Role based security - file downloads

Mesan

I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the user to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
 
Guest

You might try moving the pdf files to a folder not visible directly from your
website then have an asp.net page in a secured directory read and stream the
file directly to the browser.

ex - Getfile.aspx?filename=secrets.pdf

This way none of your files can be viewed from your website by guessing
their url, and you can verify permissions in your aspx page before you send
the file.
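
Guest's suggestion above, sketched as an added example (not code from the thread): a handler behind the Getfile URL that checks the role and only then streams a PDF from a folder outside the site. The class name, the `StorageRoot` path and the `PrivateUsers` role are assumptions; the `filename` parameter is validated because it arrives straight from the URL.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

public class GetFile : IHttpHandler
{
    // Assumed values: a folder outside the site, and the role name.
    private const string StorageRoot = @"D:\PrivateDocs\";
    private const string RequiredRole = "PrivateUsers";

    public bool IsReusable { get { return true; } }

    // Returns the full path for a bare *.pdf name inside StorageRoot, else null.
    // Separators, drive colons and other invalid characters are rejected, so a
    // value such as "..\web.config" never reaches the file system.
    private static string Resolve(string name)
    {
        if (String.IsNullOrEmpty(name)
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
            return null;
        string full = Path.GetFullPath(Path.Combine(StorageRoot, name));
        return full.StartsWith(StorageRoot, StringComparison.OrdinalIgnoreCase)
            && File.Exists(full) ? full : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        // Authorize before the file system is touched.
        if (!context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // Wrong role and bad names get the same 404, so the response
        // does not reveal which files exist.
        string fullPath = context.User.IsInRole(RequiredRole)
            ? Resolve(context.Request.QueryString["filename"]) : null;
        if (fullPath == null)
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        // Private: the browser may cache, shared proxies may not.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(fullPath);
    }
}
```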
 
Kevin Jones

IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin
 
Mesan

And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
 
Mesan

I found this article:
http://www.microsoft.com/technet/community/columns/insider/iisi1005.mspx
and followed its instructions but after authenticating I get the
following error - what did I miss?

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information

This problem can be caused by a variety of issues, including:

Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's
domain.
If this is an HTTPS (secure) address, click Tools, click Internet
Options, click Advanced, and check to be sure the SSL and TLS protocols
are enabled under the security section.
 
Kevin Jones

In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\config\web.config.comments
for an example), although I believe the default handler should work,

Kevin
 
Mesan

I sincerely appreciate your response but I must be doing something
wrong because it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the login page -- perfect. They log in and then in
IE they get the error I posted above or in Firefox it just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
 
Mesan

AFAIK there is no code to step through, it's IIS and ASP.Net handling
the documents themselves.
 
Kevin Jones

In your web.config try adding the following

<httpHandlers>
<add path="*.pdf" verb="*" type="System.Web.StaticFileHandler"
validate="true"/>
</httpHandlers>

This works for me,

Kevin
 
Mesan

I tried that and now all forms authentication is being skipped - the
file is just being served directly.

:-(
 
Kevin Jones

Are you sure you're not just getting the file from the browser cache?

Try clearing the cache in explorer and then try again,

Kevin
