I am using ASP.Net MVC. I have restricted access to the web site using ASP Forms authentication. However, the web pages contain links to pdf files on the server which I also want protected.
For example, the user can browse to foo.com and foo.com/account/logon. Once they logon they can access foo.com/category/bar which presents the view in bar.aspx. On that view is a link to foo.com/files/theta.pdf which loads up in the browser just fine. However, I don’t want foo.com/files/theta.pdf accessible from the browser unless the user has authenticated.
How do I prevent a user from accessing foo.com/files/theta.pdf directly from their browser without first authenticating at foo.com/account/logon?
Pass the request through a controller, and return a FileResult. You can apply whatever security you want to the controller method, either by using the Authorize attribute, or by checking permissions inside the controller method.
There is an example of such code at this question, which illustrates how to return an image file. Just return your pdf instead of the image file, and use application/pdf as the MIME type.
If you want to restrict all access to the /files directory you could simply use a location element in your web.config to restrict access.
E.g.
<location path="~/files">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
I should add that I agree with Robert and Rob for advanced security, but if you just want a simple solution this should do the trick. :-)
HTHs,
Charles
Use FileResult, which I believe is a built-in ActionResult. This will send back binary data that you can have all kinds of authorization around:
http://msdn.microsoft.com/en-us/library/system.web.mvc.fileresult.aspx
If you used ASP.NET Core you can using Resource-based authorization
Authorization strategy depends upon the resource being accessed. Consider a document that has an author property. Only the author is allowed to update the document. Consequently, the document must be retrieved from the data store before authorization evaluation can occur.
Related
how to handle request when user directly enters html content in URL.
I want to redirect to Error page when user enters html tag in URL is that possible in MVC.
I have tried from BeginExecute event of by creating override method.
Please give some suggestion.
Thanks.
meybe can use RouteHandler for when a user needs to redirect to any
external page, shorten long URLs, or make URLs more user friendly.
please check my answer
Error handling ASP.NET MVC
You can always choose CustomErrorMode="On" in web.config and configure with your error controller
Custom Error Mode will help you to redirect any invalid or malicious link or content to redirect it to your errorcontroller and handle it the way you want.
You can use Request validation for do it. It prevents to accept un-encoded HTML/XML etc from Client to server. It validates all the data that is passed from client to server. To use this feature , you must set requestValidationMode as 4.5 in web.config like:
<httpruntime requestvalidationmode="4.5" />
For more information please see this article.
Is it possible to use ASP.NETs session state with URL like
http://myserver/somesite?sessionKey=thekey
The problem is, that I have to write a site for a client software which authenticates a user by a request like
http://myserver/somesite?user=xyz&passwd=xyz
The client expects than to get a session key as result if the authentication was successful.
This session key will then be used as variable in the query as shown above. The client does not support cookies.
How can I implement this behavior by using ASP.NET MVC 4?
P.S.: I know it is absolutly not the way to go but I am not in position to change the client.
If I do understand you correctly, you could just try it, right?
(We already met it, and it was a pain for searching engines)
<sessionState mode="InProc" timeout="5" cookieless="true" />
And I can say it is working
The url generated instead of
"http://server/Product/en-GB/MyEntity"
is now:
"http://server/Product/(S(rxavnpuw05o3fmy3tjnuystr))/en-GB/MyEntity"
We're in a period of moving all our applications to sub-domains of the same primary domain.
Once this is done we aim to move our entire set up to a Single Sign-On system. Currently, we use Forms authentication and set a cookie containing an encrypted token when the user is successfully logged in.
When it comes to setting this up for SSO - is it simply a matter of changing the domain to which the session cookie(s) are set? Or are there other matters that need addressing for this to work.
Set the Machine key in the system.web section of your we.config's to the same value, get that from your IIS config:
<machineKey validationKey="<from IIS>" decryptionKey="<from IIS>"
validation="SHA1" decryption="3DES" />
Then all the sites will see the cookie as valid. The domain names in your section should be subdomains, I think. Well, it works when they are subdomains, don't know what it will do if the actual domain names are different.
I have forms authentication on my MVC site and the default route is set to send users to /home/index. Home/index is excluded from the login requirement, via a Web.config location section. if I type in http://Example/home/index, I go to the home page as expected, but if I just do http://Example, I get redirected to the logon page.
If I turn off authentication and do http://Example, the default route works fine, and I'm sent to the home page.
Why is authentication not respecting the default route? Thanks!
You shouldn't be using the <location> element in web.config to handle authorization in an ASP.NET MVC application as it might clash with your routes. This is used in standard WebForms applications but it is considered bad practice in MVC.
The recommended way to handle this is to decorate your controllers/actions with the [AuthorizeAttribute]. So get rid of all location elements in web.config and decorate.
For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:
<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />
See this article for more on the machinekey.
The sharepoint site doesn't allow anonymous access and uses forms authentication, however I have custom page in "_layouts/" that anonymous users need to be able to access.
I thought it would be enough to add a <location></location> tag in the web.config with the correct path that allowed anonymous access (<allow users="*" />), however, this seems to have no effect.
I figured it out, the problem was a bit deeper. The page in question was set to use a masterpage dynamically which anonymous users did not have access. Otherwise the <location></location> tag did work.