Security :: Protecting Documents In Application?

Aug 28, 2010

There is an ASP.NET application www.example.com/APP. From within the application several documents - for example office documents DOCX, PDF, etc. - can be opened. They are accessed via some virtual directory as in
www.example.com/APP/VIRTUAL/letter.pdf.

Of course, the documents may only be accessed from within the application, after the user has been identified successfully. Some documents may only be opened by some privileged users. It should be impossible to open letter.pdf by simply entering the above url into a browser.

I am thinking about the following...

The name of the virtual directory is kept secret. After the user has successfully logged into the application, some secret is created. The secret contains the user's ID and some time information (valid from / until). Then, if a document is to be referenced from within the application, the url www.example.com/APP/<secret>/letter.pdf is referenced. In IIS the secret is checked. For this, some of my code is called when serving a request. If successful, the url is rewritten as www.example.com/APP/VIRTUAL/letter.pdf. I tried several components, such as the IIS URL Rewrite, IHttpModule, IHttpHandler. Unfortunately, I did not yet succeed.

View 2 Replies


Similar Messages:

Security :: Protecting Page In Vb.net?

Jan 22, 2010

I am using ASP.NET with VB.

I have one page, registration.aspx.

I want that if anyone wants to access that registration page, he has to go through the login.aspx page.

If he writes the page name (registration.aspx) in the URL, it should automatically be redirected to login.aspx.

View 19 Replies

Security :: Login Not Protecting Pages?

Nov 11, 2010

I'm using the following code which authenticates a user and redirects him to a members webpage. This works; however, if I access the protected page directly I bypass the security. Do I need a check in the OnLOAD for each page? My second question is how to say hello username on the members page. What variable can I reference to display the username?

[Code]....

View 5 Replies

Security :: Protecting A Folder Using Membership But No Login Control?

Jun 23, 2010

I have a business site that I want to use to show clients their projects I am working on. I don't want these projects to be visible to anyone but the clients, so I give them a user ID and password. I want to use asp.net membership to manage the login IDs and passwords, but I want to use jquery to submit the login form (it's lighter and leaner than the login control). Here is what I have:

- Page with an html form for login
- .js file with the jquery calls & code in it
- httpHandler to process the information from the form

I have the user entering their ID and password. I am using jquery.forms.js to process the form, which calls the httpHandler and passes the form values to the handler. I have the handler check to see if the user ID and password are correct; if not, it passes back a message to be displayed to the user. If the user is valid, then I have it passing back the role of the user, which also happens to be the name of the folder the client needs to view. I have the page redirecting via javascript to the client's folder once they are authenticated. I have the location of the client folder set up in my web.config.

The problem I'm having is the page just redirects back to the login page, with the return url included (?ReturnUrl=%2fCTS%2f2010+Design%2fLasmer%2findex.aspx). I want it to go to the client folder (Lasmer in this case) once the user has been authenticated. Shouldn't it send me to the folder's default page once it knows the user is authenticated? Do I have a problem in the way my web.config is wired up, and do I need anything in the client folder's web.config? Here is the code for the web.config:

[Code]....

Here is the code for the handler:

[Code]....

Here is the code for the .js file:

[Code]....

Here is the code for the page:

[Code]....

View 8 Replies

Security :: Protecting A Video Streaming Url From Debugging Or Hacking Tools?

Feb 24, 2010

I am working on a video streaming project. The objective is to upload video to the content provider's server and play it to authenticated users only; it should not be accessible to unauthorized users. The content provider provided APIs and endpoints to pass security options, but it does not seem to work when I pass those parameters to the API while uploading the video streaming file. I need to know how I can do that. Is there any other way that I can use rather than the content provider's API endpoints?

View 1 Replies

Security :: Membership As A Security/administration Model For Upload/download Of Documents?

Sep 9, 2010

I'm working on a website where it should be possible for registered users to upload word documents. The administration of users is done through Membership and Profiles. When the documents have been uploaded, the following needs to be achieved:

- Non-registered users should not be allowed to download documents
- I should be able to control which users have access to which documents
- I should be able to register which user downloads which documents
- I should be able to track how many times a document has been downloaded

Can this be achieved by using Membership and Profiles?

View 1 Replies

Digitally Sign PDF Documents In A Web Application?

Jan 27, 2010

I'm building a web application that must allow the user to digitally sign PDF documents with certificates installed in the client machine.

The document, once signed, should be posted back to the server, where it will store the signed version.

The server is running Classic ASP/ASP.NET

View 8 Replies

SQL Reporting :: Create An SQL Statement That Reflects The Documents In Your Application

Mar 24, 2011

I have an application with several web pages. I am developing securities for those web pages.

Thus, I would like to create a dropdownlist that reflects the various aspx pages, or files inside my application. I would prefer that it reflected the aspx pages only and avoided the .cs files, config files, etc. I'm not even sure that this is possible. Is it? If so, how? If I can't filter like that I would still take it.

View 1 Replies

Architecture :: Concrete Software Engineering Documents Examples For Web Application

Feb 22, 2011

Some concrete example of system engineering applied to a web application? I read a lot of books about UML on web applications. But I need a concrete example of all the documentation about a web application. For example document of analysis, project, databas

View 10 Replies

Security :: Access Denied While Accessing The Uploaded Documents (PDF)?

Apr 8, 2010

I am using the NeatUpload file upload control, but the issue may be generic, I am thinking... that's why I am posting on the asp.net site...

The code works fine on my DEV machine (both file system and localhost), but when I deploy the code on Staging or Prod (on the web server)... the upload feature works fine, but when I try to access the uploaded documents from the staging server or Prod server, it says Access denied and cannot open the PDF document?

I tried all the options but could not solve this issue... Is this related to the control or to settings on my IIS...

Before using NeatUpload (single upload) we were using the Microsoft upload control, and it works fine in accessing the documents...

Again, upload works perfectly fine... the issue is accessing the documents...

I am using :

try
{
    // <path name> and <some return value> are placeholders from the original post
    saveLocation = <path name> + fileName;
    FileUpload1.MoveTo(saveLocation, MoveToOptions.Overwrite);
}
catch { <some return value> }
finally
{
    // Release the upload stream and the control after the move
    FileUpload1.FileContent.Position = 0;
    FileUpload1.FileContent.Flush();
    FileUpload1.FileContent.Close();
    FileUpload1.FileContent.Dispose();
    FileUpload1.Dispose();
    GC.Collect();
}

View 7 Replies

Security :: Secure Online Access To Documents And Reports?

Mar 3, 2010

provide secure online access to documents and reports for their customers which entails creating a secure login for clients to access PDF documents to view and print. Also to display all reports available on web server. Would this be as simple as making sure username & password match an entry in a username table using select parameters (of course) then instituting a Session("loginokay") = True along with something like Session.Timeout = ?

View 5 Replies

Security :: What's The Best Method To Control Access To Documents And Jpgs At Runtime

Oct 28, 2010

I want to be able to control access to photos and PDF documents at run time.

I want users to be able to download the photos and documents as soon as they pay for them instead of having to wait for me to email the items to them.

What's the best way to do this? I am using VB.net, SQL Server, and ASP.net.

I am entry level to lower-middle in my programming skills, but can usually follow along.

View 3 Replies

Protecting Content E.g Images?

Apr 14, 2010

I have images displayed in a website behind a username and password that is accessed by our customers. I have put in some simple measures to prevent users from copying these images, e.g. placing an opaque image over the core image so that when users right click and save the image all they get is the opaque image.

I have concerns that customers could easily pass on their user credentials to competitors who can then freely view all the images.

View 2 Replies

C# - Protecting Business Logic In Webservices?

May 8, 2010

Is there a way that a hacker or someone who wants to copy my software logic, can reverse engineer the business logic that I have in a webservice?

Is there a way to protect such information?

My development platform is .NET, ASP.NET and C#.

View 3 Replies

VS 2013 / PDF Protecting / Stamping And Locking?

Jun 9, 2015

I have an ASPNET Application (C#) that runs on my company intranet. This application allows the users to attach PDF files against records.

I am trying to get that PDF uploaded in such a way that whenever the user initially uploads (the uploaded PDF will always be an unlocked PDF), the user name would be stamped on the PDF file and the file is locked by my application so that the user cannot change the PDF again, even when having a PDF Writer. Whenever required, the application should allow the user to unlock the PDF and then allow the user to edit the PDF.

View 4 Replies

Protecting The (location) Element On Web Config?

Oct 26, 2011

Now, since I'm securing the site, I've noticed that the location element does not get much attention. The only thing I have found is that you can use <location path="" allowOverride="false"> on machine.config. I'm not sure how this goes, but if you need to use this on every page then I will have multiple problems. First, if I have a page with the same name on another website there is trouble, and also if I need to update pages, again a problem. What I'm not sure of is whether the location element on machine.config is just used once and then magically every site you have will throw an exception if a hacker changes your web.config. I have doubts and it's confusing, and if I play with the server web.config, well, I don't wanna mess with that.

So I also tried to encrypt the location element, but I cannot find an example (can you encrypt it?). I can encrypt authorization and authentication but I will not go inside the location element. Just the standard authorization and authentication nodes. How can I secure the web.config location element so no hacker can change the allow, deny, etc.?

[URL]

View 8 Replies

C# - Protecting Variable Inside Of Markup : Hyperlink Navigation Property

Mar 2, 2011

I have an asp.net repeater control with a series of asp:HyperLink controls

<asp:HyperLink runat="server" ID="name" NavigateUrl="~/Pages/display.aspx?fileid={0}&user={1}" />

and then on the OnItemDataBound method:

fullname.NavigateUrl = string.Format(name.NavigateUrl, user.fileid, user.userid);

So that gives me a series of URLs in the repeater:

[URL]

OK, so with a simple proxy tool someone can replace either of the parameters with some OTHER number to get access to what they shouldn't see.

Server-side validation and authentication aside, is there a better method other than passing parameters when trying to create a dynamic URL within a repeater?

View 2 Replies

Configuration :: Hiding And Protecting Static XML Files - Embedded Resource?

Nov 3, 2010

Does precompilation have any effect on XML files? i.e. can I obscure/protect xml files using precompilation? I assume that it has no effect as they aren't code.

If I use XML files as Embedded Resources, they appear in the DLL in a text editor as normal text. If the dll is edited and saved using a text editor, will it still work if it is unsigned?

View 2 Replies

Protecting Personally Identifiable Data In SQL Server 2008 Environment

Jan 18, 2011

I've read up on SQL Server 2008's encryption function, but I'm not convinced that's the route I want to go. My problem ultimately boils down to the fact that we're either using symmetric keys or asymmetric keys encrypted by a symmetric key. Thus it seems like a SQL injection attack could lead to a data leak. I realize permissions should prevent that; permissions should also prevent the leaking in the first place.

It seems to me the better method would be to asymmetrically encrypt the data in the web application. Then store the private key offline and have a fat client that they can run the few times a year they need to access the restricted data so the data could be decrypted on the client. This way, if the server gets compromised, we don't leak old data, although depending on what they do we may leak future data. I think the big disadvantage is this would require re-writing the web application and creating a new fat application (to pull the restricted data). Due to the recent problem, I can probably get the time allocated, so now would be the proper time to make the recommendation.

View 3 Replies

Configuration :: Protecting .ascx File In Visual Web Developer 2010 Express?

Sep 14, 2010

I am working on an application that has several user controls (.ascx) for which I do not want to give away the code. I have tried to search about it, but didn't get very far. I am using Visual Web Developer 2010 Express edition, so I cannot publish my website. Also, it doesn't have dotfuscator. What can I do?

View 11 Replies

Security :: Membership - Single User For Multiple Application And Different Role In Each Application

Jan 30, 2010

I have two .NET applications X and Y

a. I want to have User A as a common user for both application X and Y.
b. User A can have different roles on X and Y. Eg. Read permission on Y and Write Permission on Y.

How do I configure ASP.NET membership to achieve the above functionality?

View 3 Replies

Security :: Running Application Under The Security Context Of The Logged In User (LDAP Authentication)

Mar 17, 2011

We are using membership provider for LDAP authentication. It is working as it should.

But what configuration settings do I have to make so that all future requests to this application run under the security context of the logged-in user account, not through some default user set in IIS?

We need to have this working because all the permissions on the database are based on the logged in user.

We are using form authentication for LDAP authentication. And having impersonation = true in web.config.

View 1 Replies

Web Forms :: Security Exception - Application Attempted To Perform Operation Not Allowed By Security Policy

Apr 2, 2013

Error: 

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Locally it runs fine. When I place it in IIS, it throws this exception.

View 1 Replies

Security :: Windows Integrated Security And Application Pool Identity?

Aug 9, 2010

My website security is configured with "Windows Integrated Security" only (anonymous is disabled).

I also want to set a specific account to run the w3wp.exe process, setting the Application Pool Identity to a domain account.

Running directly from the server works without any problem, but from remote computers I always get the authentication window, then the 401.1 error (after 3 attempts).

It seems that its the combination of "Windows Integrated Security" along with the "Application Pool Identity" that causes the problem. When I disable one of the two it works properly.

My server is Windows Server 2003 R2, running IIS 6.0.

View 1 Replies

Security :: Access The Network Shared Folder From The Application Without Any Security?

Feb 17, 2010

I developed an ASP.NET (2.0) application which contains the attachments of the clients. These attachments are saved in the shared folder, and the file is retrieved when the user requests it. If I maintain the application and the shared folders on the same system, it works properly. If I maintain the application on one server and the file folder on the other server, I face a lot of security issues like:

1. Access Denied
2. Could not find the part of the path...

For this I made a common account for the application server and the file server and also set impersonation to true. Even then I got the "could not find the part of the path" error. I already gave Everyone full control of the shared folder, and I added the common account and gave it full control. Is there any alternative for saving and retrieving the files to and from the shared folder?

View 3 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved