Last post Sep 14, 2006 07:09 PM by Crouchin9Tiger
Sep 08, 2006 03:31 PM|Crouchin9Tiger|LINK
I'm have a bit of an issue with dening access to the documents folders documents on my web server. I have an app that has a grid, in the grid you can select a document via a hyperlink and the doc will open in a new window. The problem is if the user passes
the link to someone else who hasn't been authenticated they can view the file... I used to render the document in the page so that the url wouldn't display the documents location, but I had to change the logic due to browser settings within the orginization..
So I'm wondering if there is anyway to deny a user who has not been authenticated access to a document even if they have the url sent to them by another user who has access.
Any advice would be very much appreciated.
Sep 08, 2006 05:00 PM|stiletto|LINK
You have two options:
1.) You can stream the file to the user through an aspx page that will provide your authentication check and thereby deny direct access to the file.
2.) You can set IIS to let the aspnet filter to process all files of your document type. Then your security would be enforced just like for an aspx page.
Sep 08, 2006 05:20 PM|Crouchin9Tiger|LINK
Could you give me some steps for your sencond solution?
Sep 08, 2006 06:11 PM|stiletto|LINK
In the IIS MMC plugin:
1.) Right-click on the application where you want the security and select properties.
2.) Select the Configuration button on the Directory tab.
3.) Select the .aspx extension row, click Edit at the bottom and copy the entry in the Executable textbox.
4.) Add the extensions of the documents you're allowing links to (.pdf, .doc, etc.) with the copied information from above as the Executable and GET as the Verb.
This should force everything through your website security (as long as the linked items exist inside your application.
Sep 08, 2006 06:56 PM|Crouchin9Tiger|LINK
It's dening direct access, but I'm getting denied even when I have been authenticated now.. Any thoughts?
Sep 11, 2006 04:19 PM|stiletto|LINK
Make sure the folder is part of the same app as your authentication.
How is your web.config set for the folder?
Sep 11, 2006 04:35 PM|Crouchin9Tiger|LINK
The folder I'm using for the documents is part of the app via a virtual directory. I have forms authentication set up in my web config. I deny access to everyone for the exception of the login page untill authentication has taken place.. How would I set
up folder access in my web config?
Sep 11, 2006 05:34 PM|stiletto|LINK
When you're getting denied inside your app what's happening?
If you're getting something other than redirected back to the login page, you need to reset the IIS folder security back to anonymous access.
Sep 11, 2006 05:52 PM|Crouchin9Tiger|LINK
Sep 11, 2006 05:56 PM|Crouchin9Tiger|LINK
Sorry wasn't access denied.. the error was:
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
Please try the following:
Sep 12, 2006 01:19 PM|stiletto|LINK
That's definitely an error related to how rights are setup in IIS and not in your web app. I'd try removing the windows authentication.
What type of file is it that you're sending?
Sep 12, 2006 01:28 PM|Crouchin9Tiger|LINK
Sep 12, 2006 02:00 PM|stiletto|LINK
Sep 12, 2006 02:16 PM|Crouchin9Tiger|LINK
I think I do have it set up that way it appears beneath the app and the icon beside the documents folder isn't a clog like the one beside my app. Is there another way I could find this info out?
Sep 12, 2006 02:43 PM|stiletto|LINK
Sep 12, 2006 06:44 PM|Crouchin9Tiger|LINK
I have full access for domain admins, read and write for everyone. The folder is indeed part of the application.
Sep 12, 2006 07:09 PM|stiletto|LINK
What Execute permissions are set on the folder? Should be Scripts only.
Sep 12, 2006 07:22 PM|Crouchin9Tiger|LINK
Ok the execute permissions were set to none for that folder... So I set it to scripts only but now I get:
Sep 12, 2006 07:36 PM|stiletto|LINK
Sep 12, 2006 07:46 PM|Crouchin9Tiger|LINK
I don't think it is a the link generation problem. If I take out the application extension in IIS it opens up fine in a new window with the open save dialog.
Sep 13, 2006 05:35 PM|stiletto|LINK
I'm confused by this answer.
Is there a difference between accessing the document directly via URL and accessing the document within the context of your application? What are the URLs? Do both give the same error?
Sep 13, 2006 05:42 PM|Crouchin9Tiger|LINK
Sep 13, 2006 05:57 PM|stiletto|LINK
What happens if you type a direct link to the file in your browser (ex.
http://localhost/MyApp/MyDocs/TheDoc.doc) versus the link in you application to the file?
Are the links the same?
Sep 13, 2006 06:30 PM|Crouchin9Tiger|LINK
This is the direct :
This is the hyperLink:
Sep 13, 2006 07:20 PM|stiletto|LINK
Sep 13, 2006 07:52 PM|Crouchin9Tiger|LINK
Sep 14, 2006 11:52 AM|stiletto|LINK
Sep 14, 2006 01:24 PM|Crouchin9Tiger|LINK
Sep 14, 2006 03:06 PM|stiletto|LINK
Sep 14, 2006 04:09 PM|Crouchin9Tiger|LINK
Sep 14, 2006 06:15 PM|stiletto|LINK
Sep 14, 2006 07:09 PM|Crouchin9Tiger|LINK