Sunday, September 14, 2008

Document Security Over IIS Using Form Authentication

We all rely on asp.net authorization technique to protect our forms from anonymous access. But what about documents like pdf, images or other type of documents? By default, if anybody type the direct URL of a document in the browser’s address bar then IIS6 permit them to see the physical document without checking the authentication permission. Its a big threat for secured web-site. To solve the issue, we have to configure IIS such a way so that aspnet_isapi.dll take the control to show the document while request will come. Here is what it can be done:

1. Right click on the virtual directory which need to be secured and select property. From the opened dialogue box select Virtual Directory tab and click on configuration button. Now add a new configuration with the following settings

Executable: aspnet_isapi.dll location

Extension: document extension (like .pdf)

Verbs: GET

clip_image001

2. Add Location path to web.config file

<location path="temp-pdf">

    <system.web>

      <authorization>

        <deny users="?" />

      </authorization>

    </system.web>

  </location>

That’s it. You are done. Now if you want that the document will be handle by custom code for extra security then you can add a entry in the http handler in the following way:

1. Add a entry to httphandlers section to handle the file type for extra security in web.config file

 

<httpHandlers>

      <add verb="*" path="*.pdf" type="PdfHandler" validate="false"/>

</httpHandlers>

2. And create a custom class to App_Code following way:

Public Class PdfHandler

    Implements IHttpHandler

 

    Public Sub New()

    End Sub

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest

        Dim path As String = context.Request.PhysicalPath

        Dim name As String = path.Split("\"c)(path.Split("\"c).Length - 1)

        If Not String.IsNullOrEmpty(path) AndAlso path.ToLower().EndsWith(".pdf") Then

            context.Response.ClearHeaders()

            context.Response.ClearContent()

            context.Response.Clear()

 

            context.Response.Charset = Nothing

            context.Response.ContentType = "application/pdf"

            context.Response.AddHeader("Content-Type", "application/pdf")

            context.Response.AppendHeader("Content-Disposition", String.Format("inline;filename={0}", name))

            context.Response.WriteFile(path)

        Else

            Throw New FileNotFoundException("The page requested is invalid", path)

        End If

    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable

        Get

            Return False

        End Get

    End Property

End Class

 

Note: You can replace the above code with your custom requirements.

Happy Programming!

Advantage and Disadvantage of Using XML and XSLT

After getting request from few of my blog readers, I am here to describe some major advantages and disadvantages of using XML and XSLT:

Advantages:

1. XSLT applies user defined transformations to an XML document and the output can be HTML, XML, or any other structured document. So it is easy to merge XML data into presentation.

2. XPath used by XSLT to locate elements/attribute within an XML document. So it is more convenient way to traverse an XML document rather than a traditional way, by using scripting language.

3. Being template based, XSLT is more resilient to changes in documents than low level DOM and SAX.

4. By separating data (XML document) from the presentation (XSLT), it is very easy to change the output format in any time easily without touching the code-behind.

5. Using XML and XSLT, the application UI script will look clean and will be easier to maintain

6. XSLT templates are based on XPath pattern which is very powerful in terms of performance to process the XML document

7. XSLT can be used as a validation language as it uses tree-pattern-matching approach.

8. XML is platform independent.

9. XML has column flexibility, so it can be update easily rather than a traditional table-row-column approach

10. XML Supports Unicode

11. XML has self-documenting capability

Disadvantages:

1. It is difficult to implement complicate business rules in XSLT

2. Changing variable value in looping, is difficult in XSLT

3. Using XSLT have performance penalty in some cases as its engine don’t optimize code by using caching technique like traditional compiler.

4. XML encourage non-relational data structure(de-normalized)

 

Happy Programming!