Using forms authentication, but you can get at a file if you know the name of it.

[Mufasa]

I have a website where there is a login screen on it. All works fine. As
part of the website I have links to some pdfs, htmls, jpgs, and assorted
other stuff. I have found if you know the name of the file (or login, and
copy the link) you can get at the file without logging in.

I verified this by pulling up one of my pfds copying the url, closing down
all of IE and then starting IE and putting in the url.

Lo and hehold - the file is there.

Is there anyway to stop this behavior? What I really want is a way to limit
the people who get to my web site by using a userid/password stored in a
database and then and only then can they get at my documents. Currently we
use NT security with one userid/password which isn't a good solution. We
have people coming and going quickly so we need a better way to do this. And
putting the users in NT just seems a pain.

Thanks for you help.

J.

 

[Peter Bradley]

Have you annotated your classes and/or methods with attributes that issue
security challenges, ensuring that users are logged in, and members of the
correct role before accessing the class/method? Something like (from msdn):

[PrincipalPermissionAttribute(SecurityAction.Demand, Name="Bob",
Role="Supervisor")]
or (from one of our applications (slightly altered to protect the
innocent)[PrincipalPermissionAttribute(SecurityAction.Demand,
Authenticated=True, Role="Supervisor")]Or you can do the same thing
programmatically using things like IsInRole().You catch any security
exceptions that get thrown as a result of these in a convenient place, like
Global.asax

HTH


Peter

 

[Page Brooks]

Mufasa,
Since pdfs and other files do not pass through the ASP.NET processing
pipeline forms authentication will not protect these types of files.
However, there are several ways to prevent IIS from serving up files to
unauthenticated users. One way is to use the HttpForbiddenHandler. See the
following link:

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx

 

[Page Brooks]

Mufasa,
Also, in ASP.NET 2.0, you have the option of adding the following to your
httpHandlers:

<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler"
validate="True" />

This will cause ASP.NET to process all unknown extensions through the
Authenticate and AuthorizeRequest events in the execution pipeline.
Again, I will refer you to the same URL which has more information on this:

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx

 

[Mufasa]

Thanks everybody. I got it to work.

J.

Mufasa,
Since pdfs and other files do not pass through the ASP.NET processing
pipeline forms authentication will not protect these types of files.
However, there are several ways to prevent IIS from serving up files to
unauthenticated users. One way is to use the HttpForbiddenHandler. See
the following link:

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx