By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,282 Members | 1,494 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,282 IT Pros & Developers. It's quick & easy.

Role based security - file downloads

P: n/a
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?

Aug 22 '06 #1
Share this Question
Share on Google+
12 Replies


P: n/a
You might try moving the pdf files to a folder not visible directly from your
website then have an asp.net page in a secured directory read and stream the
file directly to the browser.

ex - Getfile.aspx?filename=secrets.pdf

This way none of your files can be viewed from your website by guessing
their url, and you can verify permissions in your aspx page before you send
the file.

"Mesan" wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?

Aug 22 '06 #2

P: n/a
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
Aug 22 '06 #3

P: n/a
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
Aug 22 '06 #4

P: n/a
I found this article:
http://www.microsoft.com/technet/com.../iisi1005.mspx
and followed its instructions but after authenticating I get the
following error - what did I miss?

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information

This problem can be caused by a variety of issues, including:

Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's
domain.
If this is an HTTPS (secure) address, click Tools, click Internet
Options, click Advanced, and check to be sure the SSL and TLS protocols
are enabled under the security section.
Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
>
Aug 22 '06 #5

P: n/a
In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\conf ig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
>IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
>>I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
Aug 23 '06 #6

P: n/a
I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\conf ig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
Aug 23 '06 #7

P: n/a
Well, what is happening if you step through the code? What is failing?

Mesan wrote:
I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
>In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\con fig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
>>And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
>
Aug 23 '06 #8

P: n/a
AFAIK there is no code to step through, it's IIS and ASP.Net handling
the documents themselves.
Ray Booysen wrote:
Well, what is happening if you step through the code? What is failing?

Mesan wrote:
I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\conf ig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
Aug 23 '06 #9

P: n/a
You must have coded the handler?

Mesan wrote:
AFAIK there is no code to step through, it's IIS and ASP.Net handling
the documents themselves.
Ray Booysen wrote:
>Well, what is happening if you step through the code? What is failing?

Mesan wrote:
>>I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\c onfig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.
>
Thanks,
Mesan
>
>
Kevin Jones wrote:
>IIS is handling the mapping so you need to change the behaviour there.
>One way to do this is in IIS map the .PDF to the ASP.Net handler then
>make sure PDFs are processed as static files by the ASP runtime,
>>
>Kevin
>>
>Mesan wrote:
>>I have a directory in an app I'm building that has access limited to
>>users within a specific role and all aspx pages in that directory are
>>unavailable just as I'd hope but other files (pdfs and whatnot) can be
>>downloaded by anyone without authenticating or anything. What does it
>>take for the use to be redirected to the login page when they try to
>>access mysite/private/secrets.pdf ?
>>>
Aug 23 '06 #10

P: n/a
In your web.config try adding the following

<httpHandlers>
<add path="*.pdf" werb="*" type="System.Web.StaticFileHandler"
validate="true"/>
</httpHandlers>

This works for me,

Kevin

Mesan wrote:
I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
>In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\con fig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
>>And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
>
n
Aug 23 '06 #11

P: n/a
I tried that and now all forms authentication is being skipped - the
file is just being served directly.

:-(

Kevin Jones wrote:
In your web.config try adding the following

<httpHandlers>
<add path="*.pdf" werb="*" type="System.Web.StaticFileHandler"
validate="true"/>
</httpHandlers>

This works for me,

Kevin

Mesan wrote:
I sincerely appreciate your responce but I must be doing something
wrong becaust it's still not working. I wish I could paste some
screenshots to show you how I've got it set up but it's exactly how you
and the Microsoft article said to set it up -- it works great to a
point though. If an unauthenticated person requests the document they
are redirected to the loign page -- perfect. They log in and then in
IE they get the error I posted above or it Firefox the just kind of
freezes with "secret.pdf (application/pdf Object)" in the titlebar --
not perfect. I know I'm close but I'm still missing some little step
somewhere. I tried playing with the HttpHandlers in machine.config but
that just circumvented the asp.net authentication.

???
Kevin Jones wrote:
In IIS, under the properties for your website, go to the "home
directory" tab and select "configuration..." You can add the .pdf
handler there (copy the name of the executable from the .aspx handler).

In .aspx you may need to add an <httpHandler (look in
c:\windows\microsoft.net\framework\v2.0.50727\conf ig\web.config.comments
for an example), although I believe the default handler should work,

Kevin

Mesan wrote:
And just how would one "map the .pdf to the asp.net handler then make
sure PDFs are processed as static files by the ASP runtime"? I think
that's the route I want to take, I just don't know how to do it.

Thanks,
Mesan
Kevin Jones wrote:
IIS is handling the mapping so you need to change the behaviour there.
One way to do this is in IIS map the .PDF to the ASP.Net handler then
make sure PDFs are processed as static files by the ASP runtime,

Kevin

Mesan wrote:
I have a directory in an app I'm building that has access limited to
users within a specific role and all aspx pages in that directory are
unavailable just as I'd hope but other files (pdfs and whatnot) can be
downloaded by anyone without authenticating or anything. What does it
take for the use to be redirected to the login page when they try to
access mysite/private/secrets.pdf ?
n
Aug 23 '06 #12

P: n/a
I tried that and now all forms authentication is being skipped - the
file is just being served directly.

:-(

are you sure you;re not just getting the file from the browser cache?

Try clearing the cache in explorer and then try again,

Kevin

Mesan wrote:
Aug 23 '06 #13

This discussion thread is closed

Replies have been disabled for this discussion.