I have a collection of Excel spreadsheets that I'd like to serve in my ASP.NET 5 webapp only to authorized users.
- Where should I store the files? I assume in wwwroot (e.g., wwwroot/files).
- If in wwwroot, how do I allow access only to authorized users? (I'd like to serve them up as a [Authorize] FileResult from the controller, but this still leaves the files open to direct access through a URL I believe.)
- How do I reference a location in wwwroot through my FileResult action in the controller?
Thanks much!
Yes, they should go in wwwroot
. Currently there is no built-in way to secure wwwroot
directories. But creating a middleware module to accomplish it is pretty straightforward. There is an easy to follow tutorial here.
If you're not familiar with developing middleware, I posted a GitHub project that shows how to create middleware in three easy steps. You can download the project here.
You don't need a controller to access static files.
in .net core create a dedicated directory www in same level as wwwroot, and use the following code:
public HomeController(IHostingEnvironment hostingEnvironment)
{
_hostingEnvironment = hostingEnvironment;
}
[Authorize(Roles = "SomeRole")]
public IActionResult Performance()
{
return PhysicalFile(Path.Combine(_hostingEnvironment.ContentRootPath,
"www", "MyStaticFile.pdf"), "application/pdf");
}
Based on the following answer (for .netCore): static file authorization
For authentication check while retrieving file:
app.UseStaticFiles(new StaticFileOptions()
{
OnPrepareResponse = (context) =>
{
if (!context.Context.User.Identity.IsAuthenticated && context.Context.Request.Path.StartsWithSegments("/excelfiles"))
{
throw new Exception("Not authenticated");
}
}
});
If you have a login form (Login.html), a simple solution is to redirect the user to the login page if user is not authenticated and he's requesting a protected resource (file under /protected folder). In Startup.cs, in Configure method insert this code:
app.Use(async (context, next) =>
{
if (!context.User.Identity.IsAuthenticated && context.Request.Path.StartsWithSegments("/protected"))
{
context.Response.Redirect("/Login.html");
return;
}
await next.Invoke();
});
This is a very simple example, but it can be changed to check for specific roles, and the code can be moved out of the Startup.cs for more flexibility.
app.Use(async (context, next) =>
{
if (!context.User.Identity.IsAuthenticated
&& context.Request.Path.StartsWithSegments("/excelfiles"))
{
throw new Exception("Not authenticated");
}
await next.Invoke();
});
来源:https://stackoverflow.com/questions/36775942/how-do-i-serve-static-files-only-to-authorized-users