We have a C# ASP.NET web application that, amongst other things, allows users to download previously uploaded files such as PDFs, Word docs etc. The ASP.NET app is served up via an IIS6 server and the file resources live on a different server.

When the user requests a file (i.e. click a button on the web form), we stream the file back to their browser, changing the ContentType appropriately.

This seemed a good way to avoid going down the IIS virtual folder route to serve up the file resources - which we had concerns about due to the potential for users to hack the URL. i.e. with a URL like https://mydomain/myresource/clientid/myreport.docx, a savvy user could have a good stab at guessing alternative clientid's and document names.

The trouble with streaming a Word document to the browser is that when the browser throws it at Word, Word treats it as a brand new doc, which means the original document's properties & margin info is lost.

Our users store metadata information in the Word doc properties, so this solution is not acceptable to them.

Serving up via IIS virtual folders solves that problem, but introduces the URL security problem.

So my questions are ...

Does anyone know how we can use URL encryption/decryption (or obfuscation) with IIS Virtual folders?
Or does anyone know of any open source projects that do a similar job?
Or does anyone have any suggestions on how to go about writing our own implementation of Virtual folders but with encrypted URLs?

Many thanks in advance.

ps. our web app is delivered over https

A: 

Sorry guys, in my question, I have made some incorrect assumptions.

What I am trying to do is persist the properties stored on a Word document when they are delivered from server (using either Response.TransmitFile or via a virtual folder) to a client browser.

I set up a test scenario with an IIS virtual folder and dropped a docx file (that I know contains info in the title & subject properties) in my virtual folder's physical path.

I pointed my browser at the virtual folder alias and the browser popped up its message to either open or save the doc.

If I choose to save it, the saved docx still has the properties intact.

If I choose to open it first and then save it from Word, the saved docx has lost the properties.

So I think I need to post a different question!

Richard Salt

A: 

I don't have an answer but I have the SAME question for other reasons. THIS one:

Does anyone know how we can use URL encryption/decryption (or obfuscation) with IIS Virtual folders? Or does anyone have any suggestions on how to go about writing our own implementation of Virtual folders but with encrypted URLs?

Our reports are PDF, so we don't have the docx issues above. But the paths are served up in a query string until it gets to the actual file being served, then the entire URL is used to get to the file. The security is done through a user DB and the paths have the USERID in them. This works fine, unless another user knows the whole path to the file, then he can pull it up without being authenticated, since it is not an asp page and no auth can be done at the file level. (Note, this app is in ASP and must remain so).

I thought about rerouting all requests using the IIS directory config to a page that verifies the user and gives them the original request. But then they could get into a loop since it is the same directory. Then I thought about rerouting authenticated users to a NEW virtual directory pointing to the resource. That gives the same problem, though, in that browsing to the actual file is not authenticated. Then I thought about randomly assigning virtual directories every hour, and using that in the directory redirect config page. Better would be to hide the actual path, so the user could not send it to joe blow and have him be able to see the file without being authenticated. HELP! I'm getting lost.

Thanks

A: 

You may find that the ClaimsAuthorizationManager class in "Windows Identity Foundation" does what you want. You get to implement whatever logic you like to determine who can download what without using "directory security".

Rice Flour Cookies
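
An added example, not part of any answer above and not the posters' code: instead of encrypting the virtual-folder path, the page that streams the file can accept a signed, expiring token bound to the logged-in user, so a guessed or forwarded link fails for anyone else. It uses HMAC signing rather than encryption, and the `DownloadToken` class, the integer user and document ids, the token layout and the demo key are all assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper: class name, token layout and key handling are assumptions.
static class DownloadToken
{
    // Constructed demo key; a real deployment loads a random secret from protected config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    static string Sign(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)))
                .TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe, no dots
    }

    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Token = "userId.docId.expiryUnix.signature"; docId is a database key, never a path.
    public static string Issue(int userId, int docId, DateTime expiresUtc)
    {
        string payload = userId + "." + docId + "." + (long)(expiresUtc - Epoch).TotalSeconds;
        return payload + "." + Sign(payload);
    }

    // Returns docId if the token is authentic, unexpired and issued to sessionUser; else -1.
    public static int Validate(string token, int sessionUser, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('.');
        if (p.Length != 4 || !FixedTimeEquals(Sign(p[0] + "." + p[1] + "." + p[2]), p[3])) return -1;
        int user, docId; long exp;
        if (!int.TryParse(p[0], out user) || !int.TryParse(p[1], out docId) || !long.TryParse(p[2], out exp)) return -1;
        if (user != sessionUser || (nowUtc - Epoch).TotalSeconds > exp) return -1;
        return docId;
    }
    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string t = DownloadToken.Issue(17, 4211, now.AddMinutes(5));
        Console.WriteLine(DownloadToken.Validate(t, 17, now));                // owner, in time
        Console.WriteLine(DownloadToken.Validate(t, 99, now));                // forwarded to another user
        Console.WriteLine(DownloadToken.Validate(t, 17, now.AddMinutes(6))); // expired
    }
}
```

The caller maps the returned document id to a physical path on the server and streams it (for example with Response.TransmitFile), so the real path never appears in the URL.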