how to secure Excel file on webserver?

Rich

Hi,

I have a bunch of Excel reports that I would like to
display on my company's intranet. The reports contain
privileged information, however. My plan was to have a
page with a dropdown box so someone could pick the report
they need to view. This page can be secured with a
session object, etc. But what is to keep an unauthorized
person from accessing a file by typing

http://serv1/excelrpt1.xls

Is there something I could configure in IIS? Set
permissions?

Thanks,
Rich
 
Ray at

Either keep the excel file out of the website and stream it back with this
method, http://www.aspfaq.com/2276, or use NT authentication on the
directory with the files and make people log in to get them.

Ray at work
 
Rich

Thank you for your response. I tried the code at

http://www.aspfaq.com/2276

It definitely seems interesting. However, for this line
of the code

adoStream.Type = 1

I think it probably needs to be something different
because for this line: FPath = "c:\" & fn I made
it "c:\excelrpt1.xls". This brought up unreadable text.
Rather than trying adoStream.Type = 2 or 3 ... can the
adoStream read in an xls file? If so do you know the type
number or where I could get info on that?

Thanks again for your reply. I guess there is always NT
authentication, but that seems harder to control.

Rich
 
Ray at

Rich said:
> Thank you for your response. I tried the code at
>
> http://www.aspfaq.com/2276
>
> It definitely seems interesting. However, for this line
> of the code
>
> adoStream.Type = 1

Sorry, add this line to the top:
Response.ContentType = "application/vnd.ms-excel"

(There are two types:
adTypeBinary (1)
adTypeText (2)

Excel files should be returned binarily, I'd think.)

> Thanks again for your reply. I guess there is always NT
> authentication, but that seems harder to control.

I agree!

Ray at work
 
Rich

Thank you, again. Yes, that did the trick. Excel shows up
OK now. But as for the securing part (and I apologize for
my ignorance on this), here is the code that I tried, and
tried to make it not work (change the ServerVariables),
but that did not work:

<%
ref = LCase(Request.ServerVariables("HTTP_REFERER"))
'If InStr(ref, LCase("myServer")) > 0 Then
If InStr(ref, LCase("vtu")) > 0 Then
    'fn = "okay.gif"
    Response.ContentType = "application/vnd.ms-excel"
    FPath = "C:\test1.xls"
    Set adoStream = Server.CreateObject("ADODB.Stream")
    adoStream.Open()
    adoStream.Type = 1
    adoStream.LoadFromFile(FPath)
    Response.BinaryWrite adoStream.Read()
    adoStream.Close: Set adoStream = Nothing
    Response.End
Else
    'fn = "warning.gif"
    Response.Write("not authorized")
End If
%>

May I ask how I could invoke the else part of the code
above? Thank you again for showing me how to use the
adoStream.

Rich
 
Ray at

Is this what you want to do? You're trying to prevent people from leeching
your Excel files? Or are you trying to protect them from unauthenticated
users or something? This all depends on what you're trying to protect the
files from.

Ray at work
 
Rich

OK. I think I'm getting this. I am supposed to call this
page from another page and set the ServerVariable at the
other page. I got thrown off by "YourDomainName" in the
example code. Silly me (I think :).
 
Rich

Well, I am trying to prevent unauthorized people from
accessing the excel files through our intranet. What I am
thinking is that I could just have a plain htm file with a
submit form. The user submits their name (login ID, pwrd)
after selecting an excel file to view and calls the asp
which can open the excel file. The asp checks a database
for the name. If it finds the corresponding name,

name = Request.Form("name")
....
If Not IsNull(check) Then
    Response.ContentType = "application/vnd.ms-excel"
    ...
Else
    Response.Redirect "login.htm"
End If

something like this. Kinda basic. I suppose I could set
a session object, if the session object is not null, and
name is in db then... Truth is, I know how to do this in
jsp, still kinda new to asp and the web server at the
workplace happens to be IIS. So I need to learn asp.
Does the above plan look doable for a quicky (not real
sophisticated) page to view the excel reports with some
degree of security?
 
Ray at

If you can do this in jsp, you can do it in ASP. Understanding the concept
is all it takes. After that, it's just a matter of learning how to
code-monkey in a different language. But, yes, what I suggest is dropping
the Excel file idea for the time being, and just work on creating a page
that would determine whether or not a person is authorized to *do
something*. After you have that worked out, worry about what that
something is, which would be the Excel streaming thing. A real basic
sample:




page1.asp:

<form method="post" action="page2.asp">
<input name="txtUsername">
<input name="txtPassword" type="password">
<input type="submit">
</form>


page2.asp:

<%
' Check the submitted credentials and record the result in the session
sUsername = Request.Form("txtUsername")
sPassword = Request.Form("txtPassword")
If sUsername = "Rich" And sPassword = "snakeline" Then
    Session("LoggedIn") = True
Else
    Response.Redirect "page1.asp"
End If
%>

<a href="page3.asp">Click here to get the file.</a>


page3.asp:

<%
' Only return the file when the session was marked as logged in by page2.asp
If Session("LoggedIn") Then
    '''your code to return Excel file
Else
    Response.Write "You're not authorized to this file."
End If
%>


Ray at work
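
The two halves of this thread put together, as an added example that is not code from either poster or from aspfaq.com: a page in the role of page3.asp that combines the Session("LoggedIn") gate with the ADODB.Stream return, and goes one step further by mapping the dropdown value to a fixed file name so the request never carries a path. The file name getreport.asp, the folder D:\Reports, the query parameter "report" and the report keys are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' getreport.asp (hypothetical name): session-gated download of a report kept
' outside the web root, so a direct URL such as /excelrpt1.xls never resolves.
Const REPORT_DIR = "D:\Reports\"   ' assumption: folder not mapped into any IIS site
Const adTypeBinary = 1

Dim reports, key, adoStream
' Allowlist: dropdown value -> file name (constructed sample entries).
Set reports = Server.CreateObject("Scripting.Dictionary")
reports.CompareMode = vbTextCompare
reports.Add "rpt1", "excelrpt1.xls"
reports.Add "test1", "test1.xls"

' 1. Authorization comes from server-side session state set at login,
'    not from HTTP_REFERER, which is a request header the client controls.
If Session("LoggedIn") <> True Then
    Response.Redirect "page1.asp"
End If

' 2. Resolve the requested key through the allowlist only; anything else is rejected.
key = Trim(Request.QueryString("report"))
If Not reports.Exists(key) Then
    Response.Status = "404 Not Found"
    Response.Write "Unknown report."
    Response.End
End If

' 3. Stream the file as binary with the Excel content type.
Response.ContentType = "application/vnd.ms-excel"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & reports(key) & """"
Set adoStream = Server.CreateObject("ADODB.Stream")
adoStream.Open
adoStream.Type = adTypeBinary
adoStream.LoadFromFile REPORT_DIR & reports(key)
Response.BinaryWrite adoStream.Read()
adoStream.Close
Set adoStream = Nothing
Response.End
%>
```

The account the ASP application runs as needs read access to the report folder; nothing else on the intranet does.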
 
Rich

Again, thank you very much for this example. It is
perfect. And I humbly confess that my proficiency in jsp
is actually not much higher than asp except that I have a
bunch of textbooks for jsp already (just haven't used jsp
in the work environment). I should take a class in asp,
but looking at aspx (too many classes to keep up - need to
take vb7, c#). Hope you don't mind me learning asp on the
fly :).

Many thanks,
Rich
 
