I have to permit access only to authenticated users.
Could someone help me in find a simple way to do that.
I've already seen Protected Media Access plugin, but i can't find any docs about using it other then a post in blog htat it's not so clear about using the package, and also not sure that it can do what i need.
If you are having problems specifically with the Protected Media (package), then post your issue(s) in their Q&A forum - I'm pretty sure Dirk will help you out.
As for other approaches. How are your users being authenticated? via members/member-groups? If so, I'd say again, invest some time into getting Protected Media working for you. As that's probably the best approach for it.
If you are using something like LDAP or NT authentication, you'd need to configure IIS to restrict anonymous access to the media folder?
Another way to look at this is "how will a user guess the URL to the media item?" As the folder number is based on the cmsPropertyData database table ID and the filename is whatever you call it. They could probably guess a filename, but matching that up with the property ID ... hmmm, well you know what I'm getting at.
Alternatively, don't link directly to the media items - use a proxy script that will take a media nodeId, then get the binary file and push it to the user to download?
As a possible solution, if you don't want to try and get the protected media working:
Save all the media that you want to be protected in a separate folder (using what is described here: http://umbraco.org/documentation/videos/for-developers/events/friendly-media-item-paths) to save a media file where you want it. (You could create a different media type or just add a true/false to the current media types to say whether it is protected in order to distinguish between normal media and protected media).
Oh, you may need to enable a wildcard mapping for ASP.NET in order for it to be picked up in the web.config though. So, rather than just .aspx documents getting handled by asp.net, you need to set it so that everything does and then you can handle the authorization in your web.config.
as i said before in the thread, ( i hope i don't misunderstood what you said, wildcard mapping is what you said about working with iis6 "... In IIS6 you can specify that the PDF extension will be handled by Asp.net. ...") , it will be a pain to do that in my case, it's not just a matter of pdf files.
I've just released a
media protect package, which allows you to protect media in the same
simple way as you protect content in Umbraco. No additional
configuration needed. Just install the package and it works.
disable anonymous access to media section
Hello and thanks in advice
how can i disable anonymous access to media folders and files for unauthenticated users?
By default if a user directly write http://domain/media/1234/filed.pdf now he can access the file.
I have to permit access only to authenticated users.
Could someone help me in find a simple way to do that.
I've already seen Protected Media Access plugin, but i can't find any docs about using it other then a post in blog htat it's not so clear about using the package, and also not sure that it can do what i need.
Fabio
If you are using IIS7 you could create a HttpHandler as described in this article.
Cheers,
Richard
Thanks Richard for your answer
we have to manage iis6 and iis7 ,
also i forgot to mention that we're using umbraco 4.0.4.2
Fabio
Hi Fabio,
If you are having problems specifically with the Protected Media (package), then post your issue(s) in their Q&A forum - I'm pretty sure Dirk will help you out.
As for other approaches. How are your users being authenticated? via members/member-groups? If so, I'd say again, invest some time into getting Protected Media working for you. As that's probably the best approach for it.
If you are using something like LDAP or NT authentication, you'd need to configure IIS to restrict anonymous access to the media folder?
Another way to look at this is "how will a user guess the URL to the media item?" As the folder number is based on the cmsPropertyData database table ID and the filename is whatever you call it. They could probably guess a filename, but matching that up with the property ID ... hmmm, well you know what I'm getting at.
Alternatively, don't link directly to the media items - use a proxy script that will take a media nodeId, then get the binary file and push it to the user to download?
There are many ways to tackle this. :-)
Cheers, Lee.
In IIS6 you have to make sure that the pdf extension is handled bij asp.net as described in this article
Cheers,
Richard
Hi Lee
thanks for your help.
I'll try to ping dirk for some info.
Thanks richard
Your approach is an option, but i'lll think will be a pain to manage file extensions, it's not just about pdf.
i'm searching a solution based on a folder protection approach, possibly not using iis directly.
Fabio
can it be done using an httphandler with path set to "media" and verb to set to GET ?
like a download counter
Fabio
In iis7 you can, in iis6 you can't because the request to the file will not go through the handler.
Cheers,
Richard
in iis6 can i set up an isapi extension to do the same job as httphendler do in iis7 ?
Fabio
No it's more easy. In IIS6 you can specify that the PDF extension will be handled by Asp.net. Then you can use an HttpHandler to handle the request.
I manage about 13 different formats under media.
So i'm searching a "controller" base on the path and not on extensions
obviulsy something like ...media/*.* is welcome.
Fabio
Maybe could be trivial,
but, what if a change, sadly via iis, the permission on the folder media at all?
I just need to prevent download items from anonymous users so on media folder i removed anonyous access in iis7
and in iis6 adding a verb to deny access to anonymous.
Could it work?
Fabio
Does someone seee any issue in the solution proposed in the above post ?
i found and issue removing anonymous access on media folder.
With anonymous access removed no more item in media folder is accessible.
So.. still in search for an idea/solution advice, etc,etc..
Fabio
Have a look at this package http://our.umbraco.org/projects/developer-tools/protected-media
Hi Masood
do you have any experience with protected media.?
Are you using it?
I've searched for some docs about installing, but no luck until now.
Fabio
As a possible solution, if you don't want to try and get the protected media working:
Save all the media that you want to be protected in a separate folder (using what is described here: http://umbraco.org/documentation/videos/for-developers/events/friendly-media-item-paths) to save a media file where you want it. (You could create a different media type or just add a true/false to the current media types to say whether it is protected in order to distinguish between normal media and protected media).
Then, you can use an httphandler for your pdfs and put an authorization in your config file for that new folder (as described here: http://www.chadscharf.com/index.php/2008/04/protecting-pdf-files-in-iis-6-using-forms-authentication/)
For example, if you use the folder 'protectedMedia':
<location path=”protectedMedia”><web.config><authorization><deny users=”?” /></authorization></web.config></location>
HI seth in one of the previous post i explained that in my scenario managing access by file extension is not so smooth.
So i'm searching for a folder based solution.
I don't need to manage complex permission just disable anonymous access.
looking web.config form authentication, it is set up to manage "/" as the root path.
so i should be able to set location rules like
<location path="media">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="umbraco">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
but it's not working.
Could someone tell me why.
Fabio
finally i made protect media almost working.
But the question still remain, is there any simple way to disable anonymous access on the media folder?
Fabio
Using the location in my web.config works for me:
<location path="media">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Make sure that it is not nested inside some other section but that it's direct parent is <configuration>
Oh, you may need to enable a wildcard mapping for ASP.NET in order for it to be picked up in the web.config though. So, rather than just .aspx documents getting handled by asp.net, you need to set it so that everything does and then you can handle the authorization in your web.config.
thanks Seth
but in my web.config i have this
<location path="media">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
they are not nested with anything else, i'v written those just before the </configuration>
froms auth setted up as follow
<authentication mode="Forms">
<forms name="yourAuthCookie" loginUrl="login.aspx" protection="All" path="/" />
</authentication>
<authorization>
<allow users="?" />
</authorization>
I'm sorry to wast your time , but what do you mean with "Oh, you may need to enable a wildcard mapping for ASP.NET......"
Fabio
Hi Fabio,
The wildcard mapping for ASP.NET. is the thin I've suggested you a few times on the first page of this thread
Cheers,
Richard
Thanks Richard for your patience,
as i said before in the thread, ( i hope i don't misunderstood what you said, wildcard mapping is what you said about working with iis6 "... In IIS6 you can specify that the PDF extension will be handled by Asp.net. ...") , it will be a pain to do that in my case, it's not just a matter of pdf files.
Fabio
hi to all do you thikn that my issue could have something to do with the iis7 conf in web.config ?
Also i'm running with umbraco 4.0.4.2
PS: iis6 will be used on another installation.
<!-- IIS 7 Integrated Mode Configuration -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<!-- Asp.net 3.5 Modules-->
<remove name="ScriptModule" />
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<!-- UMBRACO modules-->
<add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter" />
<add name="umbracoRequestModule" type="umbraco.presentation.requestModule" />
<add name="viewstateMoverModule" type="umbraco.presentation.viewstateMoverModule" />
<add name="umbracoBaseRequestModule" type="umbraco.presentation.umbracobase.requestModule" />
<remove name="ScriptModule" />
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<!--Designit-->
<add name="BounceHandling" type="Designit.Umb.Newsletter.Bll.BounceHandling" />
<add name="PerRequestLifestyle" type="Castle.MicroKernel.Lifestyle.PerWebRequestLifestyleModule, Castle.MicroKernel" />
</modules>
<handlers accessPolicy="Read, Write, Script, Execute">
<remove name="WebServiceHandlerFactory-Integrated" />
<remove name="ScriptHandlerFactory" />
<remove name="ScriptHandlerFactoryAppServices" />
<remove name="ScriptResource" />
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<remove name="Channels" />
<remove name="Channels_Word" />
<add verb="*" name="Channels" preCondition="integratedMode" path="umbraco/channels.aspx" type="umbraco.presentation.channels.api, umbraco" />
<add verb="*" name="Channels_Word" preCondition="integratedMode" path="umbraco/channels/word.aspx" type="umbraco.presentation.channels.wordApi, umbraco" />
</handlers>
</system.webServer>
Fabio
For wildcard mapping in IIS 6:
http://professionalaspnet.com/archive/2007/07/27/Configure-IIS-for-Wildcard-Extensions-in-ASP.NET.aspx
In IIS 7:
http://learn.iis.net/page.aspx/508/wildcard-script-mapping-and-iis-7-integrated-pipeline/
The most common reason people use wildcard mapping is to have seo friendly url such as:
http://domain.com/example
instead of
http://domain.com/example.aspx
but if you want: http://domain.com/media
to be picked up by ASP.NET (and its logic to make someone log in), you will need to tell IIS to use ASP.NET for all files.
thanks for the advice seth
tonight i will try
Fabio.
hi Seth
it's working as expected.
Also say sorry to RIchard, i didn't understand what you said.
Fabio
Just a post for everyone who is interested.
I've just released a media protect package, which allows you to protect media in the same simple way as you protect content in Umbraco. No additional configuration needed. Just install the package and it works.
Check out the projects page for more info and a fully functional trial download.
Cheers,
Richard
is working on a reply...