Securing other file types (image, pdf, doc, xls, etc.) -- mapping to aspnet_isapi doesn't work

I need to secure a directory of various files (images, pdf, avi, doc, ppt, and so on) with forms authentication.   I have tried mapping the appropriate extensions to aspnet_isapi.dll, which seems to work: it won't let me download the file unless I'm logged in.

However, when I try to open the downloaded file, it's either blank (in the case of excel or doc files) or causes an error message about being damaged or corrupted (for PDF's).  It is a simple download link directly to the file.  As soon as I remove the mapping to aspnet_isapi.dll, the document works just fine.

What is going wrong, and how do I fix it???

Thanks very much for your help. 

0
Celestine
3/22/2008 12:14:07 AM
asp.net.security 27051 articles. 1 followers. Follow

4 Replies
781 Views

Similar Articles

[PageSpeed] 41

Hi! 

Other option is create a page "download.aspx" that is secured with forms authentication. This page receives the name of the file and if the user is logged then returns the file on the response (file stored in some place on the server, not reachable by users).

I don't think that you need to add all file extensions to aspnet_isapi.dll :-)


Regards,
Claudio

Simplicity: "the art of maximizing the amount of work not done."
0
crfenix
3/22/2008 3:34:30 AM

Thanks -- I need to secure the files directly without going through a download.aspx.

0
Celestine
3/24/2008 1:05:58 PM

Hi

 You can write a custom HttpHandler to handle the requests to those resource, control the access for authenticated users and process request by writing file to the output stream

Please have a look at this example on how to restrict access to a folder by httphandler  hope it helps

http://www.gridviewguy.com/ArticleDetails.aspx?articleID=196

http://msdn2.microsoft.com/en-us/library/5c67a8bd(VS.71).aspx

This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
Best Regards
XiaoYong Dai
Microsoft Online Community Support

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
0
XiaoYong
3/25/2008 5:30:21 AM

Here is what fixed the problem for me:

  • Do not ADD the extension as a mapping to aspnet_isapi.dll.  Although there are 100 articles out there that say this is the way to do it, I'm not sure why this didn't work for me.

  • Instead,  click INSERT to add a "wildcard application map" for aspnet_isapi.dll.  I have no idea what it means.  It works for me though. 

Thanks for the suggestion about using an httphandler, this seems to be a good alternative for when you do NOT have access to IIS configuration, but in this case I have a dedicated server and I wanted to do it with IIS rather than writing additional code.

0
Celestine
3/25/2008 3:15:52 PM
Reply:

Similar Artilces:

Standard Security works but Intergrated Security doesn't
I wonder if someone could help me with my problem. (btw I did go to Internet Services and I do have integrated security enabled) If I use regular login in my ConnectionString then my page works fine but if I try to use integrated security in my ConnectionString I get an error message Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection. It seems like the server is not picking up my Network login to validate it against Integrated Security. Here is an excerpt from my page along with commented Integrated Security ConnectionString Dim...

superreview granted: [Bug 122238] input type="image" doesn't send x/y (image doesn't exist; width and height not set) : [Attachment 139545] Same as jkeiser's patch, really...
Johnny Stenback <jst@mozilla.jstenback.com> has granted Boris Zbarsky <bz-vacation@mit.edu>'s request for superreview: Bug 122238: input type="image" doesn't send x/y (image doesn't exist; width and height not set) http://bugzilla.mozilla.org/show_bug.cgi?id=122238 Attachment 139545: Same as jkeiser's patch, really... http://bugzilla.mozilla.org/attachment.cgi?id=139545&action=edit ------- Additional Comments from Johnny Stenback <jst@mozilla.jstenback.com> + if (!name.IsEmpty()) { + aFormSubmission->AddNameValuePair(thi...

superreview requested: [Bug 122238] input type="image" doesn't send x/y (image doesn't exist; width and height not set) : [Attachment 139545] Same as jkeiser's patch, really...
Boris Zbarsky <bz-vacation@mit.edu> has asked Johnny Stenback <jst@mozilla.jstenback.com> for superreview: Bug 122238: input type="image" doesn't send x/y (image doesn't exist; width and height not set) http://bugzilla.mozilla.org/show_bug.cgi?id=122238 Attachment 139545: Same as jkeiser's patch, really... http://bugzilla.mozilla.org/attachment.cgi?id=139545&action=edit ...

Installation 'Sybase DataWindow PS' printer on W98 doesn't work (so PDF export can't work either)
I have a problem with export DataWindow content to PDF on W98 systems. (I don't have any problem with PDF export on other systems like as WINNT, W2K, WXP). I found out that the problem is in the Sybase DataWindow PS printer. It looks like installed but it DOESN'T WORK on W98. When I try print something on this printer then no PostScript file is created. So I tried manual installation of it but it occurs an error during manual installation (I used description of instalation from Bruce Armstrong). The error said that printer driver (PSCRIPT.DLL) can't be loaded. I use...

File upload doesn't work with some file types
We have to save the file attachments into a SQL database as binary. In one of our legacy ASP projects the SQL 2000 data type is "image".  In this ASP.net project I thought we'd continue with the image type because we can't modify the DB due to backwards compatility issues. Although, some of the customers are running SQL 2005 - nothing like a monkey wrench thrown into the pile. So with all that said, I set out to redesign this ASP project into ASP.net and what a ride it has been. One of many hrdules I came to face is the file upload. Here is the code I've piec...

Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'.
Hi Has anyone ever came across this problem before, the code was working ok this morning, but now it not and nothing has changed. Here is some test code string UserData = Ret.ToString();                        FormsAuthenticationTicket objTestForCookiesTicket;                        HttpCookie objTestForCookiesCookie;                        objTestForCookiesTicket = new FormsAuthenticationTicket(1,    ...

Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'
I am getting the following error when i request the page in iis. it was working fine. if anybody give any solution for this is greatly appreciated   Server Error in '/' Application. Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.InvalidCastException: Unable to cast object of type '...

Unable to cast object of type 'WIM2008_Web.App_Code.wim.security.data.User' to type 'WIM2008_Web.App_Code.wim.security.data.User'
I don't know if i post this in the rigth forum but it is related to database call. this is my code: public DataSet CustomerDetails_Select(Int32 ID)    {      DataSet ds = new DataSet();      WIMConnect wimcon = new WIMConnect();      WIMConnection cnnwim = new WIMConnection();      ConvertDataReaderToDataTable DrToDs = new ConvertDataReaderToDataTable();      GridViewHeadersDao gvh = new GridViewHeadersDao();       &nb...

Urgent: AutoCompleteExtender doesn't work/Updatepanel doesn't work
This is my code for the AutoCompleteExtender <asp:textbox id="txtQuickSearch" runat="server" CssClass="inputText" style="width:145px; "></asp:textbox> <atlas:AutoCompleteExtender runat="server" ID="acSearch"> <atlas:AutoCompleteProperties TargetControlID="txtQuickSearch" Enabled="True" ServicePath="http://localhost/Sony.BusinessSuite.Web.UI/AtlasServices/MasterData.asmx" ServiceMethod="GetAllModels" minimumprefixlength="2" /> </atlas:AutoCompleteExtender> When i start typing fiddler shows: # Result Host URL Body Caching Content-Type User-...

Spellchecker doesn't work: no error, just doesn't work
Hey all. This is only happening with one person. It's all GW7 no SP. has worked fine before. Anyway when they type along it doesn't catch that spelling and it doesn't fire up spell check before it's sent like it is checked off to do. It does nothing. It just sends it when you click send; no error, nothing. I did a rebuild, analyze/fix. I have it set at all levels for this user. any ideas Mark, well, I'd try a more recent client version first. GW7 was less than stellar before SP1. Uwe -- Novell Support Connection Volunteer SysOp Please don...

Can't get the Web Controls to work.. The Build.Bat file doesn't work? HELP>> ARGGG>.
Hi.. I was wanting to use the IE Web Controls, the Tab Strip, etc, and play with it.. Since I have IIS 5, I thought I'd copy them there using the Read me.txt instructions and then copy to a dev server that I use at a web host.. Well, everything worked except the Build file doesn't build the Microsoft.UI.Webcontrols.DLL file? When I try to run it by double clicking on it, it runs really fast in  the DOS window, but I can't see what it says and it closes.. So I tried to do so manually and I received an error that the "cse.exe is not recognized as an internal or external command or batch...

displays certain files of any type(gif,doc,excel Types,PDF's etc) and then allows the user to click
Hi, I'm fairly new to ASP.NET 2.0 and I'm sure there is a simple solution to my problem. I have  an application that displays certain files of any type(gif,doc,excel Types,PDF's etc) and then allows the user to click the name of the file in order to view it in the web browser.I originally had the file name listed in a GridView (or listview if anybody give solution i will change this controls).  I tried creating a hyperlink column which display all the file names to allows the user to click it and to display the file,.i can open a Doc file types. But how i can open ...

secure LDAP doesn't work
NetWare 6.5 sp3 edir 87.35 When I try to hit https://servername:636 I get connection refused tried recreating LDAP server and Group object, no luck tried running pkidiag, reinstalling LDAP, no luck NORM works fine and I can rcon over secure IP to server If I start DStrace and log LDAP then reload NLDAP server abends This makes diagnosing the problem hard. Any ideas? Thanks, Waylon Grange Network Administrator Snow, Christensen & Martineau 10 Exchange Place, Eleventh Floor Salt Lake City, UT 84101 (801) 322-9237 wtg@scmlaw.com Well you are not doing ldap,,,,yo...

file type doesn't work
I try to get an EndNote citation from the web into my EndNote bibliography database. EndNote explains well how to achieve this http://online.sagepub.com/cgi/citmgr?gca=spann;566/1/37 but this is theory here. I looked into the Tools > Options > File Types > Download Actions. A enw file (enw is the EndNote import format) is marked Open with EndNote build ... (which is my current build). When I click on the Sage journal citation download link I see that a file gets saved (Saving item ..) but this is not what should happen. I expected that EndNote opens and imports. So,...

Why doesn't my security trimming work?
I have a login control displayed on my page but when I log in the tree view only shows forgot-password. I should show all. I know there must be something wrong with my code. Basically when a Administrator logs in I want him/her to see everything but if it is not a Admin then see everything but the Admin Users section. Here it is.   <siteMap> <siteMapNode title="Home" description="Home" url="login.aspx"> <siteMapNode title="Salon"> <siteMapNode title="Add New Salon" url="manager\Salon.aspx" ...

Web resources about - Securing other file types (image, pdf, doc, xls, etc.) -- mapping to aspnet_isapi doesn't work - asp.net.security

ASP.NET - Technical Fixes
UrlRewriter.NET is an open-source, light-weight, highly configurable URL rewriting component for ASP.NET. UrlRewriter.NET provides similar IIS ...

Application Pools <applicationPools> : The Official Microsoft IIS Site
The element contains configuration settings for all application pools running on your Internet Information Services (IIS) 7 server. An application ...

Resources last updated: 12/1/2015 4:52:24 AM