Impersonation and clicking links

Chris Herbert

Hi,

I have a web page (site.com\page1.asp) which contains a link to a document
on the same server (site.com\Restricted\doc1.pdf). I want to ensure that the
only way people can access the file is by clicking the link, and not by
pasting the URL into the browser. My idea was to use impersonation on
page1.asp and to restrict the folder "Restricted" to only allow access to
the user I define in the web.config file.

My problem is that I need anyone to be able to see page1.asp, and therefore
allowed anonymous access to it. I stuck a couple of labels on page1.asp just
to see what's going on, and I see that the User.Identity is null, and that
the Principal.WindowsIdentity is "SERVER\username" as specified in my
web.config.

When I click the link on the page, I still get prompted for a username and
password to access doc1.pdf. I am guessing this is because User.Identity is
null, but if that is the case, what is the point of impersonation? If I put
in the username and password I can access doc1.pdf, so I know it's not a
permissions issue.

If anyone could offer me some insight I would appreciate it.

Thanks
 
bruce barker

you are confusing authentication and thread identity.

1) asp.net authentication is used to verify who the user is. anonymous
must be turned off for there to be one.

2) identity is the actual nt account the request thread is using. the
default is the asp.net service account. it can impersonate the client
(which will be the iis account if anonymous) or be specified.


in general asp.net uses authentication to control access, not identity.


now to your problem. web sites are stateless. to do what you want you
need to map pdf files to asp.net. then in session you need to remember
that a user clicked the link, then verify that value is set when a
download is requested (use an httpmodule to do this).


-- bruce (sqlwork.com)
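
One way to implement the session check described in the answer, as an added example that is not part of the original thread. It uses a handler rather than a module because ASP.NET loads session state only for handlers that implement IRequiresSessionState; `PdfGateHandler`, `Grant` and the session key prefix are assumed names, and the `Restricted` folder is the one from the question.

```csharp
// Added example, not code from the thread. PdfGateHandler, Grant and the
// "pdfGrant:" key prefix are assumed names; ~/Restricted is from the question.
using System.IO;
using System.Web;
using System.Web.SessionState;

// Register for *.pdf in a web.config placed in the Restricted folder, and map
// the .pdf extension to ASP.NET in IIS so the request reaches this handler:
//   <httpHandlers>
//     <add verb="GET" path="*.pdf" type="PdfGateHandler" />
//   </httpHandlers>
public class PdfGateHandler : IHttpHandler, IRequiresSessionState
{
    private const string GrantPrefix = "pdfGrant:";

    public bool IsReusable { get { return true; } }

    // Call from the link's server-side click event on page1, then redirect
    // the browser to the document URL.
    public static void Grant(HttpSessionState session, string fileName)
    {
        session[GrantPrefix + fileName.ToLowerInvariant()] = true;
    }

    public void ProcessRequest(HttpContext context)
    {
        // Keep only the final path segment so "../" cannot leave the folder.
        string name = Path.GetFileName(context.Request.Path);
        string key = GrantPrefix + name.ToLowerInvariant();
        string physical = context.Server.MapPath("~/Restricted/" + name);

        bool granted = context.Session != null && context.Session[key] != null;
        if (!granted || !File.Exists(physical))
        {
            // Same answer for "no grant" and "no such file", so a pasted URL
            // reveals nothing about which documents exist.
            context.Response.StatusCode = 404;
            return;
        }

        context.Session.Remove(key);   // one download per click
        context.Response.ContentType = "application/pdf";
        context.Response.TransmitFile(physical);
    }
}
```

The link on page1 has to post back to the server (for example a LinkButton whose click handler calls `PdfGateHandler.Grant(Session, "doc1.pdf")` and then redirects), since a plain anchor never gives the server a chance to record the click.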
 
