Re: Securing files stored in virtual directory


From: Dan Rogers (danro_at_microsoft.com)
Date: 12/03/04


Date: Fri, 03 Dec 2004 03:48:41 GMT

Hi Sumaira,

I think that if you use SOAP with attachments, then yes, you can have
multiple attachments. Once you are returning the data as an attachment,
you no longer need to worry about the path names - since there would not be
any path names associated with the initial upload, which would copy the
local file (original) to an attachment, and the web service would receive
the attachment, save it to a database row, generate the unique key,
associate this key with the right metadata (your choice) and then return
the key as the response from the save step.

Then the request to retrieve the file would pass one or more keys, and
create an attachment in the response message for each key for which the
caller was authorized to get, and that exists still in the database.

Does this help?

Dan
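
The save-and-fetch design described in the reply above, as an added sketch that is not part of the original post and is not WSE or DIME code: it uses Python with an in-memory SQLite database, and the table names, the `grants` authorization table and the function names are all assumptions made for illustration.

```python
import secrets
import sqlite3


def open_store():
    """In-memory database standing in for the resume store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resumes (key TEXT PRIMARY KEY, applicant TEXT, "
               "name TEXT, body BLOB)")
    db.execute("CREATE TABLE grants (employer TEXT, key TEXT, "
               "PRIMARY KEY (employer, key))")
    return db


def save(db, applicant, name, body):
    """Save step: store the uploaded bytes as a BLOB and return a unique key.

    No server-side path or URL is created, so nothing is reachable by plain HTTP.
    The key is random, so it cannot be guessed from another key.
    """
    key = secrets.token_urlsafe(16)
    db.execute("INSERT INTO resumes VALUES (?, ?, ?, ?)",
               (key, applicant, name, body))
    return key


def grant(db, employer, key):
    """Record that an employer may read the resume stored under this key."""
    db.execute("INSERT OR IGNORE INTO grants VALUES (?, ?)", (employer, key))


def fetch(db, employer, keys):
    """Fetch step: one attachment per key the caller is authorized for and that
    still exists. `employer` must come from the authenticated security context,
    never from the request body. Unauthorized and missing keys are omitted in the
    same way, so a caller cannot tell which keys exist.
    """
    attachments = []
    for key in keys:
        row = db.execute(
            "SELECT r.name, r.body FROM resumes r "
            "JOIN grants g ON g.key = r.key "
            "WHERE r.key = ? AND g.employer = ?", (key, employer)).fetchone()
        if row is not None:
            attachments.append({"key": key, "name": row[0], "body": bytes(row[1])})
    return attachments
```

On the client, each returned attachment is a byte stream with a name rather than a URL, so a link in the UI would carry the key and trigger a fetch call instead of pointing at a file path.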
--------------------
From: sumaira.ahmad@gmail.com (Sumaira Ahmad)
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
Subject: Re: Securing files stored in virtual directory
Date: 2 Dec 2004 18:47:26 -0800

Thank you so much for your detailed response. But I have a few
questions here:

Can I attach more than one resume in the same response
message? Associated with the key can be multiple resumes.
Also, how will I link it to a hyperlink that I was initially using on
the client and setting it to the path of the resume, such as
http://localhost/service1/xyz.doc?
I set the hyperlink to map to a database column that contained the
resume path as shown above. Now how can I view it on the client if I
use this method? So do I have to temporarily store it somewhere in a
folder on the client and then view it?

Please let me know the answers to these. If these are resolved I will go
ahead and make changes.
Thank you so much for your time and energy.
Regards,
Sumaira

danro@microsoft.com (Dan Rogers) wrote in message
news:<t35o$bL2EHA.2732@cpmsftngxa10.phx.gbl>...
> Hi Sumaira,
>
> Rather than save them as files, you may want to save them as BLOBs in a
> database, key them, and then retrieve a list of keys based on the
> Employer's request. Then create a new web method, perhaps called something
> like "Fetch" and have that look up the key passed, pull back the BLOB and
> attach that blob to the response using DIME/Soap attachments.
>
> This would solve the HTTP access issue nicely and eliminate the inevitable
> day when your web server falls over because its disk is full.
>
> I hope this helps
>
> Dan Rogers
> Microsoft Corporation
>
> --------------------
> From: sumaira.ahmad@gmail.com (Sumaira Ahmad)
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> Subject: Re: Securing files stored in virtual directory
> Date: 2 Dec 2004 10:06:41 -0800
>
> Hi, thank you so much for all your responses. I am really very new to
> .NET and to WSE and it is taking me time to understand how to
> understand your replies. :-)
>
> Let me explain my scenario a little bit more.
> I was implementing WS Secure conversation in an ASP.NET Application.
> I have anonymous access to the Web Service and in each method I check
> to see if the user has a valid security context token, and if yes he
> is allowed access to the web service.
> As a part of my project, I am storing Resumes of job applicants in the
> virtual directory of the web service running IIS. Within the
> application I am checking that if the Employer is authenticated and is
> authorized then he will be shown links to all the resumes such as
> http://localhost/Service/resume1.pdf.
> Later I realized that this link can be viewed directly from the
> browser too and that disturbed me (little that I know of web services
> and WSE and ASP.NET). All my users are authenticated against ADAM and
> authentication is checked in the CustomUsernameTokenManager.
>
> Now can someone please tell me how I can avoid this issue? If I try and resolve
> it the way told, I fear it may disrupt my application, or maybe
> not. I am not sure.
> Please tell me how to go about it. I sincerely request help, and a
> little detailed response to a newbie will be highly appreciated.
> I appreciate the time that you'll have already put in it and hope for
> some more to resolve this issue, which maybe really very minor and
> stupid for you'll.
>
> Thanks,
>
> Sumaira Ahmad
>
>
> Martin Kulov <kulov@bezbokluk.abv.bg> wrote in message
> news:<OFW#SK61EHA.3392@TK2MSFTNGP10.phx.gbl>...
> > Hi Sumaira,
> >
> > MTOM will address this problem. Recently it has entered proposed
> > recommendation state [1]. However it is not supported in the current
> > release of WSE. You can either wait for it or implement your own way of
> > securing the attachments.
> >
> > [1] http://www.gazitt.com/OhmBlog/permalink.aspx/d2f5a87b-c31e-48fd-8f92-5db8317b7445
> >
> > Best,
> > Martin Kulov
> > www.codeattest.com
> >
> > > Hi,
> > >
> > > I have a big problem here and would really appreciate if someone would
> > > shed some light on it.
> > > My ASP.NET application stores files in the virtual directory of the
> > > Web Server. These files are sent as DIME attachments in SOAP Messages
> > > and stored on server. Now I realized that these files can be simply
> > > viewed on the browser. Is there any way of securing these files because
> > > they contain information not for public use, only for authenticated
> > > authorized use? Can we define some policies on the server for that?
> > > Please let me know,
> > > Thanks,
> > > Sumaira Ahmad
>