Restricting access through absolute path (css and js) - use Http Handlers

Question

0.00/5 (No votes)

See more:

I want to restrict users to access files using URL absolute path (authenticated and not).

Users wont be able to access a CSS or Js file (for example entering http://codeproject.com/css_folder/something.js).

Obviously I cant deny access on web.config because if I do that the JS are not executed (for authenticated users).

So I'm thinking on an approach through some code. Something like this:

C#

string path = Request.Url.AbsoluteUri;
        string strExt = System.IO.Path.GetExtension(path); // to get extension
        Response.Write("here: " + path);
        Response.Write(" test: " + strExt);
        if (!System.IO.Path.IsPathRooted(path)) //should get if entered absolute path
        {
            if ((strExt == ".css") || (strExt == ".js"))
            {
                Response.Redirect("notas.aspx");

But that's not working. And is natural, because when we enter absolute path there's no more server side code processed on that page.

From what I searched the solution is using a HttpHandler to build CSS and JS, and then change authorization on those handlers.

I did on web.config

XML

<httpHandlers>
         <add verb="*" path="css/*.css" type="handler.MyHttpHandler, handler" />
      <add verb="*" path="Script/*.js" type="handler.MyHttpHandler, handler" />
</httpHandlers>

and created a class Myhhtphandler

<pre lang="cs">

public class MyHttpHandler : IHttpHandler, IReadOnlySessionState
{
    public void ProcessRequest(HttpContext context)
    {
       
            context.Response.Redirect("/login.aspx?retUrl=" + context.Request.RawUrl);
           
      
    }
    public bool IsReusable
    {
        get { return false; }
    }
}

I have two problems: I dont know if this correct, and I get an error "could not load file or assembly 'handler' or one of its dependencies. The system cannot find the file specified."

Sorry if the solution is too obvious, but I honestly dont know.

EDIT: I created a web.config dedicated on css folder a placed html handlers, this way I dont get errors but I still can access the css file through URL absolute path.

EDIT2:

Now using as simple as that: MyHttpHandler.cs:

C#

using System.Web;
using System.Web.Security;
using System.Web.UI;
namespace test
{
   public class MyHttpHandler : IHttpHandler
   {
      public void ProcessRequest(HttpContext context)
      {
         context.Response.Redirect(
            "~/Downloads/Files/AccessDenied.aspx");
      }
      public bool IsReusable
      {
         get
         {
            return true;
         }
      }
   }
}

css/web.config:

XML

<?xml version="1.0"?>
<configuration>
  <system.web>

        <httpHandlers>
          <add verb="*" path="*.css"
          type="test.MyHttpHandler"/>
        </httpHandlers>

  </system.web>
</configuration>

Still dont work.

Posted 27-Dec-10 15:45pm

Maxdd 7

Updated 27-Dec-10 16:18pm

v4

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Venkatesh Mookkan · Accepted Answer · 2010-12-27T15:58:00

Solution 1

Change the Web.Config to,

XML

<add verb="*" path="css/*.css" type="handler.MyHttpHandler" />

I believe "handler" is your namespace.

IHttpModule is perfect for your scenario because Module is the one which gets execute first before all the request.

Refer here[^]

Posted 27-Dec-10 15:58pm

Venkatesh Mookkan

Updated 27-Dec-10 16:07pm

v2

Comments

Maxdd 7 27-Dec-10 22:02pm

Without the "namespace" dont work as well.

How should I use IHttpModule ?

Venkatesh Mookkan 27-Dec-10 22:07pm

Yes. It will not work without namespace. But the type="handler.MyHttpHandler, handler" the "handler" after comma is assembly name. I hope you know what is assembly name.

IHttpModule is as similar as IHttpHandler which with different function implementation. You have register Modules to your website using web.config like Handlers.

I have added the reference link in the answer section

Maxdd 7 27-Dec-10 22:09pm

Here it is:
<add verb="supported http verbs" path="path" type="namespace.classname, assemblyname" />

I'll take a look at ihttpmodule.

Maxdd 7 27-Dec-10 22:19pm

Meanwhile what do you think of my new implementation? (I edited my question). I really believe that shoulded work.

Venkatesh Mookkan 27-Dec-10 22:38pm

"Still don't work" - means? Are you still having problem in configuring the Handler?

Maxdd 7 27-Dec-10 22:46pm

Means that the handler simply dont work.

I thing the problem is related due to the fact I have to config the IIS. But the server I use does not allow that direct config.

I hope I'm wrong.

Venkatesh Mookkan 27-Dec-10 22:51pm

Web.Config:
<add verb="*" path="*.css" type="TestHandler.MyHttpHandler"/>

MyHttpHandler.cs:

namespace TestHandler
{
public class MyHttpHandler : IHttpHandler
{
#region IHttpHandler Members

public bool IsReusable
{
get { return true; }
}

public void ProcessRequest(HttpContext context)
{

}

#endregion
}
}

The above works perfectly for me.

Maxdd 7 27-Dec-10 22:59pm

Well I dont understand.

Do you have your MyHttpHandler.cs: on /webroot? that web.config is on CSS folder ?

I just copied, pasted, and when I enter http://webroot/css/style.css

I saw all my css code

Venkatesh Mookkan 27-Dec-10 23:00pm

Place a breakpoint at the starting of ProcessRequest function and check if, you are able to go into the Handler?

Maxdd 7 27-Dec-10 23:04pm

No, ProcessRequest(HttpContext context) is not being executed.

Venkatesh Mookkan 27-Dec-10 23:07pm

Actually I using FileSystem Website. I switched to IIS mode, the css gets displayed. I understand the problem now. The problem is IHttpHandler. Write your restriction logic in IHttpModule and add it your website. You will be all set.

Dalek Dave 27-Dec-10 23:12pm

Good Answer

Kasson 27-Dec-10 23:15pm

Good call Venkatesh

Maxdd 7 27-Dec-10 23:17pm

Forgot to say (really tired), thanks for your conclusion.

Venkatesh Mookkan 27-Dec-10 23:33pm

I have build a website using IHttpModule which is a security guard (Authentication and validation) for my application. It is hosted in IIS 5.1, IIS 6.0, IIS 7.5 (Window 7 Pro & Server). You have to nothing to configure on the IIS and nothing to do with OS also. Just web.config setting is enough. You can search CP for better example on IHttpModule

Maxdd 7 28-Dec-10 0:16am

Thank you very much Mookkan.

First of all, I hope my deleted posts are really being deleted, because I'm posting many posts (i cant edit them so I delete them with the updates).

I solved part of the problem. I was using too many http modules. I realized I just need one - primary web.config. Altough now when I go through absolute path file is "not found" (what I want), my CSS and JS are not being loaded on the page.

I tried to solve the problem through web.config on css and script folders:

<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>

but dont work. Any ideas ?

Looks like ihttp module is blocking all .css and .js files, not the only ones on absolute path..

Venkatesh Mookkan 28-Dec-10 0:22am

<authorization>
<deny users="*">
</authorization>

Should work

Maxdd 7 28-Dec-10 10:12am

Unfortunately no, because the problem with at the handler.

I'm trying this way:

string filePath = context.Request.FilePath;
string absolute = context.Request.Url.AbsoluteUri;

context.Response.Write("path: " + filePath + " abs: " + absolute);

try
{

string fileExtension =
VirtualPathUtility.GetExtension(filePath);
if (fileExtension.Equals(".css") && (filePath == absolute))
context.Response.Redirect("nothing.aspx");
}

I get the CSS (the same) and the output:
path: /StickyNotes3.5/css/style.css abs: http://localhost:xx/StickyNotes3.5/css/style.css

So I'm really near.

Venkatesh Mookkan 28-Dec-10 10:19am

Maxdd7, You should listen. You have to use IHttpModule.

Maxdd 7 28-Dec-10 10:34am

Well, that's what am I using now.

In your answer, you referred me this link
http://msdn.microsoft.com/en-us/library/ms227673.aspx

And that's what I'm using.

Right ?