asp.net MVC secure root folder only for authorized users
I am having this small extranet service where users can log in, get all sorts of info and download few files.
Is it possible to secure root folder in MVC asp.net project? I am having a project where users have to log in before using any material. How ever if I use for example "/material" folder for every pdf, jpg, etc. files, other unauthorized users can see those files also.
For example everybody can see this file if they type www.example.com/material/pdf-file.pdf So I want only authorized / logged users to see this file. Is this possible?
It's possible to do that, but there are a lot ways to accomplish that.
A simplified scenario could be:
- Disable directory listing on IIS
- Create a custom "download wrapper" controller+action for the purpose of serving of those files.
- Then wherever you create Action links, generate them using a
HtmlHelperwhich would redirect the client to the "wrapper" controllers action. You can pass the filename in a parameter. - On the "wrapper" controller you could utize the
[Authorize]attribute or better yet, without using such attributes everywhere you could use FluentSecurity for handling the authorization.
After you create the "wrapper" controller your URL for getting a file could look like:
www.example.com/download/file/pdf-file.pdf
This example URL assumes controller name is 'download' and action name is 'file'.