Securing individual files

12 posts, 0 answered
  1. Nick Haworth
    20 posts, registered 18 Jan 2010
    21 Jun 2010
    Hi,

    We are currently migrating our existing website into Sitefinity, but have run into (another!) problem with security.  I'd like to secure individual files within our website (such as documents that are only available to authenticated users).  This level of security was previously done in the <location> node of the web.config, allowing us to deny anonymous users and restrict access by user and/or role.

    How can this be done in Sitefinity?  I created an Images and Documents library and applied "View" privileges to certain roles, but ALL roles could still download files within the library...even anonymous users!

    Is there a work around for this?  Could I still use the <location> node solution?

    Thanks.


    Nick
  2. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    21 Jun 2010
    Hello Nick Haworth,

    You can create a custom handler that inherits from ContentHttpHandler and restricts access to a given library or to an item in your library.

    Override the ContentHttpHandler. Then check whether the user, from a specified role, has permission to see the files in your library. Finally, change your web.config and replace the default ContentHttpHandler with the custom one you have created.

    using System;
    using System.Web;
    using System.Web.Security;
    using Telerik.Cms.Engine;

    public class CustomCmsContentHandler : ContentHttpHandler
    {
        public override void ProcessRequest(HttpContext context)
        {
            // Absolute virtual path of the restricted library. ToAbsolute handles
            // an application hosted at the site root ("/"), where concatenating
            // ApplicationPath and "/libraries/..." would produce "//libraries/..."
            // and never match.
            string path = VirtualPathUtility.ToAbsolute("~/libraries/SecuredLibrary/");

            if (context.Request.RawUrl.StartsWith(path, StringComparison.OrdinalIgnoreCase))
            {
                // Only authenticated members of "Administrators" may download from it.
                RolePrincipal principal = context.User as RolePrincipal;
                if (principal == null
                    || !principal.Identity.IsAuthenticated
                    || !principal.IsInRole("Administrators"))
                {
                    throw new HttpException(403, "Access forbidden");
                }
            }

            // Everything else is served by Sitefinity's default handler.
            base.ProcessRequest(context);
        }
    }

    When the item is located on the file system you should use an ASP.NET HttpModule, because the request will not be processed through the ContentHttpModule class. You have to subscribe to BeginRequest and prevent access to a given path.

    Sincerely yours,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
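For the file-system case mentioned in the reply above, here is an added example (not Telerik's code and not the poster's) of an ASP.NET module that blocks a folder of physical files. The folder `~/SecureFiles/`, the role `Administrators` and the module name are assumptions chosen for illustration. It hooks `AuthorizeRequest` rather than `BeginRequest`: at `BeginRequest` the authentication modules have not run yet, so `context.User` is still empty and every caller would look anonymous. The module can only deny what actually reaches the managed pipeline: under IIS 6 static files such as PDFs are served by IIS itself unless a wildcard script map routes them to ASP.NET, and under IIS 7 you need the integrated pipeline (or `runAllManagedModulesForAllRequests="true"`).

```csharp
// Added example, not part of the original thread or of Sitefinity.
// web.config registration (module name assumed):
//   classic pipeline / IIS 6:   <system.web><httpModules>
//       <add name="SecuredFolderModule" type="SecuredFolderModule" />
//   IIS 7 integrated pipeline:  <system.webServer><modules>
//       <add name="SecuredFolderModule" type="SecuredFolderModule" />
using System;
using System.Security.Principal;
using System.Web;

public class SecuredFolderModule : IHttpModule
{
    // Application-relative folder holding the protected physical files (assumed).
    private const string ProtectedFolder = "~/SecureFiles/";
    // Role allowed to download from it (assumed).
    private const string RequiredRole = "Administrators";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after AuthenticateRequest, so the forms
        // authentication ticket has already been turned into context.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // Compare the decoded, query-less Request.Path against the absolute
        // virtual path of the folder; RawUrl may carry a query string or
        // differently encoded segments and is easier to slip past.
        string protectedPath = VirtualPathUtility.ToAbsolute(ProtectedFolder);
        string requestPath = context.Request.Path;

        if (!requestPath.StartsWith(protectedPath, StringComparison.OrdinalIgnoreCase))
        {
            return; // not in the protected folder, let the pipeline continue
        }

        IPrincipal user = context.User;
        bool allowed = user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(RequiredRole);

        if (!allowed)
        {
            // Deny and short-circuit the pipeline: the static file handler
            // never runs, so the bytes are never sent.
            context.Response.Clear();
            context.Response.StatusCode = 403;
            context.Response.StatusDescription = "Forbidden";
            context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            context.Response.Cache.SetNoStore();
            app.CompleteRequest();
        }
    }

    public void Dispose()
    {
    }
}
```

`CompleteRequest()` is used instead of `Response.End()` so the denial does not raise a `ThreadAbortException`, and the 403 is marked `no-store` so a shared proxy does not cache and replay the response.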
  3. Nick Haworth
    20 posts, registered 18 Jan 2010
    21 Jun 2010
    Hi Ivan,

    I had previously seen this method suggested on another forum post, but I think it's a long solution to such a little problem.  Is there no way we can simply secure the directory through a single setting in the web.config (like http://support.microsoft.com/kb/316871) ?

    This is a useful feature to have - why remove it in Sitefinity?
  4. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    21 Jun 2010
    Hi Nick Haworth,

    Control Authorization Permissions will work only for physical and static files. In Sitefinity we work with dynamic data which is not stored on the file system. The items uploaded to the Images and Documents module go to the database. If you use the Files provider instead of Nolics, the items go to the App_Data folder, where you cannot set restrictions, and there are only the items' ID and content data as a buffer.

    Regards,
    Ivan Dimitrov
    the Telerik team
  5. Nick Haworth
    20 posts, registered 18 Jan 2010
    22 Jun 2010
    Hi Ivan,

    I have created a http handler, as suggested but it doesn't seem to be used.  My web.config reference looks like this:

          <add name="CustomCMSHandler" path="*.pdf" type="CustomCmsContentHandler" verb="*"/>

    Now, if I browse to any pdf document within the site, I get an internal server error (Error 500).  I have even removed all the code from the handler's ProcessRequest method, but still get an error 500.

    What am I missing?

    Also, if I host these secure files on the file system, can I not just use the <location> tag in web.config and remove the http handler?

    Thanks.
  6. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    22 Jun 2010
    Hi Nick Haworth,

    Error 500 means bad request, and it occurs when there is a problem with the web server. The registration place of the handler depends on the IIS version you use: How to: Register HTTP Handlers

    Also, if I host these secure files on the file system, can I not just use the <location> tag in web.config and remove the http handler?

    Quoted from the previous reply "Control Authorization Permissions will work only for physical and static files."

    Best wishes,
    Ivan Dimitrov
    the Telerik team
  7. Nick Haworth
    20 posts, registered 18 Jan 2010
    22 Jun 2010
    Hi again!

    I have followed your advice and created a custom handler that handles *.sflb.ashx and then checks the authentication and raises an http 403 response error if the requirements are not met.

    HOWEVER, there seems to be a problem with caching.  If I log in as a user in role_full, the handler correctly allows me to download the file, but if I log out and back in as a user in role_basic (which shouldn't be allowed to access the file), I can still download the file.  This appears to be some sort of a caching issue, because if I recycle my IIS application pool and retry with the role_basic user, it denies me again!

    public override void ProcessRequest(HttpContext context)
    {
        // Only items whose URL contains "/secure/" are restricted.
        if (context.Request.Path.ToLower().Contains("/secure/"))
        {
            RolePrincipal principal = context.User as RolePrincipal;

            // Anonymous callers are rejected outright.
            if (principal == null || !principal.Identity.IsAuthenticated)
            {
                throw new HttpException(403, "Access forbidden");
            }

            // Note: as written, this rejects every authenticated user who is
            // NOT in role_basic, i.e. role_basic members are the ones let through.
            if (!principal.IsInRole("role_basic"))
            {
                throw new HttpException(403, "Access forbidden - please contact us for access.");
            }
        }

        // Authorized (or unrestricted) items are streamed by the default handler.
        base.ProcessRequest(context);
    }


    Am I missing something?

    Thanks for your perseverance.
  8. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    23 Jun 2010
    Hello Nick Haworth,

    Most probably this is the browser cache. Make sure that the library caching is disabled. You could take a look at the attached image.

    Best wishes,
    Ivan Dimitrov
    the Telerik team
  9. Nick Haworth
    20 posts, registered 18 Jan 2010
    23 Jun 2010
    Hi Ivan,

    I have cleared my browser cache and ensured that caching is turned off on the library, but this is still a problem.

    When I put a break point in the handler code and attach to w3wp.exe, it will only hit the breakpoint ONCE.  It's like it's caching the whole handler!

    Confused...!
  10. Ivan Dimitrov
    16072 posts, registered 25 Nov 2016
    23 Jun 2010
    Hello Nick Haworth,

    I am not able to reproduce this issue locally when the cache is disabled. The issue appears for me only if the caching is turned on.  You could set cachingProviderName="*NO*CACHE*" for the Libraries provider declared in the web.config under the cmsEngine node. This should disable the server cache as well.

    Kind regards,
    Ivan Dimitrov
    the Telerik team
  11. Nick Haworth
    20 posts, registered 18 Jan 2010
    23 Jun 2010
    Hi Ivan,

    My <cmsEngine><providers> node now contains this:

    <add name="Libraries" urlRewriteFormat="~/{Provider}/{LibraryName}/[Name].sflb.ashx" urlDateTimeFormat="yy-MM-dd" urlWhitespaceChar="_" visible="False" defaultMetaField="Name" applicationName="/Libraries" allowVersioning="False" allowLocalization="False" localizationProviderName="" allowWorkflow="False" securityProviderName="" versioningProviderName="" connectionStringName="GenericContentConnection" type="Telerik.Libraries.Data.DefaultProvider, Telerik.Libraries.Data" tagEditorTemplate="~/Sitefinity/Admin/ControlTemplates/Libraries/BatchTagsEditor.ascx" cachingProviderName="*NO*CACHE*" />

    Is this correct?  It has made no difference.  Could I use the securityProviderName to add role-based security on documents within a library (so that I can bypass the handler completely)?
  12. Nick Haworth
    20 posts, registered 18 Jan 2010
    24 Jun 2010
    SOLVED!

    I implemented IHttpHandler and set the IsReusable property to false.

    Thanks for your time.
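The shape the handler ends up with after this thread, as an added example that is neither the poster's code nor Telerik's: it implements `IHttpHandler` directly with `IsReusable` returning `false`, performs the role check on every request, marks authorized downloads as non-cacheable so no proxy or output cache can hand the document to the next caller, and delegates the actual streaming of the library item to a fresh `ContentHttpHandler`. It assumes `ContentHttpHandler` (Telerik.Cms.Engine) has a public parameterless constructor, which a handler instantiated by name from web.config must have; the `/secure/` path segment and the `role_full` role are placeholders. The leading comment shows the web.config registration discussed in posts 5 and 6, for both the classic `<httpHandlers>` section and the IIS 7 integrated-mode `<handlers>` section; the `*.sflb.ashx` pattern is the one in the Libraries provider's `urlRewriteFormat` quoted in post 11, and it is what the handler must be registered for (not `*.pdf`). Anonymous callers get a 401, which the forms authentication module turns into a redirect to the login page; authenticated users outside the role get a 403.

```csharp
// Added example, not code from the original thread or from Sitefinity.
// web.config registration, replacing the existing *.sflb.ashx entry
// (type name assumed; add the namespace and assembly if you use one):
//   <system.web><httpHandlers>
//     <add path="*.sflb.ashx" verb="*" type="SecuredLibraryHandler" />
//   <system.webServer><handlers>                    (IIS 7 integrated mode)
//     <add name="SecuredLibraryHandler" path="*.sflb.ashx" verb="*"
//          type="SecuredLibraryHandler" preCondition="integratedMode" />
using System;
using System.Security.Principal;
using System.Web;
using Telerik.Cms.Engine;

public class SecuredLibraryHandler : IHttpHandler
{
    private const string SecuredSegment = "/secure/"; // assumed path segment
    private const string AllowedRole = "role_full";   // assumed role name

    // false: ASP.NET builds a new instance for every request, so nothing that
    // was computed for one user (principal, role decision, wrapped handler
    // state) survives into the next request.
    public bool IsReusable
    {
        get { return false; }
    }

    public void ProcessRequest(HttpContext context)
    {
        // Request.Path is already URL-decoded and carries no query string.
        bool isSecured = context.Request.Path.IndexOf(
            SecuredSegment, StringComparison.OrdinalIgnoreCase) >= 0;

        if (isSecured)
        {
            IPrincipal user = context.User;

            if (user == null || !user.Identity.IsAuthenticated)
            {
                // 401: FormsAuthenticationModule redirects to the login page.
                Deny(context, 401, "Authentication required");
                return;
            }

            if (!user.IsInRole(AllowedRole))
            {
                Deny(context, 403, "Access forbidden - please contact us for access.");
                return;
            }

            // Authorized: forbid any shared cache from storing the document.
            context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            context.Response.Cache.SetNoStore();
        }

        // A fresh Sitefinity handler per request streams the library item
        // (assumes ContentHttpHandler has a public parameterless constructor).
        new ContentHttpHandler().ProcessRequest(context);
    }

    private static void Deny(HttpContext context, int status, string message)
    {
        context.Response.Clear();
        context.Response.StatusCode = status;
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.Write(message);
        // End the pipeline without the ThreadAbortException Response.End() raises.
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Keeping `cachingProviderName="*NO*CACHE*"` on the Libraries provider, as suggested in post 10, still matters: `IsReusable = false` stops the handler instance from being shared, while the provider setting stops Sitefinity itself from serving an item it cached for an earlier, authorized user.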