I am creating those files at runtime, and I delete them every 24 hours through a windows service. I am not sure how to control access to them until they are deleted.
Well, I was suggesting (via those articles) that you place a web.config in the folders where your loose html files are. In the .config you then configure your rules for access (authorization rules). I don't know what your rules are but if it's simply the
user needs to be authenticated (meaning, no anonymous users) then it's a simple setting like:
Now if you want more dynamic rules, then I'd suggest changing how you serve the html content to be something more dynamic (like a Controller/Action or a HTTP handler) that can enfore your authorization logic in code.
If I put the following , Users are always allowed to access, even if no one is authenticated to the website.
<system.web>
<authorization>
<allow roles="DocumentViewerRole" />
<deny users="*" />
</authorization>
</system.web>
if I put this, no one is allowed to access the documents anymore whether authenticated or
not.
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
What can I do to make the first one work right? Am I missing something? Should I put a location,
and if yes how can I make it point to all the files in the folder?
The thing to understand about the <system.web>/<authorization> feature is that it's implemented by a HTTP module from ASP.NET. So what this means is that if that HTTP module is to run then the request needs to be for an HTTP handler written in .NET. So you
can configure the ASP.NET URL Authorization module to run for all requests and not just managed handlers. But in IIS7 they added a new URL Authorization module that is implemented in IIS7 -- so in a sense there are two modules that will do this same thing
and you use different ones based upon what your host is. If you're using Cassini as your web server (for debugging) then the first link I gave you is the one you want. If you're in IIS then you want the IIS URL Authorization modulewhich is the 2nd link I provided
above. It's confusing that there are two.
So the IIS Config is under <system.webServer>/<security>/<authorization>
Let me modify my question, I don't want the user to access the htm file himself through the url. The url is embedded in the webpages of the website. Even if the user has access or rights to view a webpage, he should not have rights to access the document
through the url.
If the user looks at view source he might see a file path, and he might guess what the url for the embedded document is.
Is there a way to control that through the security tab of the folder on the webserver. Like only IIS-User and Admin_user of the windows server can access the folder?
Even though the user has rights to access a webpage, it does not mean he should have rights to access the document embedded.
Let me modify my question, I don't want the user to access the htm file himself through the url. The url is embedded in the webpages of the website. Even if the user has access or rights to view a webpage, he should not have rights to access the document
through the url.
If the user looks at view source he might see a file path, and he might guess what the url for the embedded document is.
Is there a way to control that through the security tab of the folder on the webserver. Like only IIS-User and Admin_user of the windows server can access the folder?
Even though the user has rights to access a webpage, it does not mean he should have rights to access the document embedded.
Ah that's different and is really hard to achieve. Think about it -- how are you going to tell on the server that the request is from the embedded resourse or just the user typing the URL into the browser. You're not going to achieve this without a lot of
work. You'd need to somehow serve up the files once based upon some one-use key. Also, the web isn't designed for this per-se. Think of all the web caching that occurrs on the web -- so if they enter the URL into the browser they might get the local browser
cached copy.
I guess it may not make much sense to create an http handler then. Unauthenticated users can never know the names of my files which get deleted every night by the windows service. The names are actually Guids.ToString(), and they get created at runtime.
An authenticated user can access the file in the temporary internet folder so he won't need much effort to save it to his system.
I don't know what to say, but I guess it is difficult sometimes to control things.
Do you think I could pass an html file stream as opposed to an html file path to the iframe in my View? in this way I can go ahead and delete the file after capturing a stream. If yes, do you know how?
afache
Member
203 Points
497 Posts
MVC and Security
Aug 30, 2012 04:13 PM|LINK
Hi,
I have a folder in my mvc web application that contains html files. I sometimes display those html files as embedded in some of my webpages.
I want to prevent user access to those html files in case the user types the path to any of those files in his browser.
The folder is in the same directory as my views and controller folders on the webserver.
Please advise on best practice ...
BrockAllen
All-Star
27534 Points
4907 Posts
MVP
Re: MVC and Security
Aug 30, 2012 04:17 PM|LINK
You can use traditional URL-based authorization for static files like this:
http://msdn.microsoft.com/en-us/library/wce3kxhd%28v=VS.100%29.aspx
and
http://learn.iis.net/page.aspx/142/understanding-iis-url-authorization/
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
afache
Member
203 Points
497 Posts
Re: MVC and Security
Aug 30, 2012 05:00 PM|LINK
I am creating those files at runtime, and I delete them every 24 hours through a windows service. I am not sure how to control access to them until they are deleted.
BrockAllen
All-Star
27534 Points
4907 Posts
MVP
Re: MVC and Security
Aug 30, 2012 05:15 PM|LINK
Well, I was suggesting (via those articles) that you place a web.config in the folders where your loose html files are. In the .config you then configure your rules for access (authorization rules). I don't know what your rules are but if it's simply the user needs to be authenticated (meaning, no anonymous users) then it's a simple setting like:
<authorization>
<deny users='?' />
<allow users='*' />
</authorization>
Now if you want more dynamic rules, then I'd suggest changing how you serve the html content to be something more dynamic (like a Controller/Action or a HTTP handler) that can enfore your authorization logic in code.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
afache
Member
203 Points
497 Posts
Re: MVC and Security
Aug 30, 2012 06:41 PM|LINK
If I put the following , Users are always allowed to access, even if no one is authenticated to the website.
<system.web>
<authorization>
<allow roles="DocumentViewerRole" />
<deny users="*" />
</authorization>
</system.web>
if I put this, no one is allowed to access the documents anymore whether authenticated or not.
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
What can I do to make the first one work right? Am I missing something? Should I put a location, and if yes how can I make it point to all the files in the folder?
BrockAllen
All-Star
27534 Points
4907 Posts
MVP
Re: MVC and Security
Aug 30, 2012 07:00 PM|LINK
The thing to understand about the <system.web>/<authorization> feature is that it's implemented by a HTTP module from ASP.NET. So what this means is that if that HTTP module is to run then the request needs to be for an HTTP handler written in .NET. So you can configure the ASP.NET URL Authorization module to run for all requests and not just managed handlers. But in IIS7 they added a new URL Authorization module that is implemented in IIS7 -- so in a sense there are two modules that will do this same thing and you use different ones based upon what your host is. If you're using Cassini as your web server (for debugging) then the first link I gave you is the one you want. If you're in IIS then you want the IIS URL Authorization modulewhich is the 2nd link I provided above. It's confusing that there are two.
So the IIS Config is under <system.webServer>/<security>/<authorization>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Customers" />
</authorization>
</security>
</system.webServer>
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
afache
Member
203 Points
497 Posts
Re: MVC and Security
Aug 30, 2012 07:21 PM|LINK
Let me modify my question, I don't want the user to access the htm file himself through the url. The url is embedded in the webpages of the website. Even if the user has access or rights to view a webpage, he should not have rights to access the document through the url.
If the user looks at view source he might see a file path, and he might guess what the url for the embedded document is.
Is there a way to control that through the security tab of the folder on the webserver. Like only IIS-User and Admin_user of the windows server can access the folder?
Even though the user has rights to access a webpage, it does not mean he should have rights to access the document embedded.
BrockAllen
All-Star
27534 Points
4907 Posts
MVP
Re: MVC and Security
Aug 30, 2012 08:29 PM|LINK
Ah that's different and is really hard to achieve. Think about it -- how are you going to tell on the server that the request is from the embedded resourse or just the user typing the URL into the browser. You're not going to achieve this without a lot of work. You'd need to somehow serve up the files once based upon some one-use key. Also, the web isn't designed for this per-se. Think of all the web caching that occurrs on the web -- so if they enter the URL into the browser they might get the local browser cached copy.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
afache
Member
203 Points
497 Posts
Re: MVC and Security
Aug 31, 2012 12:54 PM|LINK
I guess it may not make much sense to create an http handler then. Unauthenticated users can never know the names of my files which get deleted every night by the windows service. The names are actually Guids.ToString(), and they get created at runtime.
An authenticated user can access the file in the temporary internet folder so he won't need much effort to save it to his system.
I don't know what to say, but I guess it is difficult sometimes to control things.
Do you think I could pass an html file stream as opposed to an html file path to the iframe in my View? in this way I can go ahead and delete the file after capturing a stream. If yes, do you know how?