Reputation: 3328
Authorize & Authenticate access to static content (pdf)
I have an asp.net web app and accessible with form authentication. Inside the folder structure looks like this:-
\myapp
\document\pdf\hello1.pdf
\document\pdf\hello2.pdf
\document\pdf\hello3.pdf
\document\pdf\hello4.pdf
http://localhost/myapp/document/pdf/hello1.pdf
Now these pdf files are used in the anchor links within the app. Now i want to enforce the authentication & authorization to restrict the direct access to these static resources. If there is access from outside the app, it should go to the login page.
I cannot change the path of the files in the anchor tags because i used it at many places across the app.
Is there a way to do with web.config ?
Pls suggest some solutions.
Thanks.
Upvotes: 4
Views: 10694
Answers (4)
Reputation: 21
For .NET 2.0/3.5/4.0 and IIS6 I found that the following was necessary to force static files such as .pdf in a specific folder to be processed by .NET:
1) IIS6 configuration:
A. In the properties for the website, go to the Home Directory tab and click Configuration
B. Double-click an existing "application extension" entry (such as .ascx) and copy the path found at "Executable" (this path will vary depending on the version of .NET in use; thus it's easier to copy & paste)
C. Cancel the dialog for Add/Edit Application Extension Mapping and click "Add" to add a new extension
D. Paste the path you copied in 1B into "Executable"
E. In "Extension" put .pdf (or other file extension)
F. choose "All verbs" or "Limit to" GET, etc. as needed; un-check "verify if file exists" if not a physical file on the server
G. Click OK on all dialogs
2) web.config configuration:
A. add the location for the restricted directory or file:
<location path="your_directory">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
B. Add the following to the httpHandlers section:
<add path="*.pdf" verb="*" type="System.Web.StaticFileHandler" validate="true" />
Now .net will only serve .pdfs in your_directory to authenticated users (using forms authentication in my case).
Upvotes: 1
Reputation: 12721
You should add to web.config the following lines to restrict access to 'document' folder only to authenticated users.
Unauthenticated users will be automatically redirected to login page, as desired.
<configuration>
..........
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="TSAuthCookie" cookieless="UseCookies"
timeout="60" path="/"/>
</authentication>
<location path="document">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Upvotes: 1
Reputation: 33538
To enable web.config
<authorization> elements to affect non ASP.NET file extensions you need to enable Wildcard Script Mapping on IIS6 (applies to IIS7 if classic pipeline mode is enabled), or use the integrated pipeline mode in IIS7.
Please see http://ruslany.net/2008/09/wildcard-script-mapping-and-iis-7-integrated-pipeline/
Then web.config entries such as the following will work:
<location path="document">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Upvotes: 0
Related Questions
- secure and hide url and folder from direct download pdf in mvc5
- How do I restrict access to pdf files on my server?
- ASP.NET Directory Authentication
- How to secure a document/pdf request in MVC?
- Restrict static files access to authenticated users in ASP.Net
- Deny Access to generated PDFs ASP.net
- Is there a way to protect against unauthorized viewing of a document in a web site?
- How to prevent accessing unauthorized user to resource such as .pdf file in host?
- how to load a pdf from server as an aspx page (or loading pdf files securely)?
- .NET Forms Authentication: How to limit access to resources like pdf files to authenticated users only