How do I protect static files with ASP.NET form authentication on IIS 7.5?

I have a website running on an IIS 7.5 server with ASP.NET 4.0 on a shared host, but in full trust.

The site is a basic "file browser" that allows the visitors to login and have a list of files available to them displayed, and, obviously, download the files. The static files (mostly pdf files) are located in a sub folder on the site called data, e.g. http://example.com/data/...

The site uses ASP.NET form authentication.

My question is: How do I get the ASP.NET engine to handle the requests for the static files in the data folder, so that requests for files are authenticated by ASP.NET, and users are not able to deep link to a file and grab files they are not allowed to have?

Egil Hansen asked May 25 '10 09:05



2 Answers

If your application pool is running in Integrated mode then you can do the following.

Add the following to your top level web.config.

<system.webServer>
  <modules>
    <!-- Register the forms authentication module without the managedHandler
         precondition, so it also runs for static (non-.aspx) requests -->
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <!-- Remove and re-add the built-in modules so they lose the managedHandler
         precondition and authorize every request, including .pdf files -->
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules>
</system.webServer>

Now you can use the standard ASP.NET permissions in your web.config to force forms authentication for all files in the directory.

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
  <authentication mode="Forms" />
</system.web>
Joel Cunningham answered Oct 07 '22 09:10


I had the same problem with getting roles to authenticate. Through trial and error I finally got it to work with a small edit to @Joel Cunningham's code:

<modules runAllManagedModulesForAllRequests="true" > 

I used these two sites as references: http://forums.iis.net/t/1177964.aspx and http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis-integrated-pipeline/

Danielle answered Oct 07 '22 08:10
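Putting the two answers together, here is a complete web.config that restricts only the data folder rather than the whole site, so the login page itself stays reachable by anonymous users. This is an added example, not code from either answer; it assumes the folder is named data and that the login page is Login.aspx (both are assumptions, the question only names the folder).

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication for the whole site; Login.aspx is an assumed page name -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>

  <!-- Scope the deny rule to the data folder (assumed name) instead of the site root,
       so anonymous users can still load the login page and its CSS/images -->
  <location path="data">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- runAllManagedModulesForAllRequests (second answer) makes every managed module
         run for static files too; the remove/add pairs (first answer) drop the
         managedHandler precondition explicitly. Either is enough on its own in
         principle; the second answer reports needing both on its host. -->
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

To confirm it took effect, request a file such as http://example.com/data/somefile.pdf from a browser with no login cookie: you should get a 302 redirect to Login.aspx?ReturnUrl=... rather than a 200 with the PDF body. If the PDF still downloads, the application pool is most likely in Classic rather than Integrated mode, in which case IIS serves the static file before any managed module runs.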