How do I prevent direct access to documents in GlassFish? - .htaccess

I have a directory on my site with PDF files, each file is named using the ID of it's record (i.e. 12345.pdf, 67891.pdf).
I want to prevent a user from access PDF files directly by simply typing in the URL of a file. I want to force the user to use a page script to access the file (e.g. /getFile?12345, where the getFile script would retrieve the file and display).
I know using Apache you can modify the htaccess file to restrict direct access for certain file types, but I'm using GlassFish 3.1.2 and, being relatively new to it, I can't find anything about accomplishing something similar. Anybody know how to do this?

I'm dealing with exact issue right now and I have a solution that works (for me).
Step one confirm which you are using GlassFish on Apache or GlassFish on IIS.
Here is what worked for me. I have IIS redirect access to the directory that the files are in using web.config. There is a redirect on the directory and the files within:
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
<match url="(myPDFDirectory)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
Or you can redirect them to your custom user capture stuff.
In htaccess it would be something like this (I am not good at Apache so you'll have to get a confirmation).
RewriteRule ^/myPDFDirectory/(.*)$ http://website.com/signUp.cfm [R=301,L]
I may have to review the first of the two examples but you get the point.
Now on to the file delivery.
I have seen this done the header content method. But unfortunately there is something going on with the server and it cannot access the directory with the PDF files. So I was able to access the files via HTTP. With the rewrite rule in place there no access 'directly' to the directory of files for outside users navigating around, however, when I call the the PDF to download through a HREF it works. I am using the new HTML 5 version of HREF with the download parameter. It forces download
Download Your Expense Report
There are other ways to feed the user his or her files for download like the cfheader/cfcontent method but I don't have directory access set up properly and the servers are ones I don't admin so I had to come up with something unconventional :/
I hope this is helpful...

I followed Avery Martell's advice and looked outside the web root. I ended up setting up an NFS appliance to store the files and setup appropriate permissions. After some additional research, this is a common best practice, especially for my needs which is to store documents > 1MB. At that size the benefits of storing in a db start to diminish, and storing them in a directory within the web root is unnecessarily complicated. I hope this helps those with similar needs.

Related

Redirect anything not already redirected with 301 on IIS7

We recently setup a new website on a new domain using WordPress, to replace our old website using flat files. Because of time constraints, we had little time to plan and ended up having someone setup the redirects in IIS Manager.
This means that almost every folder in the old website has something like the following for each page:
<location path="old-file.html">
<system.webServer>
<httpRedirect enabled="true" destination="http://new-domain.com/new-page/" exactDestination="true" childOnly="true" httpResponseStatus="Permanent" />
</system.webServer>
</location>
The problem is that this was a massive site with ~15k pages and only about 1k pages were manually redirected to new URIs. This means we have potentially 14k pages of legacy content (effectively dead URLs, some of it is so old) but we need to it redirect to the root of the new domain.
So almost every folder has a web.config with one instance of the codeblock above for each page redirected, but we need every page that wasn't redirected in this manner to redirect to a fixed location.
Manually configuring isn't an option because of the number of pages. I thought about using a tool to add a line of PHP to handle the redirect to every .php and .html file (PHP had to parse html files on this site for legacy content) but it's far from ideal.
Ideally, there'd be something I could put in the web.config which would say "For any request not already redirected via <location>, redirect it to "http:// domain.com". Even if this meant appending something to the web.config already in each folder, it would save days of work, say if no locations match, then redirect.
I've searched for having multiple locations or wildcards in <location> blocks but doesn't seem possible so I'm not sure what do do here—any help appreciated!
Suggestion: why not you redirect your 404 page to home page of any other you wish to.. if someone lands to any old page that no longer exists should go to 404 so redirect 404 to homepage, common practice in case of ecommerce sites they redirect their discontinued product page to search page. If that helps you can google "redirect 404 to homepage wordpress" there are lots of plugins that would do it, but as IIS you can simply config your web.config.
If the urls are now dead and you dont have replacement content to redirect them to, then the proper response would be to return a 404/410. Redirecting dead urls in bulk to the homepage will be seen by Google as a soft 404. https://support.google.com/webmasters/answer/181708?hl=en

DotNetNuke redirects when calling ImageResizer with fake extension

I've installed the ImageResizer libraries in my DotNetNuke environment as described at http://imageresizing.net/docs/workswith/dotnetnuke
But I'm getting redirected to the root of my portal as soon as I call the resizer extension
My resize settings in the web.config look exactly the same as the example in the installation guide
<resizer>
<pipeline fakeExtensions=".ashx" />
<plugins>
<add name="MvcRoutingShim" />
<add name="DiskCache" />
</plugins>
</resizer>
Looks good to me, but as soon as i try to call an image through the extension, I get redirected to the root of the site.
Call to:
http://localhost/Portal/0/Image.jpg.ashx
Redirects to:
http://localhost/
I can't figure out how to fix this. Is it a DotNetNuke or a IIS setting?
Things I already tried:
Checked the Configuration of the site and made sure the .ashx extension has the "Verify that file exists" checkbox unchecked.
Tried using an other extension
Tried adding a wildcard in IIS
checked resizer.debug.ashx,
2 Issues detected:
(Warning): To potentially see additional errors here, perform an image resize request.
Server(Warning): Microsoft-IIS/6.0 does not support Integrated mode or does not have it enabled.
You must append the .ashx extension to any image requests you wish to process.
It seems the handler is never called and the redirect takes place based on the fact that there's no physical file called Image.jpg.ashx.
Any ideas how to fix this?
It was a defective rewriterule in SiteUrls.config causing this problem:
<RewriterRule>
<LookFor>[^?]*/(\d+)/(.*)</LookFor>
<SendTo>~/Default.aspx?tabid=$1</SendTo>
</RewriterRule>

url rewrite and ARR across application pools

I am trying to figure out how to use url rewrite and Application Request Routing (ARR) to rewrite across different app pools on the same server.
In a simplified version, here is what I have: a REST service API is implemented with 2 virtual directories, Service.A and B, so virtual directory is part of url to access to access resources A and B
GET [https://]api.mycompany.com/Service.A/A
GET [https://]api.mycompany.com/Service.B/B
What I want to achieve is to have one single external url for the api without virtual directory names, and obviously not having to go through a code refactoring (to merge solution files and builds)
GET [https://]api.mycompany.com/A
GET [https://]api.mycompany.com/B
I implemented a url rewrite rule to match /A in path and replace with /Service.A/A, with some code like this in web.config at the default web site level, which works fine.
<rewrite>
<rule name="AddServicePrefix" enabled="true">
<match url="^A[/]?.*" />
<action type="Rewrite" url="/Service.A/{R:0}" />
</rule>
</rewrite>
The problem is that when I assign a different application pool to Service.A (from the app pool of default web site), this will fail immediately with a 403 error, but this is a requirement on our side to have applications/virtual directories running under different app pools to minimize impact when any pool fails or recycles.
I have done some research. This previous post below basically said "if you want to re-route request to another app-pool, you have to make a hop, whether that hop is over winsock or named pipe or whatever else" without much details. I also went through ARR guide but couldn't figure out exactly how to use ARR for this case.
http://forums.iis.net/t/1151510.aspx?Rewrite+across+application+pools+
Any help? Suggestions and comments whether I am in the right direction?
Thanks!
oh, forget to mention the environment: currently in dev environment, IIS 7.5 on Windows 7, Url Rewrite 2.0, and ARR 3.0, installed by Web Platform Installer.

404 error with IIS 7.0

I have a text file that I am trying to browse to using the browser http://files.mydomain.com/test.txt and I get a:
HTTP Error 404.0 - Not found
I double checked and the text file does exist. When I add a test.htm file, I have no issues.
Can someone help? Something tells me it's security issue.
Have you checked the following:
Your DNS 'A' record for 'files' is pointing to the correct IP address
If your server is using a shared IP address across multiple sites have you configured a HTTP host header?
Is there a mime type set for the .txt extension?
Have you made any changes to the Handler Mappings for the site? e.g. mapped the .htm extension to say the ASP ISAPI filter and accidentally removed the StaticFile handler?
Can you serve other static content such as .jpg, .gif, .pdf etc?
Kev has covered most of the possible problems, but for reference there is another possibility.
Confirm that in Request Filtering you either
have .txt as an Allowed extension, or
have Allow unlisted file name extensions ticked in Edit Request Filtering Settings
The same effect can be achieved with the following web.config section:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".txt" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
Also make sure also that the website is started. I was getting 404 and then realized that the Default Website was stopped because another website (Sharepoint) was using port 80. Sometimes the obvious is what gets you.
Add the MIME-Typ by going to ...
features / Mime-type
right click,
add,
put in the file extension ".txt"
and the mime-type "text/plain"
ok
et voila
I know this is an old post, but this might still help somebody out. I ran into this problem with my Asp.Net Core application. In my case it turned out that static files are served from a subdirectory called 'wwwroot' by default. Creating that subdirectory and moving the file in their solved it for me:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/index?view=aspnetcore-2.2&tabs=windows#web-root

How do I configure IIS to parse c# code in a .xml file?

I'm trying to configure IIS to parse a .xml file just like it would parse a .aspx file. The reason is I have some c# code in a <script> block that does scans some folders and then spits out dynamic xml.
Now normally I'd just do this in a .aspx file, and set the consuming code to grab the .aspx URL for the xml data. But, the consuming code is a legacy .swf file that is hardcoded to consume a .xml file of the same name, and we don't have access to the source .fla file.
I thought that this would be easy... but it's proving to be more difficult than I thought. I've gone into the application configuration in IIS and added the application extension for .xml to be the same as .aspx (Properties -> Home Directory tab -> Configuration), but it seems there's something I'm missing, as now trying to load the .xml file just does nothing, the browser comes back immediately with page can't be found.
Does anyone know how to get IIS and the .Net framework to parse my .xml file?
Once you add the configuration mapping in IIS, you also have to register the HttpHandler in your web.config (edit)**as well as the build provider(/edit)**:
<configuration><sytem.web>
<httpHandlers>
<add path="*.xml" verb="*" type="System.Web.UI.PageHandlerFactory" validate="true"/>
</httpHandlers>
<compilation>
<buildProviders>
<add extension=".xml" type="System.Web.Compilation.PageBuildProvider"/>
</buildProviders>
</compilation>
</sytem.web></configuration>
I think I redirect will be easier.

Resources