WebSite security

[Islay Rodriguez Jr.]

I would like to be able to dynamically setup “file security†for the folders
on the file system of my website (hosting site). The website will store
product information for vendors that needs to be secure from the other
vendors (or anyone else) on the same website. Each vendor will have the
authority to allow access to his information to potential customers.

Is there a way, from ASP.NET (VB.NET), to setup up secured groups which will
have exclusive access to certain to areas of the file system? Each group will
require an administrator (the Vendor) for that group, with the ability to
add/delete members to his group, along with other administrative tasks.

Can anyone point me in the right direction please?

I’m not sure which forum this question should go to.

 

[Gregory A. Beamer]

I would like to be able to dynamically setup “file security†for
the folders on the file system of my website (hosting site). The
website will store product information for vendors that needs to be
secure from the other vendors (or anyone else) on the same website.
Each vendor will have the authority to allow access to his information
to potential customers.

Trust me that you do not want file level security for an Internet site
(see below).

Is there a way, from ASP.NET (VB.NET), to setup up secured groups
which will have exclusive access to certain to areas of the file
system? Each group will require an administrator (the Vendor) for that
group, with the ability to add/delete members to his group, along with
other administrative tasks.

On the file system, you can do it in a granular way with windows logons,
but that will not work if you want customers to see the information when
hte vendor allows it, as it is a maintenance nightmare to control logon
access for millions of people (potentially). Once you get past a few
thousand, you end up with a full time networking staff to manage people.

But, you can set up your own access rules if you will store the
information in a database. You can then set up the information so it can
only be viewed by a person in the admin role of the vendor connected to
the data until the vendor says it can be accessed by others.

Can anyone point me in the right direction please?

I would look at the Membership bits in ASP.NET. You should consider a
custom provider if it does not fit all your needs.

The next thing is a bit of database design. You will need a design that
allows data access rules. You will then have to set up your
authentication and authorization bits to respect what the database says.

The route you would like to go is fine if you can create windows logins
for all of the users. As you mention the word "customers", it becomes
completely unmanageable as windows logins.

peace and grace,

 

[Islay Rodriguez Jr.]

Thanks for the Quick response.

I'm currently using ASP Membership roles on my site and I'm using an SQL
server 2005 database.However the data I'm trying to protect is on the domain
host file system. I use Membership roles to limit legitimate access
requests (through web pages) to the file system, however since I had to allow
write access to some roles (for file creation/ deletion of files), I don't
know how to stop unauthoized users/intruders from viewing/modify those files
and directories.

Using the combination of "CompanyID" and the membership roles, the VB.NET
"code behind" restricts users from access to other vendors data directories,
however an unauthorized intruder would have not those resrictions.

I known that on a normal windows logon, the user has certain "access
rights"/priviliges that restrict his ability to perform certain tasks or
access certain directories. The logged on user also belongs to secuirty
groups ("admin","Guest", "User", etc.) that define what he is able to do. Is
there a way to programatically provide this functionality to a WebSite and
the hosting file system ?

For instance when Vendor "x" logs on to the website, his Windows security
group would be changed to group "x" and Vendor "y"'ssecurity group would be
changed to group "y". Aslo the subdirectories for these vendors,when
created, would belong to the appropriate group. These priviliges/"access
rights" need to be changed using the VB.Net "code behind" software.

Does this functionality exist with .NET?

 

[Gregory A. Beamer]

Thanks for the Quick response.

I'm currently using ASP Membership roles on my site and I'm using an
SQL server 2005 database.However the data I'm trying to protect is on
the domain host file system. I use Membership roles to limit
legitimate access requests (through web pages) to the file system,
however since I had to allow write access to some roles (for file
creation/ deletion of files), I don't know how to stop unauthoized
users/intruders from viewing/modify those files and directories.

Using the combination of "CompanyID" and the membership roles, the
VB.NET "code behind" restricts users from access to other vendors
data directories, however an unauthorized intruder would have not
those resrictions.

If you make it so the files are always served up by a page, rather than
by http://mysite/hackme.doc, would that solve the problem?

http://mysite/trytohack.aspx?doc=hackme

Sorry, you don't have access.

I known that on a normal windows logon, the user has certain "access
rights"/priviliges that restrict his ability to perform certain tasks
or access certain directories. The logged on user also belongs to
secuirty groups ("admin","Guest", "User", etc.) that define what he is
able to do. Is there a way to programatically provide this
functionality to a WebSite and the hosting file system ?

No, because users, by default, all map to one account. you can make them
map to windows accounts, but there is no automagic tool (except perhaps
Commerce server) to create the windows accounts for you, so it is a
maintenance nightmare.

For instance when Vendor "x" logs on to the website, his Windows
security group would be changed to group "x" and Vendor "y"'ssecurity
group would be changed to group "y". Aslo the subdirectories for
these vendors,when created, would belong to the appropriate group.
These priviliges/"access rights" need to be changed using the VB.Net
"code behind" software.

Does this functionality exist with .NET?

You can create rules and use the membership bits, but to go about this
with directory security gets pretty sticky. Let's take just two vendors.

Vendor 1 has 200 customers, vendor2 has 300.

SO, now you set up directory security and file security. Initially,
vendor1 is the only one with directory access to his directory and
vendor2 with his. They both allow fileX in their directory to be served
up by their customers.

So, you now have to create windows logons for 500 additional people and
somehow map them to users.

This can be done with Commerce server quite easily, but I am not sure it
is still supported. And it does a strange proxy kind of thing.

A better solution would be to store the data in a database. A secondary
solution is have the actual file stored in the database. If you are
using SQL 2008, you can store it on the local drive with access from SQL
only, if that is what you desire. Then you can restrict based on roles.

As for a built in .NET secure files and directories and map to user
accounts in membership? There is none.

The short story is you are going to have to compromise somewhere. Either
compromise how you serve the doc, where you store the doc or work with
something like Commerce Server to serve up.

The only other way I can think of is SharePoint and using its CMS
features, but this means 100% of the customers have to be registered
users.

Peace and Grace,

 

[Islay Rodriguez Jr.]

I appreciate the time that you have taken to respond to my questions. I'm new
to website programming so there is allot that I don't understand. From what
you describing to me, I can't get different access rights for different user,
so I'll drop that idea.

You suggested the following:

If you make it so the files are always served up by a page, rather than

by http://mysite/hackme.doc, would that solve the problem?

http://mysite/trytohack.aspx?doc=hackme

Sorry, you don't have access.

I'm assuming "hackme.doc" is the document the user is trying to display. How
does "trytohack.aspx" display "hackme.doc" ?

Again thanks for your help.

Islay

 

[Gregory A. Beamer]

I appreciate the time that you have taken to respond to my questions.
I'm new to website programming so there is allot that I don't
understand. From what you describing to me, I can't get different
access rights for different user, so I'll drop that idea.

You suggested the following:

If you make it so the files are always served up by a page, rather
than

I'm assuming "hackme.doc" is the document the user is trying to
display. How does "trytohack.aspx" display "hackme.doc" ?

Again thanks for your help.

One way to do this is to have the page take the id and serve the page up.
Here are examples (in VB) of serving up a page:

http://snippets.dzone.com/posts/show/3510
http://aspalliance.com/259

I will have to find a C# example. The biggest takeaways are setting the
type must be set (Response.ContentType) and then you output the document in
the response stream (in the second example, the author is using WriteFile).

If these don't quite fit, there are people who use something like this:

http://mysite/imageProcessor.aspx?id=1

to serve up images. The process is identical, except the MIME type
(Response.ContentType) changes. You are still writing bytes to the reponse
stream so the user can view them as a document.

Peace and Grace,

 

[Islay Rodriguez Jr.]

Thanks,

This sounds like what I need.

I'm going to try to implement this, but It will take me alittle time to
assimilate this new concept.

I may have further questions later.

Thanks,