Click here to Skip to main content
14,880,672 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I want to restrict users to access files using URL absolute path (authenticated and not).

Users wont be able to access a CSS or Js file (for example entering http://codeproject.com/css_folder/something.js).

Obviously I cant deny access on web.config because if I do that the JS are not executed (for authenticated users).

So I'm thinking on an approach through some code. Something like this:

C#
string path = Request.Url.AbsoluteUri;
        string strExt = System.IO.Path.GetExtension(path); // to get extension
        Response.Write("here: " + path);
        Response.Write(" test: " + strExt);
        if (!System.IO.Path.IsPathRooted(path)) //should get if entered absolute path
        {
            if ((strExt == ".css") || (strExt == ".js"))
            {
                Response.Redirect("notas.aspx");



But that's not working. And is natural, because when we enter absolute path there's no more server side code processed on that page.

From what I searched the solution is using a HttpHandler to build CSS and JS, and then change authorization on those handlers.

I did on web.config
XML
<httpHandlers>
         <add verb="*" path="css/*.css" type="handler.MyHttpHandler, handler" />
      <add verb="*" path="Script/*.js" type="handler.MyHttpHandler, handler" />
</httpHandlers>

and created a class Myhhtphandler

<pre lang="cs">

public class MyHttpHandler : IHttpHandler, IReadOnlySessionState
{
    public void ProcessRequest(HttpContext context)
    {
       
            context.Response.Redirect("/login.aspx?retUrl=" + context.Request.RawUrl);
           
      
    }
    public bool IsReusable
    {
        get { return false; }
    }
}


I have two problems: I dont know if this correct, and I get an error "could not load file or assembly 'handler' or one of its dependencies. The system cannot find the file specified."

Sorry if the solution is too obvious, but I honestly dont know.

EDIT: I created a web.config dedicated on css folder a placed html handlers, this way I dont get errors but I still can access the css file through URL absolute path.

EDIT2:

Now using as simple as that: MyHttpHandler.cs:

C#
using System.Web;
using System.Web.Security;
using System.Web.UI;
namespace test
{
   public class MyHttpHandler : IHttpHandler
   {
      public void ProcessRequest(HttpContext context)
      {
         context.Response.Redirect(
            "~/Downloads/Files/AccessDenied.aspx");
      }
      public bool IsReusable
      {
         get
         {
            return true;
         }
      }
   }
}


css/web.config:

XML
<?xml version="1.0"?>
<configuration>
  <system.web>

        <httpHandlers>
          <add verb="*" path="*.css"
          type="test.MyHttpHandler"/>
        </httpHandlers>

  </system.web>
</configuration>


Still dont work.
Posted
Updated 27-Dec-10 16:18pm
v4

1 solution

Change the Web.Config to,

XML
<add verb="*" path="css/*.css" type="handler.MyHttpHandler" />


I believe "handler" is your namespace.

IHttpModule is perfect for your scenario because Module is the one which gets execute first before all the request.

Refer here[^]
   
v2
Comments
Maxdd 7 27-Dec-10 22:02pm
   
Without the "namespace" dont work as well.

How should I use IHttpModule ?
Venkatesh Mookkan 27-Dec-10 22:07pm
   
Yes. It will not work without namespace. But the type="handler.MyHttpHandler, handler" the "handler" after comma is assembly name. I hope you know what is assembly name.

IHttpModule is as similar as IHttpHandler which with different function implementation. You have register Modules to your website using web.config like Handlers.

I have added the reference link in the answer section
Maxdd 7 27-Dec-10 22:09pm
   
Here it is:
<add verb="supported http verbs" path="path" type="namespace.classname, assemblyname" />

I'll take a look at ihttpmodule.
Maxdd 7 27-Dec-10 22:19pm
   
Meanwhile what do you think of my new implementation? (I edited my question). I really believe that shoulded work.
Venkatesh Mookkan 27-Dec-10 22:38pm
   
"Still don't work" - means? Are you still having problem in configuring the Handler?
Maxdd 7 27-Dec-10 22:46pm
   
Means that the handler simply dont work.

I thing the problem is related due to the fact I have to config the IIS. But the server I use does not allow that direct config.

I hope I'm wrong.
Venkatesh Mookkan 27-Dec-10 22:51pm
   
Web.Config:
<add verb="*" path="*.css" type="TestHandler.MyHttpHandler"/>


MyHttpHandler.cs:

namespace TestHandler
{
public class MyHttpHandler : IHttpHandler
{
#region IHttpHandler Members

public bool IsReusable
{
get { return true; }
}

public void ProcessRequest(HttpContext context)
{

}

#endregion
}
}

The above works perfectly for me.
Maxdd 7 27-Dec-10 22:59pm
   
Well I dont understand.

Do you have your MyHttpHandler.cs: on /webroot? that web.config is on CSS folder ?

I just copied, pasted, and when I enter http://webroot/css/style.css

I saw all my css code
Venkatesh Mookkan 27-Dec-10 23:00pm
   
Place a breakpoint at the starting of ProcessRequest function and check if, you are able to go into the Handler?
Maxdd 7 27-Dec-10 23:04pm
   
No, ProcessRequest(HttpContext context) is not being executed.
Venkatesh Mookkan 27-Dec-10 23:07pm
   
Actually I using FileSystem Website. I switched to IIS mode, the css gets displayed. I understand the problem now. The problem is IHttpHandler. Write your restriction logic in IHttpModule and add it your website. You will be all set.
Dalek Dave 27-Dec-10 23:12pm
   
Good Answer
Kasson 27-Dec-10 23:15pm
   
Good call Venkatesh
Maxdd 7 27-Dec-10 23:17pm
   
Forgot to say (really tired), thanks for your conclusion.
Venkatesh Mookkan 27-Dec-10 23:33pm
   
I have build a website using IHttpModule which is a security guard (Authentication and validation) for my application. It is hosted in IIS 5.1, IIS 6.0, IIS 7.5 (Window 7 Pro & Server). You have to nothing to configure on the IIS and nothing to do with OS also. Just web.config setting is enough. You can search CP for better example on IHttpModule
Maxdd 7 28-Dec-10 0:16am
   
Thank you very much Mookkan.

First of all, I hope my deleted posts are really being deleted, because I'm posting many posts (i cant edit them so I delete them with the updates).

I solved part of the problem. I was using too many http modules. I realized I just need one - primary web.config. Altough now when I go through absolute path file is "not found" (what I want), my CSS and JS are not being loaded on the page.

I tried to solve the problem through web.config on css and script folders:

<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>



but dont work. Any ideas ?

Looks like ihttp module is blocking all .css and .js files, not the only ones on absolute path..
Venkatesh Mookkan 28-Dec-10 0:22am
   
<authorization>
<deny users="*">
</authorization>

Should work
Maxdd 7 28-Dec-10 10:12am
   
Unfortunately no, because the problem with at the handler.

I'm trying this way:

string filePath = context.Request.FilePath;
string absolute = context.Request.Url.AbsoluteUri;

context.Response.Write("path: " + filePath + " abs: " + absolute);

try
{

string fileExtension =
VirtualPathUtility.GetExtension(filePath);
if (fileExtension.Equals(".css") && (filePath == absolute))
context.Response.Redirect("nothing.aspx");
}

I get the CSS (the same) and the output:
path: /StickyNotes3.5/css/style.css abs: http://localhost:xx/StickyNotes3.5/css/style.css

So I'm really near.
Venkatesh Mookkan 28-Dec-10 10:19am
   
Maxdd7, You should listen. You have to use IHttpModule.
Maxdd 7 28-Dec-10 10:34am
   
Well, that's what am I using now.

In your answer, you referred me this link
http://msdn.microsoft.com/en-us/library/ms227673.aspx

And that's what I'm using.

Right ?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900