Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Use asp.net to protect file types

Reply
Thread Tools

Use asp.net to protect file types

 
 
lawrence
Guest
Posts: n/a
 
      10-14-2003
http://support.microsoft.com/?id=815152 (Edit the script mappings in
Internet Services Mananger to protect pdf's with aspnet)


I have a site that has multiple pdf's for download and multiple users
who will download the .pdf's. I secured the site using the above
article. I created an "admin" app that assigns users to .pdf's and I
create links to the .pdf's based on that app.

My problem is that once the user logs into the app. he has access to
all the .pdf's if he simple types the URL in the address bar. I'm not
sure the authentication "role" model with groups will work because I
would need a group for each PDF and I would need to create the groups
programmatically every time an "admin" adds a PDF to the "download"
share.

Thanks
--Dietrich
 
Reply With Quote
 
 
 
 
Jim Cheshire [MSFT]
Guest
Posts: n/a
 
      10-14-2003
Dietrich,

If you are following the article explicitly, any request for a PDF file
will be processed through the HttpForbiddenHandler and any attempt to hit
them will generate an error telling you that files of that type cannot be
served. From what you are saying, it seems as though this is not what you
want to do. Instead, you want to disallow hitting these files unless a
user has met some requirement such as role membership. Is that correct?

If that's the case, you should probably consider storing the PDFs outside
of your content area and then using Response.BinaryWrite to stream the file
assuming the user has permission to get it.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
http://www.velocityreviews.com/forums/(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: (E-Mail Removed) (lawrence)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Subject: Use asp.net to protect file types
>Date: 14 Oct 2003 15:09:19 -0700
>Organization: http://groups.google.com
>Lines: 18
>Message-ID: <(E-Mail Removed) >
>NNTP-Posting-Host: 130.126.240.97
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1066169359 32629 127.0.0.1 (14 Oct 2003

22:09:19 GMT)
>X-Complaints-To: (E-Mail Removed)
>NNTP-Posting-Date: Tue, 14 Oct 2003 22:09:19 +0000 (UTC)
>Path:

cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed 00.sul.t-online.de!t-onlin
e.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnew s1.google.com!no
t-for-mail
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 7165
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>http://support.microsoft.com/?id=815152 (Edit the script mappings in
>Internet Services Mananger to protect pdf's with aspnet)
>
>
>I have a site that has multiple pdf's for download and multiple users
>who will download the .pdf's. I secured the site using the above
>article. I created an "admin" app that assigns users to .pdf's and I
>create links to the .pdf's based on that app.
>
>My problem is that once the user logs into the app. he has access to
>all the .pdf's if he simple types the URL in the address bar. I'm not
>sure the authentication "role" model with groups will work because I
>would need a group for each PDF and I would need to create the groups
>programmatically every time an "admin" adds a PDF to the "download"
>share.
>
>Thanks
>--Dietrich
>


 
Reply With Quote
 
 
 
 
Dinis Cruz
Guest
Posts: n/a
 
      10-15-2003
Hello

Please see my answer in this post
http://www.asp.net/Forums/ShowPost.a...&PostID=362002

It contains a solution for your problem

Best regards

Dinis Cruz
..Net Security Consultant
DDPlus (www.ddplus.net)

(E-Mail Removed) (lawrence) wrote in message news:<(E-Mail Removed). com>...
> http://support.microsoft.com/?id=815152 (Edit the script mappings in
> Internet Services Mananger to protect pdf's with aspnet)
>
>
> I have a site that has multiple pdf's for download and multiple users
> who will download the .pdf's. I secured the site using the above
> article. I created an "admin" app that assigns users to .pdf's and I
> create links to the .pdf's based on that app.
>
> My problem is that once the user logs into the app. he has access to
> all the .pdf's if he simple types the URL in the address bar. I'm not
> sure the authentication "role" model with groups will work because I
> would need a group for each PDF and I would need to create the groups
> programmatically every time an "admin" adds a PDF to the "download"
> share.
>
> Thanks
> --Dietrich

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can XSD simple types be derived from complex types? Soren Kuula XML 2 12-01-2005 07:51 PM
Where are ref types that are members of value types stored? Sathyaish ASP .Net 2 05-22-2005 07:32 PM
missing types in module types? Manlio Perillo Python 0 05-29-2004 06:33 AM
Boost + Python C/API: Mixing python return types with boost return types Steve Knight Python 2 10-10-2003 10:11 AM
STD types vs C++ intrinsic types Jeremy Cowles C++ 5 08-19-2003 05:33 PM



Advertisments