
I have an executable that I want to restrict who is able to download. I have UI trimming in place so the link is not present when the user is not authorized to download the executable. And I put a rule into the web.config to protect the resource from unauthorized downloads, but it doesn't seem to be working.

<location path="Utilities/SomeTool.exe">
  <system.web>
    <authorization>
      <allow roles="SomeRole" />
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

What I see when I try to download the resource is the login page, which would be expected if the user didn't belong to the role that should be able to download the resource.

I can change the rule in the web.config so it allows a specific user, and I am able to access the executable with that particular user, but that won't work, as I'll need to modify the access rule for every user added to the role.

<location path="Utilities/SomeTool.exe">
  <system.web>
    <authorization>
      <allow users="MyUserName"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

I have already set up the web.config to take advantage of the Integrated Pipeline in IIS7, by removing and re-adding a list of modules as directed on this page. This should set up my website to treat all resources as if they are ASP.NET resources.

Is anyone aware of what I might be missing in the configuration of IIS7 to protect the executable?

I have thought of other solutions that I could implement instead to protect the executable from an unauthorized download, such as creating a web service that the link would call into and return the resource. Then inside the web service I could perform the validation of the user's role before returning the executable. But that seems like it is more work than I should need to go through.

Here is the system.web section of my web.config:

<system.web>
  <compilation debug="false" targetFramework="4.0" />
  <httpRuntime enableVersionHeader="false" requestValidationMode="2.0" />
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/MyErrorPage.aspx" />
  </customErrors>
  <authentication mode="Forms">
    <forms timeout="60" ticketCompatibilityMode="Framework40" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
  <sessionState timeout="60" />
  <membership defaultProvider="MyMembershipProvider">
    <providers>
      <clear />
      <add name="MyMembershipProvider" type="MyMembershipProvider" applicationName="MyApp" />
    </providers>
  </membership>
  <roleManager defaultProvider="MyRoleProvider" enabled="true" cacheRolesInCookie="true" cookieTimeout="60">
    <providers>
      <clear />
      <add name="MyRoleProvider" type="MyRoleProvider" applicationName="MyApp" />
    </providers>
  </roleManager>
</system.web>

As a side note, the web.config works with my web site when it is hosted in Visual Studio 2010, but it fails when running in IIS7.

Update: I have tried to protect different resources, both *.html and *.aspx pages, based on role, and I see the same issue of being redirected to the login page even though the user does belong to the appropriate role.

Thanks in advance.

JG in SD
  • Please post your authorization config - so we can all see how you are achieving your roles. On another note: I assume you are saying that you DO belong to the "SomeRole" role, but the website is kicking you to the login page, when it should be allowing the download? – Adam Jul 11 '12 at 23:30
  • @Adam I'm not certain on what you mean by the authorization config, if you mean the system.web/authorization section then I have it posted. Otherwise please be a little more specific to what you mean. And yes, the user I'm using to download the executable does belong to the correct role. – JG in SD Jul 12 '12 at 15:26

1 Answer


You have already mentioned IIS7 integrated mode to attempt to get the ASP.NET handler to be invoked for all file types...

You can read more about it here: URL-authorization and non-Asp.Net related file types. And here: Does web.config authorization work on files other than aspx?

Off the top of my head, I would at least attempt to put all your private files in a sub-directory, and apply the location security to the directory, rather than the actual file itself. This may fix your issue.

Personally, I would secure a directory path rather than a file anyway, as it future-proofs against changes in the file name.

Adam
  • This can't be the issue here. Op says it works fine when using a username instead of role. – Andrew Barber Jul 11 '12 at 23:54
  • Thanks for the advice on protecting the folder instead of the file. Unfortunately this does not work. I posted an update, it seems my problem is a little more than just securing an *.exe, I can't protect any resource by role and have it work. – JG in SD Jul 12 '12 at 15:43
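As an added check that is not code from the question or the answer, the following Python script models how ASP.NET's UrlAuthorizationModule evaluates the rules posted above: the most specific <location> is consulted first, the first matching <allow>/<deny> wins, users="?" matches only anonymous requests, and a request that matches no rule at all is allowed. It also handles the directory-scoped <location path> the answer recommends. Case-insensitive role comparison and the sample config document are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not the asker's full file: the question's site-wide <deny users="?"/> plus its file-level <location>.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="Utilities/SomeTool.exe">
    <system.web><authorization>
      <allow roles="SomeRole" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

_split = lambda attr: [t.strip() for t in attr.split(",") if t.strip()]

def _rules(section):
    # <allow>/<deny> children as (action, users, roles), kept in document order
    return [(r.tag, _split(r.get("users", "")), _split(r.get("roles", "")))
            for r in section if r.tag in ("allow", "deny")]

def load_rule_sets(xml_text):
    """Return [(location_path, rules)]; the site-wide set carries path ''."""
    root = ET.fromstring(xml_text)
    sets = []
    for loc in root.findall("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None:
            sets.append((loc.get("path", "").strip("/").lower(), _rules(auth)))
    site = root.find("system.web/authorization")
    sets.append(("", _rules(site) if site is not None else []))
    return sets

def _covers(location_path, request_path):  # exact file, or anything below a directory
    return (location_path == "" or request_path == location_path
            or request_path.startswith(location_path + "/"))

def is_authorized(xml_text, request_path, user=None, roles=()):
    """Most specific <location> first, first matching rule wins, no match means allowed
    (machine-level <allow users="*"/>). user=None is anonymous; roles assumed case-insensitive."""
    request_path = request_path.strip("/").lower()
    roles = {r.lower() for r in roles}
    applicable = [s for s in load_rule_sets(xml_text) if _covers(s[0], request_path)]
    applicable.sort(key=lambda s: len(s[0]), reverse=True)  # longest path first
    for _, rules in applicable:
        for action, users, rule_roles in rules:
            hit = any(u == "*" or (u == "?" and user is None)
                      or (user is not None and u.lower() == user.lower()) for u in users)
            if hit or any(r.lower() in roles for r in rule_roles):
                return action == "allow"
    return True
```

The model covers only the rule evaluation; it cannot reproduce which roles IIS actually attaches to the authenticated principal, which is the part a users="MyUserName" rule never consults.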