Securing static content

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
10/1/2010 10:57:15 AM
Graham
Gravatar
Total Posts 5
View Posts

Securing static content

I'm looking for a way to secure static content (non-ASP.NET files like images, etc.) and found these two links which recommend the same thing for IIS 7:

http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/

http://weblogs.asp.net/hosamkamel/archive/2008/12/15/secure-file-download-area-using-iis-6-0-and-iis-7-0.aspx

I added those lines to the <modules> tag of the mojoPortal web.config and it didn't work.  Is there something I'm missing or a different way to do this with mojoPortal?  The files I'm interested in securing are on the "Web\Data\Sites\1" path.  I also tested a file just on the "Web" path and it didn't work there either.

10/4/2010 1:15:45 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Securing static content

Making ASP.NET handle requests for static files does not automatically add any security at all, all it does is make ASP.NET serve the file instead of just letting IIS serve it. To actually protect files you would have to implement some custom HttpModule that checks permissions somewhere for the requested file url and decides whether to serve it or not. So you would need to have somewhere to store information about what roles can access what static files and check the current user's roles to decide whether to allow serving the file, just like we check a users roles against page allowed view roles.

Doing this on static content under /Data/Sites/1 would be kind of a bad idea since content uploaded there may be used in pages. While it is technically possible to do it with a custom httpmodule, it would add a lot of overhead to processing requests if you are going to lookup permissions on every file requested.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.