Secure Library Access

9 posts, 0 answered
  1. Jason
    16 posts
    Registered:
    27 Aug 2008
    04 Feb 2009
    I'm in the process of developing a site that will not be accessible to anyone unless they log in.  The site will feature multiple download lists and I'm wondering how I would go about preventing unauthorized access.  It seems as though if I log in and copy the link to a document then access it from a machine that has not logged in the document will be downloaded which I need to prevent from happening.

    Thanks,
    Jason
  2. Ivan Dimitrov
    16072 posts
    Registered:
    16 Jun 2017
    05 Feb 2009
    Hi Jason,

    Most probably, you need to create a custom handler that will give access to a certain library only for a given role. Thus, users that do not belong to this role/roles will not be able to download and access library items.

    Here is a sample:

    using System;  
    using System.Web;  
    using System.Web.Security;  
    using Telerik.Cms.Engine;  
      
    //Override ContentHttpHandler  
    public class CustomContentHandler : ContentHttpHandler  
    {  
          
        public override void ProcessRequest(HttpContext context)  
        {  
      
            //restrict access to mylib  
            string path = String.Concat(context.Request.ApplicationPath, "/libraries/my_lib_here/");  
      
            if (context.Request.RawUrl.StartsWith(path, StringComparison.OrdinalIgnoreCase))  
            {  
                //check whether the user is authenticated or not.  
                RolePrincipal principal = context.User as RolePrincipal;  
                if (principal == null  
                    || !principal.Identity.IsAuthenticated  
                    || !principal.IsInRole("Administrators"))  
                {  
                    throw new HttpException(403, "Access forbidden");
                }  
            }  
      
            base.ProcessRequest(context);  
        }  
    }  

    I hope this helps.

    All the best,
    Ivan Dimitrov
    the Telerik team

  3. Eric
    5 posts
    Registered:
    25 Aug 2008
    22 Jul 2009
    Ivan,

    I implemented what you suggested and it worked perfectly on my local development environment (XP/IIS6). But, when I moved up my code to staging (IIS7), it completely ignores the custom httpHandler.  I researched and tried following what was suggested in the post http://www.sitefinity.com/support/forums/sitefinity-3-x/bugs-issues/error-4-4-with-rss-in-iis7.aspx and modified the two Handler Mappings to point to my custom handler to no avail.  Any help would be appreciated.

    Thanks,
    Eric
  4. Ivan Dimitrov
    16072 posts
    Registered:
    16 Jun 2017
    22 Jul 2009
    Hello Eric,

    Have you replaced the default ContentHttpHandler with the custom one? IIS 7 uses integrated pipeline mode and it is looking under <system.webServer><handlers>

    All the best,
    Ivan Dimitrov
    the Telerik team

  5. Eric
    5 posts
    Registered:
    25 Aug 2008
    22 Jul 2009
    Ivan,

    Yes, I made the following changes to parts of my web config:

    <system.web> 
      <httpHandlers> 
        <add verb="GET" path="*.sflb" type="SecureContentHttpHandler, App_Code" /> 
        <add verb="GET" path="*.sflb.ashx" type="SecureContentHttpHandler, App_Code" /> 
        ... 
      </httpHandlers> 
      ... 
    </system.web> 
    ... 
    <system.webServer> 
      <handlers> 
        ... 
        <add name="SitefinityLibrary" path="*.sflb" verb="*" type="SecureContentHttpHandler" preCondition="integratedMode" resourceType="Unspecified" requireAccess="Script" /> 
        <add name="SitefinityLibraryAdd" path="*.sflb.ashx" verb="*" type="SecureContentHttpHandler" preCondition="integratedMode" resourceType="Unspecified" requireAccess="Script" /> 
        ... 
      </handlers> 
    </system.webServer> 

  6. Ivan Dimitrov
    16072 posts
    Registered:
    16 Jun 2017
    23 Jul 2009
    Hi Eric,

    As I see it you should have specified the App_Code in the type.

    Your lines:

    <add name="SitefinityLibrary" path="*.sflb" verb="*" type="SecureContentHttpHandler" preCondition="integratedMode" resourceType="Unspecified" requireAccess="Script" />
    <add name="SitefinityLibraryAdd" path="*.sflb.ashx" verb="*" type="SecureContentHttpHandler" preCondition="integratedMode" resourceType="Unspecified" requireAccess="Script" />

    Correct lines:

    <add name="SitefinityLibrary" path="*.sflb" verb="*" preCondition="integratedMode" type="CustomContentHttpHandler, App_Code"/>
    <add name="SitefinityLibraryAdd" path="*.sflb.ashx" verb="*" preCondition="integratedMode" type="CustomContentHttpHandler, App_Code"/>

    Or have you compiled the code into an assembly?

    Greetings,
    Ivan Dimitrov
    the Telerik team

  7. Eric
    5 posts
    Registered:
    25 Aug 2008
    23 Jul 2009
    Ivan,

    You are correct, I have the code in the App_Code folder.  I had actually tried that after what I selected through the Handler Mappings in IIS7 did not work.  I removed it since it did not help.  Do you have any other ideas?  I appreciate your help.

    Thanks,
    Eric
  8. Ivan Dimitrov
    16072 posts
    Registered:
    16 Jun 2017
    23 Jul 2009
    Hi Eric,

    You can add a new simple handler to see whether it will be fired. You can also attach a debugger to the current Handler and see whether it will be fired. There seems to be something in your production server settings since the handler works on your dev server.

    Sincerely yours,
    Ivan Dimitrov
    the Telerik team

  9. Eric
    5 posts
    Registered:
    25 Aug 2008
    23 Jul 2009
    Ivan,

    I finally figured it out!  It was a combination of needing the App_Code in the system.webServer handlers and an issue with your original code.

    string path = String.Concat(context.Request.ApplicationPath, "/libraries/my_lib_here/");   

    On my local dev environment, context.Request.ApplicationPath returns "/deploy". In a production mode running its own domain, context.Request.ApplicationPath returns "/".  So the end result of the path variable is "//libraries/my_lib_here/" which will never occur.  So a simple fix to work in both environments is:

    string path = String.Concat(context.Request.ApplicationPath, "/libraries/documents/").Replace("//","/"); 

    Thanks for all your help, I'm glad I was able to get it to work.

    Eric
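
The prefix problem resolved in the last post can also be handled without string replacement. The following is an added example, not code from the thread or from Telerik: it builds the protected prefix so that it comes out the same whether ApplicationPath is "/" or "/deploy", and matches it against Request.Path, which carries no query string. LibraryGuard and its methods are hypothetical names; ContentHttpHandler, the "libraries/documents" folder, the "Administrators" role and the handler class name are taken from the posts above.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using Telerik.Cms.Engine; // ContentHttpHandler, as used in the sample earlier in this thread

// Hypothetical helper: pure functions, so they can be unit-tested without IIS.
public static class LibraryGuard
{
    // Joins the application path and the library folder with exactly one slash.
    // "/"       + "libraries/documents" -> "/libraries/documents/"
    // "/deploy" + "libraries/documents" -> "/deploy/libraries/documents/"
    public static string BuildPrefix(string applicationPath, string libraryFolder)
    {
        return (applicationPath ?? "").TrimEnd('/') + "/" + libraryFolder.Trim('/') + "/";
    }

    public static bool IsProtected(string requestPath, string prefix)
    {
        return requestPath != null
            && requestPath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase);
    }

    // Anonymous users and users outside the role are both refused.
    public static bool IsAllowed(IPrincipal user, string role)
    {
        return user != null && user.Identity != null
            && user.Identity.IsAuthenticated && user.IsInRole(role);
    }
}

public class SecureContentHttpHandler : ContentHttpHandler
{
    private const string LibraryFolder = "libraries/documents"; // assumed library path
    private const string RequiredRole = "Administrators";       // assumed role name

    public override void ProcessRequest(HttpContext context)
    {
        string prefix = LibraryGuard.BuildPrefix(context.Request.ApplicationPath, LibraryFolder);

        // Request.Path excludes the query string, unlike RawUrl.
        if (LibraryGuard.IsProtected(context.Request.Path, prefix)
            && !LibraryGuard.IsAllowed(context.User, RequiredRole))
        {
            throw new HttpException(403, "Access forbidden");
        }

        base.ProcessRequest(context);
    }
}
```

As the thread established, the handler only runs under IIS 7 integrated mode when the `<system.webServer><handlers>` entries name the type with its assembly, for example `type="SecureContentHttpHandler, App_Code"`.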