An
alternate approach could be saving media files in database, applying
permissions to these files for related user/member groups, and on
download checking if user has access to this download!
Yes, solution is currently available but no installer package yet (as media types cannot be included in a package), and no installation documentation yet... but you may contact me (dirk at netaddicts dot be) and as I have a demo site available as well as install info.
I've not looked at Dirk's solution, and it may work in the same way, but an option is not to link to the image file directly, but to link to a download page and pass the ID of the image in the querystring, assuming it's in the media section. The download page woudl check the users authentication and authorisation settings and then pass the file on, or not, as appropriate.
I've done this, as a proof of concept, to stop the browser from displaying images that have been linked to and instead to prompt the user to save the image, by changing the http headers, to protect the image from unaithorised download, and also log which images are downloaded and by whom.
You can find a thread about this at stackoverflow that's also referenced from another topic here about downloading images
you are right about the image being able to be downloaded directly, but only if the following conditions are met:
The user has to know the name of the file he wants to donwload and this isn't shown unless it's already downloaded
He has a note of the ID of the item
He knows that the site is running Umbraco and how to reconstruct the URL to the image
The name of the file isn't shown unless you successfully download it in which case you have already logged in and have access to the file. The path to the image is never shown, but it does have the weakness that it's security by obfuscation, which obviously isn't suitable for every case, but quick and easy to setup where the maximum security isn't required, otherwise I would keep the items in a directory outside the root of the website itself.
Finally you can just let IIS stop serving files from the /media folders if you're streaming it via a proxy page. That way the anonymous user won't have read access to /media but the application pool user will (ie. asp.net reading and streaming the file).
I've just released a
media protect package, which allows you to protect media in the same
simple way as you protect content in Umbraco. No additional
configuration needed. Just install the package and it works.
I have installed the trail version media protect in my local umbraco set up. it is working fine to me. But in other site i have installed media protect and also added the .lic file. when i gave public access to media file , i have given login page , but it is not working to me. It is showing file instead of showing login page. can please help me why it is not applied.
Make sure the site is running in integrated mode and the HTTPModule is configured in the web.config. Check the trouble shooting are of the user manual. Then all should be fine.
I have checked everything but still it is not applied. while install i haven't got the default member group and types. this is there any problem with installation
Protected Media
Is there any solution available for protecting media files from unauthorized downloading?
I know Dirk is wokring on a project http://our.umbraco.org/projects/protected-media but is there any solution currently available?
An alternate approach could be saving media files in database, applying permissions to these files for related user/member groups, and on download checking if user has access to this download!
Masood,
Yes, solution is currently available but no installer package yet (as media types cannot be included in a package), and no installation documentation yet... but you may contact me (dirk at netaddicts dot be) and as I have a demo site available as well as install info.
Cheers,
/Dirk
Thanks Dirk,
Can you please send to me at GreatLogics at yahoo dot com
TA
Masood
Masood,
I've not looked at Dirk's solution, and it may work in the same way, but an option is not to link to the image file directly, but to link to a download page and pass the ID of the image in the querystring, assuming it's in the media section. The download page woudl check the users authentication and authorisation settings and then pass the file on, or not, as appropriate.
I've done this, as a proof of concept, to stop the browser from displaying images that have been linked to and instead to prompt the user to save the image, by changing the http headers, to protect the image from unaithorised download, and also log which images are downloaded and by whom.
You can find a thread about this at stackoverflow that's also referenced from another topic here about downloading images
http://stackoverflow.com/questions/336345/c-asp-net-3-5-content-disposition-file-download-problems
The original topic about downloading PDFs
http://our.umbraco.org/forum/developers/xslt/2900-File-download-dailog-when-pdfdoc-links-are-clicked-
HTH
Tom
Thanks Tom sounds like a good idea!
Masood, I've sent a mail with binaries and install instructions and link to demo site.
Cheers,
/Dirk
Quixltd !
As far as i can see with your suggestion, the media files are still in the Media folder and therefore not protected from direct download.
You can get to a file if you know it's URL like: http://www.name.com/media/2399/filename.jpg
Someone with acces to the file cane give someone without acces this URL, and they can get to the file without going through the download page.
This might or might not be a problem depending on the security needed for your solution.
Dirks solution solves that problem !!
Mikael
Mikael,
you are right about the image being able to be downloaded directly, but only if the following conditions are met:
The name of the file isn't shown unless you successfully download it in which case you have already logged in and have access to the file. The path to the image is never shown, but it does have the weakness that it's security by obfuscation, which obviously isn't suitable for every case, but quick and easy to setup where the maximum security isn't required, otherwise I would keep the items in a directory outside the root of the website itself.
Cheers
Tom
Finally you can just let IIS stop serving files from the /media folders if you're streaming it via a proxy page. That way the anonymous user won't have read access to /media but the application pool user will (ie. asp.net reading and streaming the file).
Just a post for everyone who is interested.
I've just released a media protect package, which allows you to protect media in the same simple way as you protect content in Umbraco. No additional configuration needed. Just install the package and it works.
Check out the projects page for more info and a fully functional trial download.
Cheers,
Richard
hi
I have installed the trail version media protect in my local umbraco set up. it is working fine to me. But in other site i have installed media protect and also added the .lic file. when i gave public access to media file , i have given login page , but it is not working to me. It is showing file instead of showing login page. can please help me why it is not applied.
Hi,
Make sure the site is running in integrated mode and the HTTPModule is configured in the web.config. Check the trouble shooting are of the user manual. Then all should be fine.
Best,
Richard
Hi,
I have checked everything but still it is not applied. while install i haven't got the default member group and types. this is there any problem with installation
What version of IIS are you running?
IIS 7 version
Can you check the response of the following url on that box, should say "true" in any other case the HTTPModule is not configured correctly
/umbraco/plugins/mediaprotect/mediaprotect.txt
the textfile contains the data as "This is a markerfile don't delete". should I need to change the text
No this indicates that your HTTPModule is not running.
My assumption is that you are running IIS7 in classic mode, or that the HTTPModule is not configured.
double check chapter 6 and 7
http://soetemansoftware.nl/media/9542/mediaprotect-manual.pdf
Best,
Richard
My Http module is missing this lines
add name="MediaProtectModule" type="MediaProtect.HttpModules.MediaProtectModule, MediaProtect" />
should I place this and my umbraco application pool is not in classic it has just the application name.
please suggest me.
I have change the httpmodule and also the Media.config file but still showing the file it is not protected. please suggest
Changing the media.config file doesn't change it. Can you send the web.config file to [email protected]? Then I will have a look.
Thanks,
Richard
Turned out the module was configured in the wrong section.
is working on a reply...