How to secure access to SWF file using ASP.NET?

Question

We have a swf file that we want to secure and make available only to authorized users.

I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example.

However smart users could still get to the file by accessing directly for example www.mysite/flash.swf. We want to make that kind of access secure.

Any help would be greatly appreciated!

Thanks!

Answer 1

Aristos,

You were right. Last afternoon just before I went home I tried creating a custom HTTP handler. And it worked nice. :-) Thanks for answering +1

public class CustomFlashHandler : IHttpHandler
{

public void ProcessRequest(HttpContext context)
{
  if (!context.User.Identity.IsAuthenticated)
  {
    context.Response.Redirect("Default.aspx?ReturnUrl=%2felVideo.aspx");
    context.Response.StatusCode = 401;
    return;
  }

  var url = context.Request.CurrentExecutionFilePath;

  if (string.IsNullOrEmpty(url)) return;

  HttpContext.Current.Response.ClearContent();
  HttpContext.Current.Response.ClearHeaders();
  HttpContext.Current.Response.AddHeader("Content-Disposition", string.Format("filename={0}", url));
  HttpContext.Current.Response.AddHeader("Content-Type", "application/x-shockwave-flash");
  HttpContext.Current.Response.WriteFile(url);
  HttpContext.Current.Response.End();
}

public bool IsReusable
{
  get { return false; }
}

}

Like Aristos said, you have to map ASP.NET to handle .swf files in IIS.

alt text http://www.freeimagehosting.net/uploads/30424ac60a.png

Then add the custom mapping in the application's web.config

<httpHandlers>
  <add verb="*" path="*.swf" type="XXXXX.Web.XXXXX.CustomFlashHandler" validate="false" />
</httpHandlers>

1: href=http://www.freeimagehosting.net/>http://www.freeimagehosting.net/uploads/30424ac60a.png

1: a href=http://www.freeimagehosting.net/>http://www.freeimagehosting.net/uploads/30424ac60a.png border=0 alt="Free Image Hosting">

Answer 2

I think that the most easy and fast solution is to Map this extention (.swf) to handle by asp.net.

I do not know if its works, because I do not have done that, but you can give it a try.

One other way is to place this files, somewhere hidden, or with complex name, and use an .ashx file to just read and send them. In the .ashx file you need to set the correct Response.ContentType for the flash, and just read and send the correct file.