iis 7 - Protecting Executable Download in ASP.NET


I have an executable, and I want to restrict who is able to download it. I have UI trimming so the link is not present when the user is not authorized to run the executable. I have also set a rule in web.config to protect the resource from unauthorized downloads, but it does not work.

    <location path="Utilities/SomeTool.exe">
      <system.web>
        <authorization>
          <allow roles="SomeRole" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

When I try to download the resource, I get the login page, which is expected for a user who is not in that role, but a user in the role should be able to download the resource.

I can change the rule in web.config so that it allows a specific user, and I am able to reach the executable as that specific user, but that will not work, because I would need to modify the access rules for each user added to the role.

    <location path="Utilities/SomeTool.exe">
      <system.web>
        <authorization>
          <allow users="MyUserName" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

I have already set up web.config to take advantage of the integrated pipeline in IIS7 by removing and re-adding the list of managed modules. This should treat all resources on my website as if they were ASP.NET resources.

Does anyone know what I may have forgotten in the configuration of IIS 7 to protect executables?

I have thought about other solutions that I could implement to protect the executable from unauthorized downloads, such as creating a web service that the link points to and that returns the executable. Then, in the web service, I could verify the user's role before returning the executable. But this seems like more work than it should be.

The system.web section of my web.config is here:

    <system.web>
      <compilation debug="false" targetFramework="4.0" />
      <httpRuntime enableVersionHeader="false" requestValidationMode="2.0" />
      <customErrors mode="RemoteOnly">
        <error statusCode="404" redirect="~/MyErrorPage.aspx" />
      </customErrors>
      <authentication mode="Forms">
        <forms timeout="60" ticketCompatibilityMode="Framework40" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
      <sessionState timeout="60" />
      <membership defaultProvider="MyMembershipProvider">
        <providers>
          <clear />
          <add name="MyMembershipProvider" type="MyMembershipProvider" applicationName="MyApp" />
        </providers>
      </membership>
      <roleManager defaultProvider="MyRoleProvider" enabled="true" cacheRolesInCookie="true" cookieTimeout="60">
        <providers>
          <clear />
          <add name="MyRoleProvider" type="MyRoleProvider" applicationName="MyApp" />
        </providers>
      </roleManager>
    </system.web>

As a side note, the web.config works with my website when it is hosted in Visual Studio 2010, but fails when running in IIS7.

Update: I have tried protecting various other resources by role, such as *.html and *.aspx pages, and I am seeing the same problem: the user is still redirected to the login page even though they belong to the appropriate role.

Thanks in advance.

You already mentioned that in IIS7 integrated mode the ASP.NET handler is used for all file types.

You can read more about this here: and here:

Off the top of my head, I would at least try putting all your private files in a directory and applying the location protection to the directory instead of the actual file. This may fix your problem.

Personally, I would protect the directory path instead of a file, because that is future-proof against changes to the file name.
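
The two pieces discussed in this thread, shown together as an added example (not the asker's or the answerer's actual configuration): the directory-level rule from the answer, and the integrated-pipeline module registration the question refers to. The directory name `Utilities` and the role name `SomeRole` are placeholders, and this is not presented as the confirmed cause of the redirect described above.

```xml
<configuration>
  <!-- Directory-level rule, as the answer suggests: it covers every file
       under Utilities, so renaming the tool does not drop the protection.
       "Utilities" and "SomeRole" are placeholder names. -->
  <location path="Utilities">
    <system.web>
      <authorization>
        <allow roles="SomeRole" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- Re-register the managed modules with an empty preCondition so they
           run for every request in the integrated pipeline, including static
           files such as .exe, not only for requests to managed handlers. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
      <!-- <allow roles="..."> is evaluated against the roles attached to the
           request's principal; the RoleManager module is what attaches them,
           so it has to run for the same requests as UrlAuthorization. -->
      <remove name="RoleManager" />
      <add name="RoleManager"
           type="System.Web.Security.RoleManagerModule" preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" preCondition="" />
    </modules>
  </system.webServer>
</configuration>
```

A useful check when a role rule redirects an authenticated user to the login page is to confirm that all three modules above are registered without the `managedHandler` precondition; if only authentication and URL authorization run for a static file, the principal carries no roles and any `roles` rule falls through to the deny.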
