Directory Security

[Craig]

Hi

I'm using forms authenication to security my site. I have a sub-directory
which contains some .pdf, .xsl, .html and .doc files. If a user is
authenicated, then they are allowed access to the files in the sub-directory.
Here's what I placed in web.config:

<location path="Documents">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

If the user types in the url http://host/website/documents, they receive a
403 - Forbidden error which is fine. However if they type in the url
http://host/website/documents/excel.xls they are prompted to save or open the
file.

In IIS the virtual directory has read permissions checked, for directory
security only Anonymous access is allowed.

How can I prevent files from being accessed from the web without the user
being authenicated?

Many thanks

Craig

 

[Dominick Baier [DevelopMentor]]

Hello Craig,

you have to route those extensions to the ASP.NET runtime, otherwise your
web.config settings will never be evaluated and the files are directly served
by IIS

Read more here:
http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx

most of the information also applies to 1.1

 

[Craig]

Hi Dominick

Just what I was looking for, thanks.

In my case, I would have something like the following:
<add verb="*" path="/Documents/*.doc" type="System.Web.HttpForbiddenHandler"
validate="true"/>

Preventing *.doc files being accessed from the sub-directory Documents.

The reason I ask, is I've been experimenting with the path attribute and I
can still access the file that should be forbidden.

Craig

 

[Dominick Baier [DevelopMentor]]

Hello Craig,

try it whithout the trailing slash.

btw - there is a follow up article that shows a better handler - maybe read
that before you proceed
http://www.leastprivilege.com/MoreOnProtectingStaticResourcesWithASPNET20.aspx

 

[Dominick Baier [DevelopMentor]]

Hello Craig,

sorry - i meant the leading slash

In my case, I would have something like the following:
<add verb="*" path="Documents/*.doc"
type="System.Web.HttpForbiddenHandler"
validate="true"/>

 

[Craig]

Hi Dominick

Here's what I have done and what I think I need to do:

In my virtual directory configuration I've added .pdf, .xls and .doc as
application mappings to the ASP.NET ISAPI filter, verbs ALL.

My web.config look like this:

<location path="Documents">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

<system.web>
<httpHandlers>
<add verb="*" path="*.doc" type="System.Web.HttpForbiddenHandler"
validate="false"/>
<add verb="*" path="*.pdf" type="System.Web.HttpForbiddenHandler"
validate="false"/>
<add verb="*" path="*.xls" type="System.Web.HttpForbiddenHandler"
validate="false"/>
</httpHandlers>

<authentication mode="Forms">
<forms loginUrl="login.aspx" name="FORMSAUTHCOOKIE">
<credentials passwordFormat="Clear"> <!-- test only -->
<user name="craig" password="1234" />
</credentials>
</forms>
</authentication>
</system.web>

When I type: http://host/webapp/documents I get the forbidden access, when
I type http://host/webapp/documents/file.pdf the pdf file loads. This
happens without the user logging in. If I type
http://host/webapp/documents/file.xls I get forbidden access exception. This
occurs regardless of my signing in.

Is anything I'm doing wrong? Or do I need to write my own HttpHandler to do
this?

Craig

 

[Dominick Baier [DevelopMentor]]

Hello Craig,

the .xls behaviour is intended - pdf not - make sure your script mappings
in IIS are correct.

 

[Craig]

Hi Dominick

I double checked my pdf scrip mapping in IIS, other than the .pdf extension
it was the same as my .xls entry.

I managed to get the desired outcome implementing IHttpHandler to intercept
the request; I redirect the call to Login.aspx if the user is not
authenicated, otherwise stream the file to the browser through
Response.OutputStream.

Hopefully this is the best approach to take in the v1.1 Framework.

Craig