the above
    > article. I created an "admin" app that assigns users to .pdf's and I
    > create links to the .pdf's based on that app.
    >
    > My problem is that once the user logs into the app, he has access to
    > all the .pdf's if he simply types the URL in the address bar. I'm not
    > sure the authentication "role" model with groups will work because I
    > would need a group for each PDF and I would need to create the groups
    > programmatically every time an "admin" adds a PDF to the "download"
    > share.
    >
    > Thanks
    > --Dietrich
    Dinis Cruz, Oct 15, 2003
    #3
