Securing attachments, e.g., .pdf, .doc, .xls through web.config

 
 
win2kcowboy
      05-25-2005
Using VS2003, ASP.NET 1.1

Is it possible to secure files normally placed as attachments (such as Word
docs etc.) and often placed in attachment directories within your web
application, using FORMS authentication and web.config and NOT using Active
Directory/NTFS permissions (_all_ users will come in under the ASPNET user
account at the AD/NTFS level)?

I am familiar with the fact that placing the following few lines into
web.config within a child directory, e.g., one of those "attachment
directories," effectively secures the files within from the general public
(if someone were to type the attachment URL out in an attempt to bypass the
home page, they would be kicked back to a login page):

<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

That is great if you have one level of security, but what if your web
application uses multiple levels of security, e.g., member, leader,
president, etc., whereby some documents are meant for one level of user but not
the others (let alone the general public)? It seems as if the web.config
file has "authenticated" and "not-authenticated" states only.

I know that one can set more restrictive NTFS permissions on the resources
and have the user log in to some pages using integrated windows security but
that becomes unwieldy with hundreds/thousands of users who would probably not
manage their AD account very well anyway. I would like to stick with a
simple FORMS based authentication native to the web application using a
database back end.

ASPX pages themselves can be secured programmatically:

If Page.User.IsInRole("President") Then
    'do something like
Else
    'Hide content fields.
    Message.Text = "You must be a president to view this page"
End If

But what of files such as .doc, .pdf, .xls and other files often used to
deliver substantive report content? Effectively, lower level users can bypass
your web application security by simply typing out the URL to the file in
question after logging in themselves.

Is there a way for the web.config to intercept such users and kick them back
to a login or other page?

I know that individual users, roles, can be specified in the web.config
"allow", "deny" statements but the accounts these statements reference are
either Local machine or Domain (active directory) accounts not married to the
web application.

Thanks for any help. If someone can direct me to an article on this topic
as well I would appreciate it.
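
An added example, not part of the original thread: one way to close the direct-URL gap described in this post is to keep the documents outside the web root and serve them through an HTTP handler that repeats the same IsInRole check the ASPX pages use. The class name DocumentHandler, the "id" query parameter, the D:\SecureDocs path and the document table are assumptions made for illustration.

```vbnet
' Added example, not code from the thread. DocumentHandler, the "id"
' parameter, D:\SecureDocs and the sample table are assumed names.
Imports System.Collections
Imports System.IO
Imports System.Web

Public Class DocumentHandler
    Implements IHttpHandler
    ' Files live outside the web root, so no URL maps to them directly.
    Private Const StoreRoot As String = "D:\SecureDocs"

    ' Constructed sample data: document id -> {file name, required role}.
    ' A real application would read this from its database.
    Private Shared ReadOnly Docs As Hashtable = BuildDocs()

    Private Shared Function BuildDocs() As Hashtable
        Dim t As New Hashtable
        t.Add("101", New String() {"member-newsletter.pdf", "Member"})
        t.Add("102", New String() {"leader-budget.xls", "Leader"})
        t.Add("103", New String() {"board-minutes.doc", "President"})
        Return t
    End Function

    Public Sub ProcessRequest(ByVal context As HttpContext) _
        Implements IHttpHandler.ProcessRequest
        Dim entry As String() = Nothing
        Dim id As String = context.Request.QueryString("id")
        If Not id Is Nothing Then entry = CType(Docs(id), String())

        ' Unknown id and insufficient role get the same answer, so the
        ' response does not reveal which documents exist.
        If entry Is Nothing OrElse Not context.User.Identity.IsAuthenticated _
           OrElse Not context.User.IsInRole(entry(1)) Then
            context.Response.StatusCode = 403
            Return
        End If

        ' The file name comes from the table, never from the request.
        context.Response.ContentType = "application/octet-stream"
        context.Response.AddHeader("Content-Disposition", "attachment; filename=" & entry(0))
        context.Response.WriteFile(Path.Combine(StoreRoot, entry(0)))
    End Sub

    Public ReadOnly Property IsReusable() As Boolean _
        Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

To use it, register the class under <httpHandlers> in web.config for a path of your choosing (download.ashx is an assumed name) and link to that path with the document id instead of linking to the file itself.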
 
Ray Costanzo [MVP]
      05-25-2005
http://www.aspfaq.com/5002

Ray at work

"win2kcowboy" <> wrote in message
news:55534B3F-09F4-4B66-BFAC-...
> Using VS2003, ASP.NET 1.1



 