Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net (http://www.velocityreviews.com/forums/f29-asp-net.html)
-   -   For certain directories, protecting files from direct access that match a naming pattern OR mediating http access through my app (http://www.velocityreviews.com/forums/t525828-for-certain-directories-protecting-files-from-direct-access-that-match-a-naming-pattern-or-mediating-http-access-through-my-app.html)

Ken Fine 07-31-2007 12:49 AM

For certain directories, protecting files from direct access that match a naming pattern OR mediating http access through my app
 
Short version: I want to know how in ASP.NET I could bar direct http access
to some files in a directory that match a pattern, but not others. An
alternate solution would be to bar all direct http access to files and
require that any access of the files be mediated by my web application. In
other words, direct access via http://domain.com/app/MyCoolPhoto.jpg would
be forbidden.

Long version: I've written a photo cms and display application that has
organized many tens of thousands of files. It has made different versions of
those files, some of which I am willing to offer to the general public and
most of which I'm not:

jid20040632_pid400017_wissnerslivkachair_001_ld50. jpg
// OK to show to the world
jid20040632_pid400017_wissnerslivkachair_001_ld400 watermarked.jpg //
Also OK, it's watermarked
jid20040632_pid400017_wissnerslivkachair_001_fulls ized.jpg
// NOT OK! Keep this files matching "..._fullsized" off limits!
[multiply this by 20 other variations.]

I want to limit access to most of those variations. In some cases I imagine
I will be doing that limiting via ASP.NET 2 roles and in other cases I will
be inspecting ServerVariables that are assigned by the Pubcookie auth
framework.

Can someone suggest a server-side approach that works with ASP.NET and that
can't be easily defeated?

Thanks,
-KF



Steve C. Orr [MCSD, MVP, CSM, ASP Insider] 07-31-2007 06:49 AM

Re: For certain directories, protecting files from direct access that match a naming pattern OR mediating http access through my app
 
I've documented all you need to know on this subject here:
http://dotnetslackers.com/articles/a...ileDenial.aspx

--
I hope this helps,
Steve C. Orr,
MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net



"Ken Fine" <kenfine@u.washington.edu> wrote in message
news:f8m0ue$msf$1@gnus01.u.washington.edu...
> Short version: I want to know how in ASP.NET I could bar direct http
> access to some files in a directory that match a pattern, but not others.
> An alternate solution would be to bar all direct http access to files and
> require that any access of the files be mediated by my web application. In
> other words, direct access via http://domain.com/app/MyCoolPhoto.jpg would
> be forbidden.
>
> Long version: I've written a photo cms and display application that has
> organized many tens of thousands of files. It has made different versions
> of those files, some of which I am willing to offer to the general public
> and most of which I'm not:
>
> jid20040632_pid400017_wissnerslivkachair_001_ld50. jpg // OK to show to the
> world
> jid20040632_pid400017_wissnerslivkachair_001_ld400 watermarked.jpg //
> Also OK, it's watermarked
> jid20040632_pid400017_wissnerslivkachair_001_fulls ized.jpg // NOT OK! Keep
> this files matching "..._fullsized" off limits!
> [multiply this by 20 other variations.]
>
> I want to limit access to most of those variations. In some cases I
> imagine I will be doing that limiting via ASP.NET 2 roles and in other
> cases I will be inspecting ServerVariables that are assigned by the
> Pubcookie auth framework.
>
> Can someone suggest a server-side approach that works with ASP.NET and
> that can't be easily defeated?
>
> Thanks,
> -KF
>




All times are GMT. The time now is 01:15 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.