Question
I'm developing a site that has a few files on it that I only want to be downloadable if the users have sufficient access on my terms.
Basically, I have a page that has a download link on it, but the download link will only be displayed and activated if the user has the correct roles and is associated with the correct properties in my database.
The problem I am facing is that I don't want users to be able to access the file directly, for example if they go to www.mysite.com/downloads/myfile.pdf - I don't want them to be able to get hold of the file although I do want to be able to allow them to download it once they have logged in and I have checked that they fulfil my custom rules and regulations.
I was going to do it like so, but I believe with the permissions deactivated I won't be able to do so.
System.IO.FileInfo file = new System.IO.FileInfo(path);
Response.Clear();
Response.AddHeader("Content-Disposition", "attachment; filename=" + file.Name);
Response.AddHeader("Content-Length", file.Length.ToString());
Response.ContentType = "application/octet-stream";
Response.WriteFile(file.FullName);
Response.End();
Is it possible to achieve my aims? Hopefully I've explained myself sufficiently.
Thanks
Answer 1:
I am sure you are on the correct path.
Here is a simple example:
Response.ContentType = "text/plain";
Response.AppendHeader("Content-Disposition", "attachment; filename=" + "file.txt");
Response.Write(file.ToString());
Response.End();
---- EDIT ---- There are other good samples:
http://www.dotnetscraps.com/dotnetscraps/post/4-ways-to-send-a-PDF-file-to-the-IE-Client-in-ASPNET-20.aspx
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
protected void Button1_Click(object sender, EventArgs e)
{
Response.ContentType = "application/pdf";
Response.Clear();
Response.TransmitFile("UML.pdf");
Response.End();
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
<title>Way 1</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Send PDF" /><br />
<br />
This page will refresh itself with a PDF file opened in the same instance of IE itself.
Users will not get prompted to Save/Open/Cancel the PDF file.</div>
</form>
</body>
</html>
Answer 2:
Yes--I've done the same thing in a large application by using an HTTP Module. See
- http://msdn.microsoft.com/en-us/magazine/cc301362.aspx
- http://www.codeproject.com/Articles/18887/Role-of-HTTP-Modules-in-NET-Security
It works by putting the download files into a separate directory (in your example, the "downloads" directory) that can be made to run as an application with its own web.config. Registering an HTTP module to run on that directory will cause all incoming requests to pass through some code module where you can check the appropriate permissions and prevent unauthorized access. The module serves as the gatekeeper mechanism that enforces your security even if they bypass your web application.
From a Microsoft article:
"Typical uses for HTTP modules include: Security. Because you can examine incoming requests, your HTTP module can perform custom authentication or other security checks before the requested page, XML Web service, or handler is called."
The nice thing about this approach is you have full control. You can redirect an unauthorized request to some web page to handle things gracefully and you can do custom logging of the attempt and do all sorts of other things. So this is a very flexible, customizable option.
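The gatekeeper module described in this answer could look like the following added example, which is not code from the answer or from the linked articles. The class name, the role name and the in-memory Grants table (a stand-in for the database check) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Added example (not the answerer's code). DownloadGateModule, RequiredRole
// and Grants are hypothetical names; Grants stands in for the database lookup.
public class DownloadGateModule : IHttpModule
{
    private const string RequiredRole = "Downloader";

    // Constructed sample data: user name -> files that user may download.
    private static readonly Dictionary<string, HashSet<string>> Grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "myfile.pdf" } }
        };

    public void Init(HttpApplication app)
    {
        // Fires after authentication and before any handler reads the file.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string fileName = VirtualPathUtility.GetFileName(ctx.Request.Path);

        if (IsAllowed(ctx.User, fileName))
            return; // let the pipeline continue and serve the file

        // Custom logging of the refused attempt, then end the request.
        Trace.TraceWarning("Download denied: user={0} path={1}",
            ctx.User == null ? "(anonymous)" : ctx.User.Identity.Name, ctx.Request.Path);
        ctx.Response.StatusCode = 403;
        app.CompleteRequest();
    }

    // Default deny: signed in, in the role, and granted this specific file.
    public static bool IsAllowed(IPrincipal user, string fileName)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (!user.IsInRole(RequiredRole)) return false;
        HashSet<string> files;
        return Grants.TryGetValue(user.Identity.Name, out files) && files.Contains(fileName);
    }

    public void Dispose() { }
}
```

Register the module in the web.config of the downloads directory. Under the IIS integrated pipeline the module entry must not carry the managedHandler precondition, or requests for static files such as .pdf will not reach it.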
Answer 3:
If you allow anonymous, the user is guest and ASP.NET runs under its own permissions. This page identifies the minimum permissions. So ASP.NET can access the file and serve it up. What I do is have a page that gets passed the file ID and returns the file. But I use
Response.TransmitFile(filePath);
Source: https://stackoverflow.com/questions/10604083/preventing-direct-access-but-allowing-file-downloads-from-within-a-page