.NET Forum / ASP.NET / Web Services / December 2004

Securing files stored in virtual directory

Sumaira Ahmad - 01 Dec 2004 08:01 GMT
Hi,

I have a big problem here and would really appreciate it if someone would
shed some light on it.
My ASP.NET application stores files in the virtual directory of the
Web Server. These files are sent as DIME attachments in SOAP Messages
and stored on the server. Now I realized that these files can be simply
viewed in the browser. Is there any way of securing these files because
they contain information not for public use, only for authenticated,
authorized use.. Can we define some policies on the server for that..

Please let me know,
Thanks,
Sumaira Ahmad
Softwaremaker - 01 Dec 2004 11:39 GMT
> Hi,
>
> I am a big problem here and would really appreciate if someone would
> shed some light on it.
> My ASP.NET application stores files in the virtual directory of the
> Web Server. These files are sent as DIME attachments in SOAP Messages

[Softwaremaker] DIME Attachments are NOT inside SOAP Messages but outside of
it. That's why they are called attachments ;-)

> and stored on server. Now I realized that these files can be simple
> viewed on the browser. Is there anyway of securing these files because
> they contain information not for public use, only for authenticated
> authorized use.. Can we define some policies on the server for that..

[Softwaremaker] Because they are outside the context of the SOAP Messages,
you have to use your own methods to secure them.

> Please let me know,
> Thanks,
> Sumaira Ahmad
Sumaira Ahmad - 01 Dec 2004 16:42 GMT
Thanks for your reply..But can you tell me that if I have files stored
in the virtual directory of my Web Server is there any way of securing
those files so that they cannot be viewed from the browser.. For
instance if I am storing Job Applicants' resumes on the Web Server in
its virtual directory I do not want anybody else to view it except
the Employer who has posted the job.
But if I just give the entire path in the browser I am able to view
those files which I basically want to secure..Any idea??
Please let me know..
Thanks,
Sumaira
Softwaremaker - 01 Dec 2004 20:32 GMT
It seems that we are talking about and referring to things that are worlds
apart ;-)

What you just described has nothing to do with Web Services at all. What you
are referring to are just web server and network security settings.

Thank you.

Regards,
Softwaremaker
http://www.softwaremaker.net/blog

=========================================
Martin Kulov - 01 Dec 2004 21:13 GMT
Hi Sumaira,

You can place all resumes in one directory on the server and protect it using Basic Authentication. This way the files will not be accessible by URL. In the web service you can check who has access to which files and take an appropriate action.

Regards,

Martin Kulov
www.codeattest.com
Dan Rogers - 02 Dec 2004 01:12 GMT
Another thing you could do is to make the web service and the web server
run under different identities, and then protect the directory using simple
file security settings at the directory level.

Hope this helps

Dan Rogers
Microsoft Corporation
Martin Kulov - 01 Dec 2004 12:37 GMT
Hi Sumaira,

MTOM will address this problem. Recently it has entered proposed recommendation state [1]. However it is not supported in the current release of WSE. You can either wait for it or implement your own way of securing the attachments.

[1] http://www.gazitt.com/OhmBlog/permalink.aspx/d2f5a87b-c31e-48fd-8f92-5db8317b7445

Best,
Martin Kulov
www.codeattest.com
Sumaira Ahmad - 02 Dec 2004 18:06 GMT
Hi, thank you so much for all your responses.. I am really very new to
.NET and to WSE and it is taking me time to understand how to
understand your replies.:-)..

Let me explain my scenario a little bit more..
I was implementing WS Secure Conversation in an ASP.NET Application.
I have anonymous access to the Web Service and in each method I check
to see if the user has a valid security context token, and if yes he
is allowed access to the web service.
As a part of my project, I am storing Resumes of job applicants in the
virtual directory of the web service running on IIS. Within the
application I am checking that if the Employer is authenticated and is
authorized then he will be shown links to all the resumes such as
http://localhost/Service/resume1.pdf.
Later I realized that this link can be viewed directly from the
browser too and that disturbed me..(little that I know of web services
and WSE and ASP.NET).. All my users are authenticated against ADAM and
authentication is checked in the CustomUsernameTokenManager..

Now can someone please tell me how I can avoid this issue. If I try and resolve
it the way told, I fear it may disrupt my application.. or maybe
not..I am not sure..
Please tell me how to go about it..I sincerely request help, and a
little detailed response to a newbie will be highly appreciated.
I appreciate the time that you'll have already put in it and hope for
some more to resolve this issue..which maybe really very minor and
stupid for you'll..

Thanks,

Sumaira Ahmad
Dan Rogers - 02 Dec 2004 21:36 GMT
Hi Sumaira,

Rather than save them as files, you may want to save them as BLOBs in a
database, key them, and then retrieve a list of keys based on the
Employer's request.  Then create a new web method, perhaps called something
like "Fetch", and have that look up the key passed, pull back the BLOB and
attach that BLOB to the response using DIME/SOAP attachments.

This would solve the HTTP access issue nicely and eliminate the inevitable
day when your web server falls over because its disk is full.

I hope this helps

Dan Rogers
Microsoft Corporation
Sumaira Ahmad - 03 Dec 2004 02:47 GMT
Thank you so much for your detailed response.. But I have a few
questions here:

Can I attach more than one resume in the same response
message?? Associated with the key can be multiple resumes..
Also how will I link it to a hyperlink that I was initially using on
the client and setting it to the path of the resume such as
http://localhost/service1/xyz.doc
I set the hyperlink to map to a database column that contained the
resume path as shown above?? Now how can I view it on the client if I
use this method?? So do I have to temporarily store it somewhere in a
folder on the client and then view it??

Please let me know the answers to these..If these are resolved I will go
ahead and make changes..
Thank you so much for your time and energy...
Regards,
Sumaira
Dan Rogers - 03 Dec 2004 03:48 GMT
Hi Sumaira,

I think that if you use SOAP with attachments, then yes, you can have
multiple attachments.  Once you are returning the data as an attachment,
you no longer need to worry about the path names - since there would not be
any path names associated with the initial upload, which would copy the
local file (original) to an attachment, and the web service would receive
the attachment, save it to a database row, generate the unique key,
associate this key with the right metadata (your choice) and then return
the key as the response from the save step.

Then the request to retrieve the file would pass one or more keys, and
create an attachment in the response message for each key that the
caller is authorized to get and that still exists in the database.

Does this help?

Dan
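Dan's "Fetch" design above, written out as an added C# sketch for an ASMX service with WSE 2.0 (this is not code from the thread or from Microsoft). It assumes a Resumes table keyed by a GUID with an EmployerId owner column, and a placeholder CallerEmployer() that reads the caller's identity from the WSE request context established by the poster's CustomUsernameTokenManager; the ownership test lives in the SQL WHERE clause, so a key that is missing or belongs to another employer simply yields no attachment.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Dime;

public class ResumeService : WebService
{
    // Assumed table: Resumes(ResumeId uniqueidentifier, EmployerId nvarchar, ContentType nvarchar, Content image)
    private const string ConnStr = "server=(local);database=Jobs;Integrated Security=SSPI";

    // One DIME attachment per key; returns the keys actually attached. A key that is
    // missing or owned by another employer is skipped, so nothing about it leaks.
    [WebMethod]
    public string[] Fetch(Guid[] keys)
    {
        string employer = CallerEmployer();
        ArrayList attached = new ArrayList();
        using (SqlConnection cn = new SqlConnection(ConnStr))
        {
            cn.Open();
            foreach (Guid key in keys)
            {
                // Ownership check is part of the query; no file path or URL is ever exposed.
                SqlCommand cmd = new SqlCommand(
                    "SELECT ContentType, Content FROM Resumes WHERE ResumeId = @id AND EmployerId = @emp", cn);
                cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = key;
                cmd.Parameters.Add("@emp", SqlDbType.NVarChar, 256).Value = employer;
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (!r.Read()) continue;
                    DimeAttachment att = new DimeAttachment((string)r["ContentType"],
                        TypeFormat.MediaType, new MemoryStream((byte[])r["Content"]));
                    att.Id = "uri:resume:" + key.ToString("N");  // lets the client pair key and attachment
                    ResponseSoapContext.Current.Attachments.Add(att);
                    attached.Add(key.ToString());
                }
            }
        }
        return (string[])attached.ToArray(typeof(string));
    }

    // Placeholder (assumption): the employer identity that the poster's token check established.
    private string CallerEmployer()
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null || ctx.IdentityToken == null) throw new SoapException("Not authenticated", SoapException.ClientFaultCode);
        return ctx.IdentityToken.Principal.Identity.Name;
    }
}
```

The client no longer holds a URL at all: it keeps the keys returned at upload time, calls Fetch with them, and reads each resume from the response's attachment collection, which is what answers the "do I have to store it in a folder on the client" question.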
Sumaira Ahmad - 03 Dec 2004 16:43 GMT
Perfect Dan.. Thank you so much for your time..I will be implementing
this..and hopefully with your explanation I should not run into
problems..
Thanks a lot,
Sumaira
©2008 Advenet LLC   Privacy Policy - Terms of Use