Protecting Static Files

mojoPortal uses ASP.NET role security to secure pages and modules within the system. However, you may also need to secure static files within the web tree to only be accessible by logged-in users, or those in specific roles.

Securing By Role

For example, consider a company Intranet site, which is secured so that only company employees are allowed access. To enforce this security in mojoPortal, the administrator grants all employees an "Employee" role, and all pages and content features are visible only to administrators and those with the Employee role.

Because the site is secured and requires sign-in, none of the page content and links within the site can be indexed by search engines. However, if an unauthorized person knew or guessed a static file name, it would still be possible to view the file by direct URL (e.g. https://intranet.mycompany.com/Data/Sites/[sitename]/media/pdfs/CompanySecrets.pdf).

To prevent this direct access, you can place a small web.config file at the root of the folder tree you want to secure. In our example, we'll place the stub web.config file in the media folder of our example site (\Data\Sites\[sitenumber]\media).

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- No path attribute: the rules apply to the folder holding this web.config and everything below it. -->
  <location inheritInChildApplications="true">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; the first rule that matches the caller decides. -->
        <allow roles="Employee" />
        <!-- Everyone else, anonymous or signed in without the role, is denied. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

NOTE: Do not put these settings into the web.config at the root of your mojoPortal installation, as that will break skins and likely cause many other issues for anonymous users.

Once the file is in place, when an unauthenticated user attempts to load a static file in that folder or below, they will be redirected to the site login page. If they authenticate and have the Employee role, they will be served the file. If they fail to authenticate, or authenticate but do not have the Employee role, they will receive an error message in their browser.

Securing by Authenticated Status

If you want to allow any authenticated user to access the protected static files, use the same stub file as above, but change the authorization section like this:

<authorization>
  <!-- "?" is the anonymous user. Signed-in users match no rule here and fall through to the inherited <allow users="*" />. -->
  <deny users="?" />
</authorization>
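To make the behaviour of both stubs concrete, the following is an added example (not part of this documentation or of mojoPortal's code): a small Python model of how ASP.NET evaluates an <authorization> section, applied to the two sections above and to a reversed-order variant. The module names, the Caller type and the three constructed callers (anonymous, a signed-in "contractor" without the Employee role, a signed-in "jane" with it) are assumptions for illustration; the only facts taken from ASP.NET are the documented first-match semantics, the meaning of users="*" and users="?", and the inherited <allow users="*" /> at the machine level.

```python
"""Model of ASP.NET URL authorization rule evaluation.

Constructed example for reasoning about the web.config stubs on this page.
It is not the UrlAuthorizationModule itself, only a re-implementation of
its documented semantics: rules are read top to bottom, the first <allow>
or <deny> whose users/roles match the caller decides, and a caller that
matches no local rule falls through to the machine-level <allow users="*"/>.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the two <authorization> sections from the page.
BY_ROLE = """
<authorization>
  <allow roles="Employee" />
  <deny users="*" />
</authorization>
"""

AUTHENTICATED_ONLY = """
<authorization>
  <deny users="?" />
</authorization>
"""

# Constructed: the role stub with its two rules swapped, a common mistake
# that locks everyone out because the deny is matched first.
DENY_FIRST = """
<authorization>
  <deny users="*" />
  <allow roles="Employee" />
</authorization>
"""


@dataclass
class Caller:
    """Minimal stand-in for the request principal (hypothetical type)."""
    name: Optional[str]                 # None means anonymous
    roles: frozenset = field(default_factory=frozenset)

    @property
    def authenticated(self) -> bool:
        return self.name is not None


def _rule_matches(rule: ET.Element, caller: Caller) -> bool:
    """Does one <allow>/<deny> element apply to this caller?

    users="*" matches every caller, users="?" matches anonymous callers only,
    any other user entry matches the caller's name; roles match if the caller
    holds any listed role. Names and roles are compared case-insensitively.
    """
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    for u in users:
        if u == "*":
            return True
        if u == "?" and not caller.authenticated:
            return True
        if caller.authenticated and u.lower() == caller.name.lower():
            return True
    caller_roles = {r.lower() for r in caller.roles}
    return any(r.lower() in caller_roles for r in roles)


def is_allowed(authorization_xml: str, caller: Caller) -> bool:
    """Evaluate an <authorization> section against a caller; first match wins."""
    root = ET.fromstring(authorization_xml.strip())
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        if _rule_matches(rule, caller):
            return rule.tag == "allow"
    return True  # nothing matched locally: inherited <allow users="*"/> applies


# Constructed callers covering the three cases the page describes.
ANONYMOUS = Caller(None)
CONTRACTOR = Caller("contractor", frozenset({"Contractor"}))
EMPLOYEE = Caller("jane", frozenset({"Employee"}))


def outcome_table() -> dict:
    """Which caller may fetch a static file under each stub."""
    callers = {"anonymous": ANONYMOUS, "contractor": CONTRACTOR, "employee": EMPLOYEE}
    stubs = {"by_role": BY_ROLE, "authenticated_only": AUTHENTICATED_ONLY,
             "deny_first": DENY_FIRST}
    return {stub: {who: is_allowed(xml, caller) for who, caller in callers.items()}
            for stub, xml in stubs.items()}


if __name__ == "__main__":
    for stub, results in outcome_table().items():
        print(stub, results)
```

In ASP.NET a deny for an anonymous caller produces a 401 that forms authentication turns into the login redirect described above, while a deny for a signed-in caller without the role stays an error page; the model returns False for both because the decision, not the response, is what the rules control. Two points the table makes visible: the order of the rules matters (the reversed variant denies even employees), and the authenticated-only stub admits every signed-in account, so it is only as selective as your site's registration policy. The rules are enforced by the managed pipeline, so they protect a .pdf or other static file only when IIS routes that request through ASP.NET (integrated mode with managed modules running for all requests), which is worth confirming once with a browser that is not signed in.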

Last Updated 2015-02-05 by Jamie Eubanks