Protect my pdf documents
-
Hi friends, I suddenly got stuck today; will anyone help me out? The problem is like this. I have a site in ASP.NET where login is required to view pages. I've used forms authentication to solve this problem. After these pages are called, they have links to PDF documents. These PDF documents are visible only if the user is a subscriber to the document. But once the URL is known, anybody can directly access the PDF documents. Is it possible with forms authentication so that whenever the URL path to the PDF document is entered directly, the user is redirected to the login page? Also, how could we distinguish whether this user is a subscribed user or a guest user, and which documents he is allowed to see? Thank you. Warm regards, Tech4U
-
You may want to consider creating an HTTP handler for the PDF requests. Instead of linking directly to the PDF, you would link to your HTTP handler, passing a document identifier in the query string. The handler would be responsible for handling user security and retrieving the PDF on the user's behalf. Sending the PDF via an HTTP handler would look something like:
    using System;
    using System.Web;

    namespace Example
    {
        public class PDFServer : IHttpHandler
        {
            /// <summary>
            /// Signals whether the instance of the HttpHandler is reusable
            /// across requests.
            /// </summary>
            ///
            /// <value>True if the instance is reusable, False otherwise</value>
            ///
            public bool IsReusable
            {
                get
-
Thank you, Jesse. I proceeded as you guided and the outcome is good, but now my program only distinguishes between authenticated users and anonymous users. I need a method by which I can know whether the said user is a subscriber to that document or not. Now suppose a situation like this: a person X has subscribed to a document "abc.doc". X is able to see the document and can also see the full URL. Now suppose he copies the URL and gives it to another person Y. Then Y can do these steps to see the document: 1) log in, 2) paste the URL given by X. Then he will be able to see the document, even if Y is not a subscriber to that document. Please help to rectify this. Thank you.
-
I'm afraid that I don't see a quick answer to this. You're going to have to come up with a security strategy. You will need to set up some kind of way to distinguish who has access to a given document. There are a couple of strategies that come to mind. If you find that document permissions are grouped in some kind of pattern, then you will probably want to consider a role-based security solution. Basically, what this means is that you'll define the general groups that the documents fall into, and associate a user with each group. The search that I linked has tons of good examples. I'd start with Heath Stewart's article here on CodeProject. If you can't discern any grouping patterns, then you will most likely have to devise a system of associating a user with an individual document. The easiest approach that I can think of to do so would be a simple table in a database that matches the user id and the document id. Hope that helps a bit. :) --Jesse
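
Added example (not part of the original thread and not Jesse's code): a handler that applies the user-to-document table suggested above, so a logged-in user who pastes another subscriber's URL gets a 403 instead of the file. The `Documents` and `UserDocuments` tables, the `Portal` connection string, the `id` query parameter and the `~/App_Data/pdf/` folder are assumptions.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

// Added illustration: table, column, folder and connection-string names are hypothetical.
public class SubscribedPdfHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication only answers "who is this?".
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        int documentId;
        if (!int.TryParse(context.Request.QueryString["id"], out documentId)) { context.Response.StatusCode = 400; return; }
        // The user/document table answers "may this user read this document?".
        string fileName = FindSubscribedFile(context.User.Identity.Name, documentId);
        if (fileName == null)
        {
            context.Response.StatusCode = 403; // logged in, but no matching subscription row
            return;
        }
        // The file name comes from the database, never from the request.
        context.Response.ContentType = "application/pdf";
        context.Response.TransmitFile(context.Server.MapPath("~/App_Data/pdf/" + fileName));
    }

    // Returns the stored file name only when a row links this user to this document.
    static string FindSubscribedFile(string userName, int documentId)
    {
        const string sql = "SELECT d.FileName FROM Documents d " +
            "JOIN UserDocuments ud ON ud.DocumentId = d.DocumentId " +
            "WHERE ud.UserName = @user AND d.DocumentId = @doc";
        string cs = ConfigurationManager.ConnectionStrings["Portal"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@user", userName);
            cmd.Parameters.AddWithValue("@doc", documentId);
            conn.Open();
            return cmd.ExecuteScalar() as string; // null when no row matches
        }
    }
}
```

Because the check runs on every request and keys on the authenticated identity, knowing the URL grants nothing by itself; the files should also sit where no direct URL maps to them.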
-
Who's that? Ahh Jesse Squire! Welcome back :-D ! How are you? You have been quiet for a long time.
-
Hiya Minh! Congrats on the 2006 MVP. I see you've been taking good care of the place while I've been gone. :laugh: I'm doing well, thanks for asking. I got clobbered by a couple of huge projects at work which burned me out for a bit. How's everything on your end? --Jesse
-
Hi Jesse, I need to work on designing a portal for secured software distribution downloads. I think your code snippet will help me a lot. I have a small query. Does this mechanism work fine with a huge data file? Say I have an install of 100 MB. Does this work fine? Please do let me know. Thanks, Harinath, India
-
Technically, I believe it would work. However, I wouldn't advocate it as written for heavy use with large files. The drawback to my code is that the files being passed through the HttpHandler are being read into memory then dumped to the response buffer. For your purposes, I'd spend a bit more time looking into securing that directory. You're not the first person to tackle this, so I'd have to imagine that sifting through Google may yield some gems. If you were interested in experimenting a bit, you could try more of a streaming approach to the HttpHandler. You could use the same basic method, but instead of reading the entire file, use a binary reader to get a chunk of bytes, pass it to the response string, flush the response buffer, and repeat until done. That should lower the memory footprint [may also impact the speed a bit]. The disclaimer here is that I'm throwing an idea off the top of my head. I haven't tried it, but it may be worth some experimentation. If you do decide to go this route, please check in and let me know the results. Best of luck. :) --Jesse
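
Added example (not part of the original thread and not Jesse's code): the read-a-chunk, write, flush loop described above, so a 100 MB download occupies one buffer of memory per request rather than the whole file. The `DownloadStreamer` name, its parameters and the 64 KB buffer size are assumptions.

```csharp
using System.IO;
using System.Web;

// Added illustration of the chunked approach; names and buffer size are assumptions.
public static class DownloadStreamer
{
    const int ChunkSize = 64 * 1024;

    // Call only after the request has passed the authentication and subscription checks.
    public static void Send(HttpContext context, string physicalPath, string contentType)
    {
        HttpResponse response = context.Response;
        response.Clear();
        response.BufferOutput = false;   // do not accumulate the whole body in memory
        response.ContentType = contentType;
        response.AddHeader("Content-Length", new FileInfo(physicalPath).Length.ToString());

        byte[] buffer = new byte[ChunkSize];
        using (FileStream file = new FileStream(physicalPath, FileMode.Open,
                                                FileAccess.Read, FileShare.Read))
        {
            int read;
            while ((read = file.Read(buffer, 0, buffer.Length)) > 0)
            {
                // Stop reading from disk as soon as the client has gone away.
                if (!response.IsClientConnected)
                    break;
                response.OutputStream.Write(buffer, 0, read);
                response.Flush();        // push this chunk out before reading the next
            }
        }
    }
}
```

`HttpResponse.TransmitFile` is the built-in alternative when no per-chunk logic is needed; it also writes the file to the output stream without buffering it in memory.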