I have a web site (IIS, C#.Net, MVC4) where users are (forms-)authenticated and they upload media files (mostly .mp4) and authorize set of users to play back on demand. I store these files on local storage.
I play these files using jwplayer back to the authorized users on demand.
jwplayer expects I pass the url directly for it to play, but I didn't want to expose a direct url.
I really have to restrict unauthorized access to these files as they are private files.
I tried implementing a controller method to handle https://mysite/Video/Watch?VideoId=xyz, and return FileStream of the actual file. It works on a browser directly. (Though not sure how efficient it is for large files.)
But the problem is, jwplayer looks for urls of pattern http(s)://domain/path/file.mp4[?parameter1=value1¶meter2=value2 and so on.]
When I give a url like https://mysite/Video/Watch?VideoId=xyz, it says 'No playable sources found' without even sending a HEAD request.
If I expose the urls directly, the files are available for anybody to download, which will break the privacy.
Worst case, I would at least want to avoid hot links which will live for ever.
I have also looked at www.jwplayer.com/blog/securing-your-content/ but did not find the solutions suitable.
My questions are,
Is there a way I can retain the pattern of the url http(s)://domain/path/file.mp4 and still control the access to the file?
If (1.) is not possible, how do I leverage the parameters that could be passed on the url. With the parameters, I can think of signed urls. What should I do on the server if I have to provide and handle/validate signed urls.
Just not to hinder the performance, after any validation, can I somehow get the iis to handle the filestream rather my code?
I implemented an HTTPModule to allow/block access to the file. This addresses my questions 1 & 3.
Code snippet below.
void context_PreRequestHandlerExecute(object sender, EventArgs e)
{
HttpApplication app = sender as HttpApplication;
//Get the file extension
string fileExt= Path.GetExtension(app.Request.Url.AbsolutePath);
//Check if the extension is mp4
bool requestForMP4 = fileExt.Equals(".mp4", StringComparison.InvariantCultureIgnoreCase);
//If the request is not for an mp4 file, we have nothing to do here
if (!requestForMP4)
return;
//Initially assume no access to media
bool allowAccessToMedia = false;
//....
// Logic to determine access
// If allowed set allowAccessToMedia = true
// otherwise, just return
//....
if(!allowAccessToMedia)
{
//Terminate the request with HTTP StatusCode 403.2 Forbidden: Read Access Forbidden
app.Response.StatusCode = (int)HttpStatusCode.Forbidden;
app.Response.SubStatusCode = 2;
app.CompleteRequest();
}
}
Related
I am trying to confirm that a folder has been uploaded to my Website folder so that it can be accessed by a Desktop application. I keep getting an error that states that there is a URI format error on the connection string. There is no shortage of 'solutions' on the general internet but I cannot get anything to work, even ones on this site (of which I am a member for many years). Forward slashes, back slashes, no slashes ... on and on. I am thoroughly confused. The following seems to be a simple and correct code, but it does not work either even though it is a direct copy of a solution that was offered as correct! The passed string 's' is the name of the folder I am trying to look for. A polite simple answer, perhaps with an example, is my desperate request. Thank You.
private bool CheckFiles(string s)
{
bool exists = System.IO.Directory.Exists(#"\\\\http:/www.myserver.com/sites/"+ s);
return exists;
}
System.IO.Directory.Exists checks for a directory in the file system. The address that is provided as a parameter is a http-URL that is not supported by file system access.
If you want to check for the presence of the folder on a webserver, you need to use a http client to "talk" to the server. Send a GET or HEAD request to the URL. If this returns a 200 (ok), the folder exists, if it returns 404 (not found), it doesn't.
As you are using .NET Framework 4.5 (or 4.0), you can use WebClient or better HttpClient for this. The following should give you an idea of how to check for the folder:
using (var http = new HttpClient())
{
using (var req = new HttpWebRequest(HttpMethod.Head, "https://..."))
{
using (var resp = http.Send(req))
{
// This is a very broad condition;
// you can also check the StatusCode property against HttpStatusCode.NotFound
return resp.IsSuccessStatusCode;
}
}
}
I have a problematic bug in a production system, which I simply can’t find. Sometimes the system produces an invalid link. When the end-user clicks it I get an error report from the system, and the end-user gets an error message. The URL’s that fail are like this:
http://www.mysite.com/somepath/undefined/
The “undefined” part is the problem, which I think is produced by JavaScript, but I like to make sure it’s not from the back-end.
Is there a way to save every response to a file if it contains the string “/undefined/” using global.asax?
I’ve tried this:
protected void Application_EndRequest(object sender, EventArgs e)
{
TextReader t = new StreamReader(Response.OutputStream);
string content = t.ReadToEnd();
// look for "/undefined/" and save to a temp file is the easy part after this
}
But is says that OutputStream is not readable.
I don’t know for certain which page/ajax request that produces the faulty link, so I need to inspect every response.
You cannot read the response stream, but you can add a response filter to the output stream, and get a copy of it.
There are several related artiles on this:
Logging raw HTTP request/response in ASP.NET MVC & IIS7 here at
SO
Capturing and Transforming ASP.NET Output with
Response.Filter by Rick Strahl.
Hope, this will help you.
Juest check the IIS log file. I tracks all request with urls
I had created one website which has two modules,
ADMIN
USER
They are hosted on different domains. Now when user open its domain suppose its abc.com and can register their company and also upload photo from there and uploaded photo will go in Company_Logo FOLDER.
Now suppose ADMIN's domain is xyz.com . now i want that ADMIN open its xyz.com and can see the photo uploaded from abc.com now i want like ADMIN means from xyz.com can change that uploaded photo to abc.com which is in Company_Logo FOLDER.
In short photo uploded from User side which is on abc.com and replace from ADMIN side which is on xyz.com so how can i do that
So you have two different sites, hosted on different domains and perhaps even different servers, and you want site A to notify site B when some file has been uploaded. You then want to be able to alter that file on site A from site B.
Seems to me you need to create some sort of API on site A, that lets users (admins) from site B check recently uploaded files and also lets them overwrite it.
Okay, this can be done but you'll need to use an HttpHandler. You can find a good example here, but I'll spell out the important parts. I cannot feasibly write the entire handler for you here.
First, let's build a class in the web project and call it ImageHandler ...
public class ImageHandler : IHttpHandler
{
}
... next let's implement the interface ...
public bool IsReusable
{
get { return false; }
}
public void ProcessRequest(HttpContext context)
{
// find out what we're trying to do first
string method = context.Request.HttpMethod;
switch (method)
{
case "GET":
// read the query string for the document name or ID
// read the file in from the shared folder
// write those bytes to the response, ensuring to set the Reponse.ContentType
// and also remember to issue Reponse.Clear()
break;
case "PUT":
// read the Headers from the Request to get the byte[] of the file to CREATE
// write those bytes to disk
// construct a 200 response
break;
case "POST":
// read the Headers from the Request to get the byte[] of the file to UPDATE
// write those bytes to disk
// construct a 200 response
break;
case "DELETE":
// read the Headers from the Request to get the byte[] of the file to DELETE
// write those bytes to disk
// construct a 200 response
break;
}
}
... finally we need to setup the handler in the web.config ...
<configuration>
<system.web>
<httpHandlers>
<!-- remember that you need to replace the {YourNamespace} with your fully qualified -->
<!-- namespace and you need to replace {YourAssemblyName} with your assembly name -->
<!-- EXCLUDING the .dll -->
<add verb="*" path="*/images/*" type="{YourNamespace}.ImageHandler, {YourAssemblyName}" />
</httpHandlers>
</system.web>
</configuration>
Finally, something you're also going to want to do is pass in some kind of session key that can be validated when you get into the handler because otherwise this is open to everbody. It wouldn't matter if you didn't need the PUT, POST and DELETE verbs, but you do.
Technically you wouldn't need to check the session key on GET if you didn't care that everybody could access the GET, but you gotta check it on the others.
You have two options.
If both of your sites are hosted in the same machine or a shared hosting environment, chances are there that your site can access the other directories. In that case you will be easily able to place the images in desired folder.
Now the second case, where one of your site does not have access to the folder of another site, - it is rather complicated. You will have to create a proxy where by the admin site will accept the image and in turn it will put it in the main site folder. I do not recommend this though.
You can do this in 2 steps:
1) Upload image to your server using standard File Upload mechanism
2) Use HttpWebRequest class to upload image to different server on server-side right after original upload.
Please refer to this article: Upload files with HTTPWebrequest (multipart/form-data)
see this for reference:
http://forums.asp.net/t/1726911.aspx/1
I have a script, which by using several querystring variables provides an image. I am also using URL rewriting within IIS 7.5.
So images have an URL like this:
http://mydomain/pictures/ajfhajkfhal/44/thumb.jpg
or
http://mydomain/pictures/ajfhajkfhal/44.jpg
This is rewritten to:
http://mydomain/Picture.aspx?group=ajfhajkfhal&id=44&thumb=thumb.jpg
or
http://mydomain/Picture.aspx?group=ajfhajkfhal&id=44
I added caching rules to IIS to cache JPG images when they are requested. This works with my images that are REAL images on the disk. When images are provided through the script, they are somehow always requested through the script, without being cached.
The images do not change that often, so if the cache at least is being kept for 30 minutes (or until file change) that would be best.
I am using .NET/C# 4.0 for my website. I tried setting several cache options in C#, but I cant seem to find how to cache these images (client-side), while my static images are cached properly.
EDIT I use the following options to cache the image on the client side, where 'fileName' is the physical filename of the image (on disk).
context.Response.AddFileDependency(fileName);
context.Response.Cache.SetETagFromFileDependencies();
context.Response.Cache.SetLastModifiedFromFileDependencies();
context.Response.Cache.SetCacheability(HttpCacheability.Public);
context.Response.Cache.SetExpires(DateTime.Now.AddTicks(600));
context.Response.Cache.SetMaxAge(new TimeSpan(0, 5, 0));
context.Response.Cache.SetSlidingExpiration(true);
context.Response.Cache.SetValidUntilExpires(true);
context.Response.ContentType = "image/jpg";
EDIT 2 Thanks for pointing that out, that was indeed a very stupid mistake ;). I changed it to 30 minutes from now (DateTime.Now.AddMinutes(30)).
But this doesnt solve the problem. I am really thinking the problem lies with Firefox. I use Firebug to track each request and somehow, I am thinking I am doing something fundamentally wrong. Normal images (which are cached and static) give back an response code "304 (Not Modified)", while my page always gives back a "200 (OK)".
alt text http://images.depl0y.com/capture.jpg
If what you mean by "script" is the code in your Picture.aspx, I should point out that C# is not a scripting language, so it is technically not a script.
You can use the Caching API provided by ASP.NET.
I assume you alread have a method which contains something like this. Here is how you can use the Caching API:
string fileName = ... // The name of your file
byte[] bytes = null;
if (HttpContext.Current.Cache[fileName] != null)
{
bytes = (byte[])HttpContext.Current.Cache[fileName];
}
else
{
bytes = ... // Retrieve your image's bytes
HttpContext.Current.Cache[fileName] = bytes; // Set the cache
}
// Send it to the client
Response.BinaryWrite(bytes);
Response.Flush();
Note that the keys you use in the cache must be unique to each cached item, so it might not be enough to just use the name of the file for this purpose.
EDIT:
If you want to enable caching the content on the client side, use the following:
Response.Cache.SetCacheability(HttpCacheability.Public);
You can experiment with the different HttpCacheability values. With this, you can specify how and where the content should be cached. (Eg. on the server, on proxies, and on the client)
This will make ASP.NET to send the client the caching rules with the appropriate HTTP headers.
This will not guarantee that the client will actually cache it (it depends on browser settings, for example), but it will tell the browser "You should cache this!"
The best practice would be to use caching on both the client and the server side.
EDIT 2:
The problem with your code is the SetExpires(DateTime.Now.AddTicks(600)). 600 ticks is only a fraction of a second... (1 second = 10000000 ticks)
Basically, the content gets cached but expires the moment it gets to the browser.
Try these:
context.Response.Cache.SetExpires(DateTime.Now.AddMinutes(5));
context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(5));
(The TimeSpan.FromMinutes is also more readable than new TimeSpan(...).)
I am developing a web app. which will generate a random link pointing to an image on my server. something like -http://dummy.com/Images/Image1.jpg?id=19234
Here this link can then be used by anybody on their site, now I just want to know how many sites are using my links, without anybody clicking on those links.
Can It be done using HTTPModule ??
Is this as simple as Googling? Search for
link:http://dummy.com/Images/Image1.jpg?id=19234
If you want to do this programmatically, you'll need to use the Google API.
The issue you'd have with an HttpHandler is that it will generally only kick in for requests that are being handled by the ASP.Net engine - the image requests will normally be handled by IIS without going through the handler.
Your web logs should be able to tell you who the referers for any given item on your servers are - assuming that you have them, and you hve something to process them - this will be more accurate than using Google.
Going forward, one of the ways I've done this in the past is to have the image generated by an HttpHandler (implementing IHttpHandler).
This will return the image as a stream (setting the content type to "image/jpeg"), and you can add further processing (such as logging where the request (referer) came from, etc).
The limitation I found with the HttpHandler, is that some services (PBBS for example) require an image link to have an image extension - I got around this by processing all 404's with an ASP.Net page that checks for the .jpg extension in the request. If it finds one, instead of returning the usual 404 page, it returns the requeted image. You'll need to configure the 404 handler in IIS though, as the web.config error handler only kicks in for ASP.Net requests (web services and .aspx type pages).
Example handler:
// Sample from the ASP.Net Personal Web Site Starter Kit
public class Handler : IHttpHandler
{
public bool IsReusable
{
get { return true; }
}
public void ProcessRequest(HttpContext context)
{
// Set up the response settings
context.Response.ContentType = "image/jpeg";
context.Response.Cache.SetCacheability(HttpCacheability.Public);
context.Response.BufferOutput = false;
// QueryString parameters are available here:
// context.Request.QueryString["QueryStringKey"]
// You can also access the Referrer object, and log the requests here.
Stream stream;
// Read your image into the stream, either from file system or DB
if (stream == null)
{
stream = PhotoManager.GetPhoto();
}
// Write image stream to the response stream
const int buffersize = 1024 * 16;
var buffer = new byte[buffersize];
int count = stream.Read(buffer, 0, buffersize);
while (count > 0)
{
context.Response.OutputStream.Write(buffer, 0, count);
count = stream.Read(buffer, 0, buffersize);
}
}
}
You can have similar code (or better yet, refactor the main image streaming code into a shared class) in the 404 page, that checks for the existence of the image extension, and renders the image out that way (again, setting the content type, etc).
Oddthinking is right. See http://code.google.com/intl/en/apis/ajaxsearch/documentation/#fonje_snippets or Google's API. They give examples for PHP and Java, but there are also AJAX frameworks for ASP.NET (http://www.asp.net/ajax/), and I'm sure C# as well.
You can change your image extension to an aspx extension (http://dummy.com/Images/Image1.aspx?id=19234), there is no problem in this, because this page the only thing it would do Response.OutputStream of the image. That is to say it would be similar to a jpg but with the advantage you can have some other code to process.
In this aspx (before outputing the image), we would ask about the http_referer and it would be stored in a data table if this registry does not exist.
This is really useful if for example you want to restrict the access to images. You could add some logic to forbid if they are not logged in.