ASP.NET serving static files

3

I have an application in MVC3 (ASP.NET 4.0, .NET 4.0), running on IIS 8 (but also running on IIS 7 and IIS 7.5).

Inside the application I have a folder called /dados, for example localhost/minhaapp/dados.

My clients save HTML files inside this folder, and these HTML files are accessed by the system built in MVC3.

But users are accessing the files directly through the browser URL, for example localhost/minhaapp/dados/relatorio1.html, instead of accessing them via an internal system option made in MVC3.

  • How can I block access via the GET method to the HTML files in the folder /dados?

But I want the system built in MVC3 to be able to access these files via the POST method. This is not the safest method, and there must be many other possibilities, but if that can be done, it would be fine.

I tried various approaches (rewrite, modules, URL mapping, MVC controller, etc.), but none of these captures the browser request for static files. I know that static files are served directly by IIS.

  • But is there some way ASP.NET can intercept static file requests?

  • If it is not possible via ASP.NET, is there some configuration that works in IIS 8, 7.5 or 7?

I cannot change to another folder or save the files in another way; that is, due to internal issues (internal policies, it already being this way and very widespread and used by multiple clients), the form and location in which the files are saved CANNOT BE CHANGED.

  • A tip that might help: save the file under an encrypted name (e.g., from ".html file" to "123asd.html"). Then, when the user tries to force access, they would not be able to, since the file would not be found under the real name.

  • I also thought about it, but the file is saved via Excel by the user, so I would have to create a service to monitor the directory, and keep renaming. I hope there’s another way, or else I’ll have to do it.

3 answers

3

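You inform IIS that every request must go through it. IIS does not apply permission on static files.

In your Web.config, put the following code:

<configuration>
    <!-- ... -->
    <system.webServer>
        <!-- Run managed (ASP.NET) modules for every request, static files included.
             system.webServer/modules applies to the Integrated pipeline mode. -->
        <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
    <!-- ... -->
</configuration>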
  • Yes, I tried that, but requests for static files still do not reach the app. I tried with global.asax and by creating a module; in neither of them did the request reach BeginRequest. Note: IIS needs to use a pool in Classic mode. Is there some other way to do it?

2

I managed to make it work: I set runAllManagedModulesForAllRequests="true", changed the application pool to Integrated mode, and put the BeginRequest method in global.asax. I restarted the application, and now it is capturing all the requests.
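
What the setup described in this answer could look like in Global.asax.cs, as an added example that is not the answerer's own code. The `~/dados` folder comes from the question; the `IsBlocked` helper and the choice of a 404 response are assumptions, and the method would normally be added to the application's existing `MvcApplication` class.

```csharp
// Global.asax.cs - added example, not code from the original answer.
// Requires Integrated pipeline mode and runAllManagedModulesForAllRequests="true",
// otherwise requests for .html files never reach Application_BeginRequest.
using System;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Folder from the question, in app-relative form (assumption: it sits at the app root).
    private const string ProtectedFolder = "~/dados";

    // Pure decision function (hypothetical helper) so the rule can be unit tested without IIS.
    internal static bool IsBlocked(string appRelativePath, string httpMethod)
    {
        if (string.IsNullOrEmpty(appRelativePath))
            return false;

        // IIS paths are case-insensitive, so /Dados/ and /DADOS/ must match too.
        bool underFolder =
            string.Equals(appRelativePath, ProtectedFolder, StringComparison.OrdinalIgnoreCase) ||
            appRelativePath.StartsWith(ProtectedFolder + "/", StringComparison.OrdinalIgnoreCase);
        if (!underFolder)
            return false;

        // Everything except POST is refused: GET, HEAD and any other verb.
        return !string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // AppRelativeCurrentExecutionFilePath is already app-relative
        // ("~/dados/relatorio1.html"), so the check works both at the site root
        // and when the app is published under /minhaapp.
        if (IsBlocked(request.AppRelativeCurrentExecutionFilePath, request.HttpMethod))
        {
            Context.Response.StatusCode = 404;
            Context.Response.SuppressContent = true;
            // Jump straight to EndRequest so the static file handler never runs.
            CompleteRequest();
        }
    }
}
```

Any client can issue a POST, so this check stops address-bar navigation to the reports rather than acting as an authorization control.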

1

As I have answered here, this is the incorrect way to make static files available in your application.

Block access via GET method of HTML files from the /dados folder?

Yes, by creating an Index method in your Controller to prevent access to the root, or else an empty index.html file.

But there is some way Asp.net can intercept (sic) requests for static files (sic)?

There is. You just need to make a method in your Controller return a FileResult.

Additionally, it is good to set a route that always redirects to Index, in case your user tries to access the file directly:

App_Start/RouteConfig.cs

routes.MapRoute(
    name: "Dados",
    url: "dados/{id}",
    defaults: new { controller = "Dados", action = "Index", id = UrlParameter.Optional }
);
  • Yes, I understand that it is not the right way, but this is not in my control unfortunately, and what you suggested does not address the problem in the current situation, unfortunately. Is there no way ASP.NET/MVC3 can intercept requests for static files?

  • 1

    @Juniorc-Sharp-Asp.Net Yes, it does solve it. FileResult returns any file in any directory that can be mapped by the server. Anything other than this is improperly exposing the directory topology of your application.

  • Um, I think I get what you’re saying. I did as you suggested, but it still allows you to access the files in localhost/Data/Report1.html. I cannot change the current situation, where certain users save static files (HTML) in the system data folder, which "should" be accessed internally by the system, and not manually by the user.

  • 1

    @Juniorc-Sharp-Asp.Net In this case you still need to configure a special route to always redirect the request to the Index method of your Controller. I’ll improve the answer.

  • This all works as you commented; I created a new MVC3 application to do the tests. But it stops working when the "Data" directory is created. If you only have the Data controller, it is OK, but after the directory is created it again allows access to the file, and the special route no longer works. Have you tested these situations?

  • @Juniorc-Sharp-Asp.Net Yes, indeed there was an error. Look now.

  • I tested your correction but the behavior remains the same. Any other suggestions? I was reading the Asp.net pipeline/Cycle, and I couldn’t find a way to do it.
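
The FileResult-plus-route approach from the answer above, as an added example that is not part of the original answer or its comments. ASP.NET routing skips URLs that match a physical file or directory unless `RouteCollection.RouteExistingFiles` is set to `true`, which is the behaviour the comments run into once the folder exists on disk. The controller and action names come from the answer; `DadosRoutes`, the `Content`/`Scripts` folder names and the 404 responses are assumptions, and the route only sees `.html` requests when the pool is in Integrated mode with `runAllManagedModulesForAllRequests="true"`.

```csharp
// Added example; DadosRoutes is a hypothetical helper, "Dados"/"Index" come from the answer.
using System;
using System.IO;
using System.Web.Mvc;
using System.Web.Routing;

public static class DadosRoutes
{
    // Call this before the default "{controller}/{action}/{id}" route is mapped.
    public static void Register(RouteCollection routes)
    {
        // Default is false: routing ignores any URL that matches a physical file or
        // directory, so ~/dados/relatorio1.html never reaches the "Dados" route.
        routes.RouteExistingFiles = true;

        // With the flag on, other real folders would fall into the default route;
        // exclude them explicitly (assumed default MVC folder names).
        routes.IgnoreRoute("Content/{*path}");
        routes.IgnoreRoute("Scripts/{*path}");

        routes.MapRoute("Dados", "dados/{id}",
            new { controller = "Dados", action = "Index", id = UrlParameter.Optional });
    }
}

public class DadosController : Controller
{
    public ActionResult Index(string id)
    {
        // Address-bar navigation is a GET: answer as if the file did not exist.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();

        // {id} is a single URL segment; still reject separators and non-.html names
        // so the action can only ever return reports from ~/dados itself.
        if (string.IsNullOrEmpty(id)
            || id.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !id.EndsWith(".html", StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();

        string fullPath = Path.Combine(Server.MapPath("~/dados"), id);
        if (!System.IO.File.Exists(fullPath))
            return HttpNotFound();

        return File(fullPath, "text/html");   // FileResult, as the answer suggests
    }
}
```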
