Re: Impersonation and clicking links

Tech-Archive recommends: Speed Up your PC by fixing your registry

you are confusing authentication and thread identity.

1) asp.net authentication is used to verify who the user is. anonymous must be turned off for there to be one.

2) identity is the actual nt account the request thread is using. the default is the asp.net service account. it can impersonate the client (which will be the iis account if anonymous) or be specified.


in general asp.net uses authentication to control access, not identity.


now to your problem. web sites are stateless. to do what you want you need to map pdf files to asp.net. then in session you need to remember that a user clicked the link, then verify that values set when a download is request (use a httpmodule to do this).


-- bruce (sqlwork.com)



Chris Herbert wrote:
Hi,

I have a web page (site.com\page1.asp) which contains a link to a document on the same server (site.com\Restricted\doc1.pdf). I want to ensure that the only way people can access the file is by clicking the link, and not by pasting the URL into the browser. My idea was to use impersonation on page1.asp and to restrict the folder "Restricted" to only allow access to the user I define in the web.config file.

My problem is that I need anyone to be able to see page1.asp, and therefore allowed anonymous access to it. I stuck a couple of labels on page1.asp just to see what's going on, and I see that the User.Identity is null, and that the Principal.WindowsIdentity is "SERVER\username" as specified in my web.config.

When I click the link on the page, I still get prompted for a username and password to access doc1.pdf. I am guessing this is because User.Identity is null, but if that is the case, what is the point of impersonation? If I put in the username and password I can access doc1.pdf, so I know it's not a permissions issue.

If anyone could offer me some insight I would appreciate it.

Thanks


.

Relevant Pages

  • Re: How to use WindowsPrincipal properly??
    ... the administrators in the computer e.g. win2k ... I am basically confused with the role base authentication and the ... impersonation, not sure what exactly is the difference. ... > string ONLY returns the string "Administrator", ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: System.IO.Directoryinfo throwing exception
    ... With basic authentication and impersonation you need to ... use a domain account which can delegate and you can check how to mark your ... ASP.NET MVP ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Access denied ( From one site to another, that is in another server)
    ... server. ... you can implement impersonation through code and revert ... This posting is provided "AS IS", with no warranties, and confers no rights. ... | Integrated Authentication ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: localhost vs. macinename in URL (access denied)
    ... Impersonation with Integrated Authentication will work if you are accessing ... a resource on the same machine. ... being delegated to allow delegation or change the computer account to allow ...
    (microsoft.public.dotnet.security)
  • Re: IIS Folder and file security. Impersonation does not work.
    ... Custom URL navigation. ... First -- what you want to do does NOT need the impersonation DLL at all. ... Second -- you are muddling HTML and IIS concepts together and hoping for the ... Now, with IIS6, we have a custom authentication sample ISAPI that should ...
    (microsoft.public.inetserver.iis)