Authentication for documents

[Guest]

Hi,

I have an application where I want to store reports (.pdf, .doc) in a
reports subdirectory. Within the reports subdirectory, I am creating other
subdirectories (with a job number) where I store the reports for a job. I
can access the reports fine through my application.

However, if I save the link to a report, I can open it without logging into
the application, which would be a security issue.

How can I get forms authentication to protect these reports from anonymous
access?

The web.config file protects any access to the .aspx files in the root
directory, and there are no extra web.config files in the subdirectories, so
I don't see why the subdirectories aren't protected also.

Thanks for your help.

 

[Guest]

Forms auth only protects access to .aspx file not .doc, .pdf, .html etc.
files. These might help:

http://www.wwwcoder.com/main/Default.aspx?tabid=68&mid=407&site=1795&parentid=177 (See File Storage methods)

http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/ (See Caveat..)

 

[Joey]

You can also enter IIS mappings to tell it that asp.net will handle
these certain file types. Beware, though. Certain file types like PDF
may have "issues" with this, so be sure to test afterwards.

Do a search for specific examples.

 

[Daniel TIZON]

If you don't want to change the default settings of IIS to map .pdf and .doc
extensions to ASP.NET, you should probably create a dynamic page (.aspx) or
better, and HTTP Handler (.ashx or .axd)
witch can return the document with a Response.BinaryWrite method.

--
Daniel TIZON
MCP - MCSD.NET - MCT


- Save your documents in a directory not directly accessible with HTTP/IIS
- create an HTTPHandler witch extension is .axd or .ashx (theses extentions
are known of IIS