Protecting Files from Unauthorized Access
New Post
5/8/2006 6:48 PM
 

Hi Steve,

The whole Repository team is doing a great job! One of the most challenging things in .Net programming for web applications is setting up a secure place to store information in a way that only authorized users can get to restricted files. I have come across this situation in several projects and although you can set HTTPModules to try to block access to certain files, IIS will not run the code in the HTTP module when the ISAPI extension is not mapped to the aspnet_isapi.dll. This makes it risky to store files such as applications (.exe), pdf documents, htm documents and other documents for which the HTTP module's code will not run and as a result it would not be possible to control unauthorized access. I tried at some point a wildcard mapping to the aspnet_isapi.dll but this is definitely not the best approach as for one part it is difficult to implement for most web site hosting providers and it can be easily disabled without the web site owner's knowledge.

I notice that you have used an interesting approach by adding a GUID (known only to the Repository) to the file names, which makes it very unlikely for any user to "hit" the file unless the request is submitted using the Repository. However, the file is still "exposed". I have worked other projects using Microsoft Content Management Server (MCMS), which stores the web site's content in the SQL database. While this approach is cumbersome, and it implies the need to have a "Site Manager" which adds a lot of unnecessary complexity, I have come to think that a combination of the two models would yield a very high degree of security and a simpler implementation. When the user uploads a file, a "shortcut" would be placed in the file system, allowing the system to leverage on its benefits, and making it easy to add, move, delete, change file attributes, etc. However, the actual content of the file would be stored in the database (using a GUID) and secure from unauthorized access. A side benefit would be that it would be included automatically in database backup procedures.

Regards and I look forward to the 4.0 version of the Repository

 
New Post
5/8/2006 7:00 PM
 

FYI: the next version of DNN has support added for secured files, both in the filesystem (the files have .resources appended to them, as this extension is automatically mapped to a 404 redirect in IIS) or in the database, as well as the traditional file storage. You can read the full list of enhancements @ http://dotnetnuke.com/Community/Blogs/tabid/825/EntryID/420/Default.aspx , but the file management bits are below:

File Management

- Storage Location - new Folder level specification to identify whether files should be stored on the file system ( unsecure ), file system ( secure ), or database ( secure ).
- File Manager - refactored to use the database as the source for file/folder information rather than the physical file system. Improved user interface to accommodate new Storage Location options as well as provide Synchronization at the folder level.
- File/Folder Association - added referential integrity between the Files and Folders table
- File Server - HTTP Handler for serving files regardless of Storage Location. Takes advantage of Folder permissions to ensure secure access to files.
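
Added example (not part of the thread, and not DNN or Repository code): a minimal ASP.NET handler in the spirit of the "File Server" item above, which resolves an opaque id to a stored file and checks role membership before streaming it. The class name, the `id` query parameter, the `~/App_Data/SecureFiles` folder, the sample GUID and the role names are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical handler; the metadata below is constructed sample data.
// A real site would read it from its own file and folder tables.
public class SecureFileHandler : IHttpHandler
{
    private sealed class FileEntry
    {
        public string StoredName;   // name on disk, never taken from the request
        public string DownloadName; // name offered to the browser
        public string[] ViewRoles;  // roles allowed to read the containing folder
    }

    private static readonly Dictionary<Guid, FileEntry> Files = new Dictionary<Guid, FileEntry>
    {
        { new Guid("11111111-2222-3333-4444-555555555555"),
          new FileEntry { StoredName = "report.pdf.resources", DownloadName = "report.pdf",
                          ViewRoles = new[] { "Subscribers", "Administrators" } } }
    };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        Guid id;
        FileEntry entry;
        // Malformed ids, unknown ids and denied users all get the same 404,
        // so the response does not confirm which ids exist.
        if (!Guid.TryParse(context.Request.QueryString["id"], out id) ||
            !Files.TryGetValue(id, out entry) ||
            !IsAllowed(context.User, entry.ViewRoles))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // The path is built only from trusted metadata, so the request cannot traverse directories.
        string path = Path.Combine(context.Server.MapPath("~/App_Data/SecureFiles"), entry.StoredName);
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + entry.DownloadName + "\"");
        context.Response.TransmitFile(path);
    }

    private static bool IsAllowed(IPrincipal user, string[] roles)
    {
        return user != null && user.Identity.IsAuthenticated && Array.Exists(roles, user.IsInRole);
    }
}
```

Because requests go to the handler's own ASP.NET-mapped URL rather than to the stored file, the permission check runs whatever the file's extension, which is the gap with unmapped extensions described in the first post.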


 
New Post
5/9/2006 6:47 PM
 

Thanks. This is a change that was needed. Will the Repository be modified to provide the same options as the new DNN version?

 
New Post
6/7/2006 3:31 PM
 
I may be speaking out of turn on this but I'd say that yes it will be modified. It may take a while after the next release of DNN before it's implemented though.
 