restricting non-ASP.NET content

  • KBTibbs
    New Member
    • Aug 2007
    • 13

    restricting non-ASP.NET content

    Hi.

    I'm restricting access to my webpage with forms authentication, but I have some .htm files that I want to restrict as well (by default, ASP.NET does not restrict this, so anyone with access to the URL could open them).

    I've run across a number of solutions on the web, none however seem to work for me. It's possible I'm just missing something stupid and obvious. (I hope that's it.)

    First, this page advised me to add a setting to IIS to make aspnet_isapi.dll handle the .htm files. However, the result was less than satisfactory. In Firefox (2.0.0.x) the page would simply be blank, and IE (6&7) would give the "Internet Explorer cannot display the webpage" message.

    Then this page and this page suggested adding httpHandler entries into my web.config file.
    These settings did nothing to filter these files.

    Then, with ever increasing desperation I tried them both at the same time, and again I got the blank Firefox and the taunting IE message.

    Can anyone help me figure out what I'm missing here?
  • Plater
    Recognized Expert Expert
    • Apr 2007
    • 7872

    #2
    Are these pages to be protected by the same login credentials as the aspnet pages?
    Because you could restrict access to the directories they're in with the http security.
    (challenge authentication)

    Or convert them over to full-fledged aspx pages. Really you should have been able to just drop the html source code into the aspx page.

    Comment

    • KBTibbs
      New Member
      • Aug 2007
      • 13

      #3
      Originally posted by Plater
      Are these pages to be protected by the same login credentials as the aspnet pages?
      Because you could restrict access to the directories they're in with the http security.
      (challenge authentication)

      Or convert them over to full-fledged aspx pages. Really you should have been able to just drop the html source code into the aspx page.
      I'm handling the specifics of which files go to which users... All I need is a simple redirect to the login page if they aren't authenticated.

      The idea is that these are generated reports, and people get access to their own reports. Users access the reports page, the page queries the database, scoops up all the files in the folders specified by the database, and displays them in a datagrid with hyperlinks.

      The benefits to this are that:
      1) existing reports work (to preserve report histories without modifying those files by hand)
      2) the existing reporting process is automated and can generate and upload a new report to the ftp site. This setup preserves this functionality so it doesn't need to be modified.

      I've already got a good bit of other site content restricted by various roles granted by the forms authentication, the last bit to restrict is this non-ASP.NET content...

      Comment

      • Plater
        Recognized Expert Expert
        • Apr 2007
        • 7872

        #4
        hmmm. well have you tried making a "serve-up" aspx page?

        Like all those hyperlinks goto:
        "myserveup.aspx?filename=report456.html"

        And then your serveup.aspx page goes and grabs that file and returns the content.
        Then you can just make sure they're authenticated for that aspx page.

        I use this method in my own company. The actual location where the data files are is not available through the website, only through the serveup page can they be accessed.

        Comment

        • KBTibbs
          New Member
          • Aug 2007
          • 13

          #5
          Originally posted by Plater
          hmmm. well have you tried making a "serve-up" aspx page?

          Like all those hyperlinks goto:
          "myserveup.aspx?filename=report456.html"

          And then your serveup.aspx page goes and grabs that file and returns the content.
          Then you can just make sure they're authenticated for that aspx page.

          I use this method in my own company. The actual location where the data files are is not available through the website, only through the serveup page can they be accessed.
          Hmmm, that's an intriguing idea. I'm not readily able to imagine some of the specifics (I'm a desktop programmer by trade that got somewhat pressed into this web development project just recently. I'll admit to being a bit out of my native element)... A couple of questions come to mind:

          Would I need to strip out any of the html from the files, or would the ASPX page simply not care about duplicate <HEAD> tags, <BODY> tags, etc?

          How can I set the folder to be inaccessible to the outside? Move it to be within the app_data folder? Could I still set that folder to be an FTP site to receive the auto-generated reports?

          Comment

          • Plater
            Recognized Expert Expert
            • Apr 2007
            • 7872

            #6
            The aspx page...wouldn't really be an aspx page.
            Inside it would do all the validating of "should this user be able to access this file?"
            Then if yes it'd be something like:
            Code:
            Response.Clear();//wipe out anything that would be sent to client
            /*
            * Some code to send the file, I think it's like Response.TransmitFile(filename)
            */
            Response.End();
            If it was no, display some sort of "not allowed" message

            Comment

            • KBTibbs
              New Member
              • Aug 2007
              • 13

              #7
              Originally posted by Plater
              The aspx page...wouldn't really be an aspx page.
              Inside it would do all the validating of "should this user be able to access this file?"
              Then if yes it'd be something like:
              Code:
              Response.Clear();//wipe out anything that would be sent to client
              /*
              * Some code to send the file, I think it's like Response.TransmitFile(filename)
              */
              Response.End();
              If it was no, display some sort of "not allowed" message
              This sounds like a good solution, however I would still like a way to deny access to anyone who might be able to guess the URL of the source HTML files... Maybe I could store the files within app_data?

              Comment

              • Plater
                Recognized Expert Expert
                • Apr 2007
                • 7872

                #8
                Don't expose their location to the web.
                Like for instance in my setup, the iis website is located at:
                c:\inetpub\wwwroot\
                And the datafiles are in say:
                c:\data\

                The code behind can access that directory, but the website does not have access to it.

                Comment
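The serve-up page described in posts #4 to #8, written out as an added example (not code from any poster in this thread). The class name, the one-folder-per-login-name layout under `c:\data\` and the file-name allowlist are assumptions; the thread's real folder assignments come from a database.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical serveup.aspx (added example).
public partial class ServeUp : Page
{
    // Assumptions: reports sit outside the web root, one folder per user
    // named after the login name, e.g. c:\data\alice\report456.html.
    private const string DataRoot = @"c:\data\";
    private static readonly Regex SafeFolder = new Regex(@"\A[A-Za-z0-9_-]+\z");
    private static readonly Regex SafeFile = new Regex(@"\A[A-Za-z0-9_-]+\.html?\z");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        string path = ResolveReport(User.Identity.Name, Request.QueryString["filename"]);
        if (path == null || !File.Exists(path))
        {
            // Same answer for "no such report" and "not your report".
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        Response.Clear();                 // wipe anything already buffered
        Response.ContentType = "text/html";
        Response.TransmitFile(path);      // stream the stored file unchanged
        Response.End();
    }

    // Returns the full path, or null unless it stays inside the user's folder.
    private static string ResolveReport(string userName, string requested)
    {
        if (userName == null || requested == null) return null;
        // Allowlist: bare names only, so "..\", "/", drive letters and
        // other extensions such as "web.config" never reach the file system.
        if (!SafeFolder.IsMatch(userName) || !SafeFile.IsMatch(requested)) return null;
        string userDir = Path.GetFullPath(Path.Combine(DataRoot, userName));
        string full = Path.GetFullPath(Path.Combine(userDir, requested));
        // Defence in depth: the resolved path must still be under userDir.
        string prefix = userDir + Path.DirectorySeparatorChar;
        return full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}
```

Because the `filename` query string is attacker-controlled, the ownership check and the path check both happen on the server for every request; hiding the links in the datagrid is not enough.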

                • kunal pawar
                  Contributor
                  • Oct 2007
                  • 297

                  #9
                  Hi,
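                  You can restrict by setting the web.config.

                  <!-- authentication is an application-level section, so it sits
                       outside <location> together with the other site-wide settings -->
                  <system.web>
                    <customErrors mode="Off"/>
                    <compilation debug="true"/>
                    <authentication mode="Forms">
                      <forms name="frmLogin"
                             loginUrl="login.aspx">
                      </forms>
                    </authentication>
                  </system.web>

                  <!-- per-file rule: anonymous users are denied admin.html -->
                  <location path="admin.html">
                    <system.web>
                      <authorization>
                        <deny users="?" />
                      </authorization>
                    </system.web>
                  </location>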

                  try this one

                  Comment

                  • Plater
                    Recognized Expert Expert
                    • Apr 2007
                    • 7872

                    #10
                    Oooo, good call on that one. I think you can take wildcards in the path= attribute too?

                    Comment

                    • dotneto
                      New Member
                      • Feb 2007
                      • 36

                      #11
                      Yes, using location for the files is the cleanest way to do that.

                      What you could also do is deny access to unauthenticated users and grant access to the specific role where your html files are. In your web.config:

                      Code:
                      <authentication mode="Forms">
                        <forms loginUrl="/yoursite/default.aspx" name="name" timeout="20" protection="All" path="/">
                        </forms>
                      </authentication>
                      <authorization>
                        <deny users="?"/>
                      </authorization>
                      <location path="the folder where your html files are">
                        <system.web>
                          <authorization>
                            <allow roles="Roles that can access the path"/>
                          </authorization>
                        </system.web>
                      </location>

                      Comment
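The web.config pieces from posts #9 to #11 assembled into one file, as an added example rather than any poster's configuration. It assumes IIS already forwards `.htm` requests to ASP.NET as the first post describes; the folder name `reports` and the role name `ReportViewers` are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Application-level: one forms login for the whole site -->
    <authentication mode="Forms">
      <forms name="frmLogin" loginUrl="login.aspx" timeout="20" protection="All" path="/" />
    </authentication>
    <authorization>
      <!-- Anonymous requests are redirected to loginUrl -->
      <deny users="?" />
    </authorization>
    <httpHandlers>
      <!-- Only takes effect once IIS hands *.htm requests to ASP.NET -->
      <add verb="GET,HEAD" path="*.htm" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- A folder path covers every file below it -->
  <location path="reports">
    <system.web>
      <authorization>
        <!-- Rules are read top-down and the first match wins -->
        <allow roles="ReportViewers" />
        <!-- Without this line, a logged-in user outside the role matches no
             rule here and falls through to the inherited allow for everyone -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A check worth running after deployment: request a report URL with no cookie, then with a logged-in account outside the role, and confirm neither returns the file.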
