I am using ASP.Net MVC. I have restricted access to the web site using ASP Forms authentication. However, the web pages contain links to pdf files on the server which I also want protected.
For example, the user can browse to foo.com and foo.com/account/logon. Once they logon they can access foo.com/category/bar which presents the view in bar.aspx. On that view is a link to foo.com/files/theta.pdf which loads up in the browser just fine. However, I don’t want foo.com/files/theta.pdf accessible from the browser unless the user has authenticated.
How do I prevent a user from accessing foo.com/files/theta.pdf directly from their browser without first authenticating at foo.com/account/logon?
Open a file in Acrobat and choose “Tools” > “Protect.” Select whether you want to restrict editing with a password or encrypt the file with a certificate or password. Set password or security method as desired. Click “OK” and then click “Save.”
From the menu bar select File and choose Document Properties. Use keyboard shortcut (Ctrl + D) to open Document Properties. Within the 'Document Properties' dialog box, select the Security tab and choose the Add Security button. Select the security options you want to enable using the check-boxes and drop-down menus.
Open Acrobat, click on File followed by Open and then, open the desired PDF file. Click on Properties & switch to the Security tab. Now, besides the Security Method list, click on the Change Settings button. To remove all permissions from PDF, disable the Restrict editing and printing of the document.
Pass the request through a controller, and return a FileResult
. You can apply whatever security you want to the controller method, either by using the Authorize
attribute, or by checking permissions inside the controller method.
There is an example of such code at this question, which illustrates how to return an image file. Just return your pdf instead of the image file, and use application/pdf
as the MIME type.
If you want to restrict all access to the /files
directory you could simply use a location
element in your web.config
to restrict access.
E.g.
<location path="~/files">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
I should add that I agree with Robert and Rob for advanced security, but if you just want a simple solution this should do the trick. :-)
HTHs,
Charles
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With