I have this in my web.config:
<system.webServer>
    <security>
        <requestFiltering>
            <hiddenSegments>
                <add segment="UserFiles"/>
            </hiddenSegments>
        </requestFiltering>
    </security>
</system.webServer>
I think I am going about this the wrong way, but I can't seem to find the right way to google this. I want to grant download access to only that folder 'UserFiles'. I need to do this via the web.config since the live environment will be on Azure, so I will not have a machine to RDP into to change this in IIS.
First, if you are using Azure web role and not Azure Websites, you should be storing this stuff in a blob. Second, are these files needing to be secured so that only authenticated users can access them (or even users can only access their own files?).
Let's assume that anyone can download any file from the server. If that is the case, create a directory called UserFiles underneath content. Now, you can simply link to those files like so:
<a href="@Url.Content("~/Content/UserFiles/filename.ext")">MY File title</a>
Now, if they are secured behind an authentication scheme, things get tricky. You don't want just anyone to be able to download those items. So, let's take a few steps to secure them.
1. Create a folder called UserFiles at the top level of your solution.
2. In your web.config, let's make it to where no one can access it
<system.webServer>
    <security>
        <requestFiltering>
            <hiddenSegments>
                <add segment="UserFiles"/>
            </hiddenSegments>
        </requestFiltering>
    </security>
</system.webServer>
3. Create a MVC controller, let's call it files, that you actually will use to deliver the files to the user. In here, let's make an action called download that takes in a file Id (assuming you are storing file information in the database)
// ActionResult rather than FileResult, so the action can also return a 404
public ActionResult Download(int id)
{
    // perform logic to see if user has access to this file
    // if access, return the file, e.g. return File(path, contentType, downloadName);
    // else return a 404
    return HttpNotFound();
}
Now, your file download link will look like
@Html.ActionLink("My File Title", "Download", "Files", new { id = Model.Id }, null)
MVC and your code will have access to the UserData folder, while an outside web user will not. Use the controller/action to gate your content.
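The gated download action described in step 3, filled in as an added example for ASP.NET MVC 5; it is not part of the original answer. The `StoredFile` class, its property names and the in-memory `Files` table are hypothetical stand-ins for the database record the answer assumes.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Hypothetical record; in a real application this row comes from the database.
public class StoredFile
{
    public int Id { get; set; }
    public string OwnerName { get; set; }   // user allowed to download it
    public string DiskName { get; set; }    // server-chosen name inside ~/UserFiles
    public string DisplayName { get; set; } // name offered to the browser
}

[Authorize] // anonymous requests never reach the action
public class FilesController : Controller
{
    // Constructed sample data standing in for a database table.
    private static readonly Dictionary<int, StoredFile> Files = new Dictionary<int, StoredFile>
    {
        { 1, new StoredFile { Id = 1, OwnerName = "alice", DiskName = "0001.bin", DisplayName = "report.pdf" } }
    };

    public ActionResult Download(int id)
    {
        StoredFile file;
        // Unknown id and "not your file" both return 404, so the response
        // does not reveal which ids exist.
        if (!Files.TryGetValue(id, out file) ||
            !string.Equals(file.OwnerName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
        {
            return HttpNotFound();
        }

        // Resolve the path and confirm it is still inside ~/UserFiles.
        string root = Path.GetFullPath(Server.MapPath("~/UserFiles"))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string path = Path.GetFullPath(Path.Combine(root, file.DiskName));
        if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !System.IO.File.Exists(path))
        {
            return HttpNotFound();
        }

        // The third argument sets Content-Disposition: attachment.
        return File(path, MimeMapping.GetMimeMapping(file.DisplayName), file.DisplayName);
    }
}
```

The path is built from the stored `DiskName`, never from request input, and the containment check still rejects a record whose name resolves outside the folder.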
Files in App_Data will not be served to the end user, by design.
App_Data is used to store data files. From the MSDN:
App_Data contains application data files including .mdf database files, XML files, and other data store files. The App_Data folder is used by ASP.NET to store an application's local database.
The content of application folders... is not served in response to Web requests, but it can be accessed from application code.
It would be pretty bad if people could download stuff, like your database, out of App_Data.
You'll need to move the UserFiles folder outside of App_Data.