
Working with Authentication and Authorization for imageresizer and IVirtualImageProvider

I'm using the http://imageresizing.net/ component to display images on my web application.

My problem is that users need to be (forms)authenticated before retrieving an image although I allow anonymous users.

I created my own implementations for VirtualImageProvider and VirtualFile by implementing their Interfaces:

    public class CustomVirtualImageProvider : IVirtualImageProvider, IPlugin
    {
        public bool FileExists(string virtualPath, NameValueCollection queryString)
        {
            return true;
        }

        public IVirtualFile GetFile(string virtualPath, NameValueCollection queryString)
        {
            var customVirtualFile = new CustomVirtualFile(virtualPath, queryString);

            return customVirtualFile;
        }

        public IPlugin Install(Config c)
        {
            c.Plugins.add_plugin(this);
            return this;
        }

        public bool Uninstall(Config c)
        {
            c.Plugins.remove_plugin(this);
            return true;
        }
    }

and

    public class CustomVirtualFile : IVirtualFile
    {
        private readonly string _virtualPath;

        public CustomVirtualFile(string virtualPath, NameValueCollection query)
        {
            _virtualPath = virtualPath;
            this.query = new ResizeSettings(query);
        }

        protected ResizeSettings query;

        public System.IO.Stream Open()
        {
            // Application-specific path service (its definition is not shown).
            var pathService = new ICustomImagePathService();

            string path = pathService.GetPhysicalPathByVirtual(_virtualPath);

            var fi = new FileInfo(path);
            if (!fi.Exists)
            {
                return null;
            }

            CurrentLogger.Logger.Debug("Processing: " + _virtualPath);

            var ms = new MemoryStream();
            using (var file = new FileStream(path, FileMode.Open, FileAccess.Read))
            {
                // CopyTo reads to the end of the file; a single Read call
                // may return fewer bytes than requested.
                file.CopyTo(ms);
            }

            // Rewind so the caller reads the image from the start.
            ms.Seek(0, SeekOrigin.Begin);

            return ms;
        }

        public string VirtualPath { get { return _virtualPath; } }
    }

In the web.config I've set up the DiskCache plugin:

    <diskcache dir="/ImageCache" />

This /ImageCache is a VirtualDirectory within IIS.

I'm using asp.net FormsAuthentication.

The requirement is users need to be authenticated when getting images from: https://myhost/i/userprofile/(guid).

Un-authenticated users/requests are allowed to get images from: https://myhost/i/public/logos/(guid).

To achieve this, I created these folders in my web application:

  • /i
  • /i/public

In these folders I've added a test default.aspx page and these web.config files:

/i

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>

/i/public

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </configuration>

Testing with the webpages works:

/i/default.aspx --> redirects to login page. Good.

/i/public/default.aspx --> shows the page. Good.

/i/userprofile/d39a2fe0-2f1d-9750-e8d4-ebbe0f87d790.jpg?w=50&h=50 --> redirect to login page. Good.

/i/public/applogo/297/3347df8d-ef47-4280-ac2d-75a740b5898e.jpg?w=100&h=100 --> redirect to login page. Not good.

Can someone help me with this issue? I want this last image to be shown to unauthenticated users.

Many thanks in advance.

I think you may be using URL Authorization incorrectly here. I think "?" means any authenticated user, but "*" means all users, including those unauthenticated.

You may also need to use <location> elements to ensure your configuration is specific to certain URLs.

Have you considered using IIS URL Authorization instead of ASP.NET URL Authorization? https://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization

I've got it working by making the following changes:

1) Changing the Anonymous Authentication Credentials (within IIS) from IUSR to the Application Pool Identity

2) Setting runAllManagedModulesForAllRequests back to "true". During testing I tried disabling it.

All by using ASP.NET Url Authorization.
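
How ASP.NET URL authorization evaluates the two web.config files from the question, as an added example that is not part of the original posts: a simplified Python model in which rules from the most specific folder are checked first, the first matching rule decides, `?` matches the anonymous user and `*` matches everyone. The function names and the rule table are assumptions made for this sketch, not ASP.NET APIs.

```python
# Simplified model of ASP.NET URL authorization rule evaluation.
# Added illustration: all names below are assumptions, not ASP.NET APIs.

# (action, users) pairs per folder, constructed from the two web.config
# files shown in the question.
FOLDER_RULES = {
    "/i": [("deny", "?")],
    "/i/public": [("allow", "?")],
}
# Machine-level default that ends every merged rule list.
DEFAULT_RULES = [("allow", "*")]


def merged_rules(url_path):
    """Rules from the deepest folder up to the root, then the default."""
    folder = url_path.split("?", 1)[0].rsplit("/", 1)[0]
    rules = []
    while folder:
        rules.extend(FOLDER_RULES.get(folder, []))
        folder = folder.rsplit("/", 1)[0]
    return rules + DEFAULT_RULES


def matches(users, user_name):
    """'?' is the anonymous user, '*' is everyone, else a name list."""
    if users == "*":
        return True
    if users == "?":
        return user_name is None
    names = [u.strip().lower() for u in users.split(",")]
    return user_name is not None and user_name.lower() in names


def is_authorized(url_path, user_name=None):
    """The first rule that matches the user decides; later rules are ignored."""
    for action, users in merged_rules(url_path):
        if matches(users, user_name):
            return action == "allow"
    return False


if __name__ == "__main__":
    # The four URLs tested in the question, requested anonymously.
    for url in ("/i/default.aspx", "/i/public/default.aspx",
                "/i/userprofile/d39a2fe0-2f1d-9750-e8d4-ebbe0f87d790.jpg?w=50&h=50",
                "/i/public/applogo/297/3347df8d-ef47-4280-ac2d-75a740b5898e.jpg?w=100&h=100"):
        print(url, "->", "allowed" if is_authorized(url) else "denied")
```

The model covers only the authorization rules themselves; IIS-level settings such as the anonymous identity and runAllManagedModulesForAllRequests, which the last post changed, are outside it.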
