Easy File Protection in Umbraco

By Ricky Beard on Tuesday, September 29, 2009
6 Comments
 

File protection is a common requirement when building Umbraco applications (or any ASP.NET app for that matter). In fact Dirk De Grave is currently working on a project called Protected Media that could eventually provide this functionality in a package.

While building NCEExam.com, I used a different approach to solve this problem. While I am not sure this is the best way to accomplish file protection, it is very flexible and requires no configuration in IIS. If you have ever worked with DotNetNuke (first off, I'm sorry) you may recognize this.

First, simply add the file extension .resources to the end of any file you wish to protect. You can do this manually before uploading the file, or create a custom upload datatype to handle this for you. The .resources file extension is already mapped to the .NET runtime in IIS and, unlike .aspx, it is never served to the client.

Next, create a document type and add a generic property to it using the Upload datatype. You can leave the template empty. Now, use this document type to upload files anywhere in your content section.

You will need a user control to handle the file download. I have the following method in my user control to handle this:

private void ServeFile(string FileName)
{
    string strFileName = Server.MapPath(FileName);
    string strFileId = strFileName.ToString().Replace(".resources", "");
    string strFileExtension = Path.GetExtension(strFileId);

    FileInfo fInfo = new FileInfo(strFileName);
    Response.AddHeader("Content-Length", fInfo.Length.ToString());
    switch (strFileExtension)
    {
        case ".pdf":
            Response.ContentType = "application/pdf";
            break;
        case ".zip":
            Response.ContentType = "application/zip";
            break;
    }

    Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(strFileId));
    Response.Clear();
    Response.TransmitFile(strFileName);
    Response.Flush();
    Response.End();
}

Gather the file url from the generic property you created earlier and pass it to the ServeFile method (FileName). Next, strip off the .resources extension. Then, just set the content length and content type and transmit the file using Response.TransmitFile. You could easily extend the switch statement to handle any number of content types or even add a new generic property to your document type to store it.

Lastly, create a macro to serve this user control and slap it on the empty template you created earlier. Then, simply use the url of the document in the Content section (via Content Picker or manually) to serve the file. You could even add protection to the document for added security, but it is not required.

One drawback to this method is that every file you upload will have a document in the Content section. This is not a big deal, but something worth noting.

Comments

  1. Gravatar of Dirk De Grave By Dirk De Grave on Monday, October 05, 20091
     
    Another great approach to protecting files from unauthorized downloading. And a simple approach as well! Great work and thanks for sharing this as well!
  2. Gravatar of Petr Snobelt By Petr Snobelt on Tuesday, September 29, 20092
     
    You can protect any extension you want by adding
    <httpHandlers>
    <add verb="*" path="*.myextension" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  3. Gravatar of Ricky Beard By Ricky Beard on Tuesday, September 29, 20093
     
    Great idea Petr. However, I do not want to have to touch IIS and map the new extension to the .NET runtime. I just want it work "out of the box".
  4. Gravatar of Petr By Petr on Wednesday, September 30, 20094
     
    You do not need touch IIS, add it into web.config
  5. Gravatar of Ricky Beard By Ricky Beard on Wednesday, September 30, 20095
     
    I undestand that it goes in the web.config. However, you still have to confiigure IIS to forward any request for your new file extension to ASP.NET. If you don't, the request will never be processed by ASP.NET and the web.config will never come into play.

    See http://support.microsoft.com/kb/815152.
  6. Gravatar of Petr By Petr on Wednesday, September 30, 20096
     
    You are right, I remember that :-).
    On IIS6 I usually use .config extension, which is already maped...
 

Leave a Comment

Name  [Preferably your real name]
Email  [Not shown, for gravatar only]
Website  [Optional. Include http://]
Comment  [No markup allowed. 2000 characters max.]
 

Tags

 

Archive

 

About Me

I am a Founder and Managing Partner of Trio Technologies and Trio Merchant Services in Abilene, Texas. I have a beautiful wife and two incredible sons.

Popular

Blogroll

Bookmarks