Base

Reputation: 1061

Secure serving of images in combination with using ImageResizer

[This is a follow-up / cleaned-up question regarding an earlier discussion here with Computer Linguist; I hope I have specified this enough.] Can ImageResizer grab files outside the site root and serve them (thus avoiding making the unaltered originals available online)? Or what is the best practice for this scenario?

* Should the originals be stored outside the site root, a base-resized image be stored online (protected via URL auth / HttpModule etc.), and then let ImageResizer do on-the-fly resizing for thumbs etc. based on that image? As far as I've seen, I haven't found a way to restrict access 100% to a folder except when it is requested via ImageResizer. If ImageResizer can resize it, the user can access it, it seems so far.

* Or is perhaps a solution with a controller serving the original image, which is then handled by ImageResizer?

The key purposes are to:

  1. Be able to customize permission rules completely

  2. Be able to serve in a secure fashion (at least, so far as I have learned, unaltered user-uploaded images should not be accessible directly under the site root). Preserving the originals also seems like a future-proof strategy.

  3. Be able to utilize the awesomeness of ImageResizer on-the-fly resizing.

Any input on how others have implemented this is appreciated as well.

Upvotes: 1

Views: 360

Answers (1)

Lilith River

Reputation: 16468

  1. Locating the files outside the site root doesn't accomplish anything. You'll still have to mount them as a virtual folder, making them accessible again.
  2. MVC is written in such a way that it will be absolutely useless here - it procrastinates until ProcessRequest to do anything.
  3. ImageResizer is quite irrelevant to this question - it behaves like StaticFileHandler for your purposes - you need a generic authorization system.
  4. ASP.NET URL Authorization sounds like it may not be sophisticated enough for your desired level of complexity.

To accomplish custom authorization logic, you will need to handle the AuthorizeRequest event in the HTTP pipeline and implement your path parsing logic from scratch. You can handle the event in Global.asax.cs or by implementing IHttpModule.

In AuthorizeRequest, you can access the incoming path and querystring data before ImageResizer or any other HttpModule or HttpHandler ever sees it, decide whether or not the user should be able to access it today, and either let the request continue or throw an HTTP 401 error.

I suggest using ILSpy to look at the UrlAuthorizationModule found in System.Web.Security. It's only a couple pages of code in length, and pretty straightforward.

Upvotes: 1
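The following is an added example of the approach the answer describes (handling AuthorizeRequest in an IHttpModule); it is not code from the answer, from ImageResizer, or from System.Web. The folder name "~/uploads/", the "Admin" role, and the rule that "~/uploads/{userId}/..." is readable only by that user are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Web;

// Added example (not from the original answer or from ImageResizer).
// Runs in the AuthorizeRequest stage of the ASP.NET pipeline, which is
// reached before ImageResizer, StaticFileHandler or any MVC handler sees
// the request. Register it in web.config under
// <system.webServer><modules> (integrated pipeline) or
// <system.web><httpModules> (classic pipeline).
public class UploadAuthorizationModule : IHttpModule
{
    // Assumed: the protected folder lives under the site root at this path.
    private const string ProtectedPrefix = "~/uploads/";

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Path and query string are already available here. ASP.NET has
        // normalised the path and rejected ".." segments before this stage,
        // so segment-based checks below see a canonical app-relative path.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return; // Not our folder: leave the decision to other modules.

        if (IsAllowed(ctx.User, path, ctx.Request.QueryString))
            return; // Let the request continue to ImageResizer / the handler.

        // 401 for anonymous callers so FormsAuthenticationModule can redirect
        // them to the login page; 403 for authenticated but unauthorised users,
        // so they are not bounced into a login loop.
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        ctx.Response.StatusCode = authenticated ? 403 : 401;
        ctx.Response.SuppressContent = true;
        app.CompleteRequest(); // Skip straight to EndRequest; no handler runs.
    }

    // Assumed authorization rule: "~/uploads/{userId}/..." is readable by
    // that user or by members of the "Admin" role. Replace with your own
    // logic; the query string is passed in so rules can also inspect the
    // ImageResizer parameters (e.g. refuse width > 200 for non-owners).
    internal static bool IsAllowed(IPrincipal user, string appRelativePath, NameValueCollection query)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return false;
        if (user.IsInRole("Admin"))
            return true;

        // Segments: ["~", "uploads", "{userId}", ...rest]
        string[] segments = appRelativePath.Split('/');
        if (segments.Length < 4 || segments[3].Length == 0)
            return false; // Directory listings and malformed paths are denied.

        return string.Equals(segments[2], user.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Because the check runs before any handler is selected, it covers both the raw file request (/uploads/42/photo.jpg) and the ImageResizer request (/uploads/42/photo.jpg?width=100) with the same rule, which is the point of the answer: ImageResizer adds nothing to the authorization problem, it only needs to sit behind a module like this one.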
