Authentication for documents

Hi,

I have an application where I want to store reports (.pdf, .doc) in a
reports subdirectory. Within the reports subdirectory, I am creating other
subdirectories (with a job number) where I store the reports for a job. I
can access the reports fine through my application.

However, if I save the link to a report, I can open it without logging into
the application, which would be a security issue.

How can I get forms authentication to protect these reports from anonymous
access?

The web.config file protects any access to the .aspx files in the root
directory, and there are no extra web.config files in the subdirectories, so
I don't see why the subdirectories aren't protected also.

Thanks for your help.
Dec 20 '05 #1
Forms auth only protects access to .aspx files, not .doc, .pdf, .html, etc.
files. These might help:

http://www.wwwcoder.com/main/Default...5&parentid=177 (See File Storage methods)

http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/ (See Caveat..)
Dec 20 '05 #2
You can also enter IIS mappings to tell it that asp.net will handle
these certain file types. Beware, though. Certain file types like PDF
may have "issues" with this, so be sure to test afterwards.

Do a search for specific examples.

Dec 20 '05 #3
If you don't want to change the default settings of IIS to map .pdf and .doc
extensions to ASP.NET, you should probably create a dynamic page (.aspx) or,
better, an HTTP Handler (.ashx or .axd)
which can return the document with a Response.BinaryWrite method.

--
Daniel TIZON
MCP - MCSD.NET - MCT
- Save your documents in a directory not directly accessible with HTTP/IIS
- create an HTTPHandler whose extension is .axd or .ashx (these extensions
are known to IIS

Dec 20 '05 #4
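
The approach from the last reply (documents kept outside the web-served tree and returned by an HTTP handler), as an added example that is not code from the thread. The handler name, the `ReportRoot` path and the `job`/`file` query parameters are assumptions.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical handler, e.g. ReportDownload.ashx?job=1042&file=summary.pdf
public class ReportDownload : IHttpHandler
{
    // Assumed location outside the site root, so IIS cannot serve it by URL.
    private const string ReportRoot = @"D:\AppData\Reports";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // .ashx is mapped to ASP.NET, so the forms-auth ticket has already been
        // evaluated; under forms auth a 401 becomes a redirect to the login page.
        if (!context.Request.IsAuthenticated) { Fail(context, 401); return; }

        string job = context.Request.QueryString["job"] ?? "";
        string file = context.Request.QueryString["file"] ?? "";

        // Allowlist: numeric job number, plain file name with no path separators,
        // quotes or control characters, and only the two report extensions.
        if (!Regex.IsMatch(job, @"\A[0-9]{1,10}\z") ||
            !Regex.IsMatch(file, @"\A[A-Za-z0-9][A-Za-z0-9 _.-]*\.(pdf|doc)\z",
                           RegexOptions.IgnoreCase))
        { Fail(context, 400); return; }

        // Defence in depth: resolve the path and confirm it is still under the root.
        string root = Path.GetFullPath(ReportRoot) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(Path.Combine(root, job), file));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        { Fail(context, 404); return; }

        // A per-job permission check on context.User belongs here if not every
        // logged-in user may read every job's reports.

        bool isPdf = Path.GetExtension(full).ToLowerInvariant() == ".pdf";
        context.Response.ContentType = isPdf ? "application/pdf" : "application/msword";
        context.Response.AddHeader("Content-Disposition",
                                   "attachment; filename=\"" + file + "\"");
        // TransmitFile streams from disk; Response.BinaryWrite also works for small files.
        context.Response.TransmitFile(full);
    }

    private static void Fail(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```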