tags:

views:

366

answers:

3
Q: 

How do I restrict access to pdf files on my server?

I am using ASP.Net MVC. I have restricted access to the web site using ASP Forms authentication. However, the web pages contain links to pdf files on the server which I also want protected.

For example, the user can browse to foo.com and foo.com/account/logon. Once they logon they can access foo.com/category/bar which presents the view in bar.aspx. On that view is a link to foo.com/files/theta.pdf which loads up in the browser just fine. However, I don’t want foo.com/files/theta.pdf accessible from the browser unless the user has authenticated.

How do I prevent a user from accessing foo.com/files/theta.pdf directly from their browser without first authenticating at foo.com/account/logon?

+4  A: 

Pass the request through a controller, and return a FileResult. You can apply whatever security you want to the controller method, either by using the Authorize attribute, or by checking permissions inside the controller method.

There is an example of such code at this question, which illustrates how to return an image file. Just return your pdf instead of the image file, and use application/pdf as the MIME type.

Robert Harvey  2010-03-03 00:54:43
Thanks. I changed the controller to accept a parameter identifying the file, then constructed the path and returned a FileResult. That had the desired effect of displaying the PDF. However, a user could still add the entire link in the browser and bring it up. I tried adding the location element to the web config as suggested by Charles but that didn’t do the trick (perhaps I did something wrong). I was able to get the desired effect however by adding a “deny” rule on that folder using IIS Manager. So now the user cannot display the PDF directly.
Jeff Rubingh  2010-03-04 02:37:36
`However, a user could still add the entire link in the browser and bring it up.` -- That's why you add the Authorize attribute to the controller method, to restrict access to only those users that are assigned to the proper role. If the user types in an Url, access to which he is denied, he can be redirected to a Login or Unauthorized page instead of returning the `FileResult`. This is the same security you would add to *any* controller method to allow or deny access based on the user's assigned roles. More info here: http://nerddinnerbook.s3.amazonaws.com/Part9.htm
Robert Harvey  2010-03-04 02:52:00
+2  A: 

If you want to restrict all access to the /files directory you could simply use a location element in your web.config to restrict access.

E.g.

<location path="~/files">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

I should add that I agree with Robert and Rob for advanced security, but if you just want a simple solution this should do the trick. :-)

HTHs,
Charles

Charlino  2010-03-03 01:09:18
A: 

Use FileResult, which I believe is a built-in ActionResult. This will send back binary data that you can have all kinds of authorization around:

http://msdn.microsoft.com/en-us/library/system.web.mvc.fileresult.aspx

Rob Conery  2010-03-03 04:52:43

related questions

Zend_Pdf_Page::drawContentStream() Example?
Convert a .doc or .pdf to an image and display a thumbnail in Ruby?
Placing a PDF inside another PDF document with Zend_PDF
Open source PDF library for C/C++ application?
Opening a PDF in WPF Application
How to best merge information, at a server, into a "form", a PDF being generated as the final output
How does one decrypt a PDF with an owner password, but no user password?
How does google make make those awesome PDF reports in Analytics and when you print a Google Doc etc?
What's a good method for extracting text from a PDF using C# or classic ASP (VBScript)?
File format for generating dynamic reports in applications
Automated PDF Creation from URL
How do I display a PDF in Adobe Flex?
Latex=>PDF Rights management
Why is my PDF footer text invisible?
Python module for converting PDF to text
What's the best way to import/read data from pdf files?
Are e-book readers good enough for tech books?
PDF generation from XHTML in a LAMP environment
Create PDFs from multipage forms in WebObjects
Printing a PDF in .NET
PDF Creation Tutorials?
PDF Editing in PHP?
Organizing Documents
Get a preview jpeg of a pdf on windows?
How do I programmatically create a PDF in my .NET application?