OK, next question. As you might remember I've got my application help behind its login by having a handler for htm/l files. If I create anchor tags going straight to the mp4 files, this bypasses the login requirement. My first thought was to have a "showvideo.html" page where I pass the name of the mp4 file I want to play as part of the request. But it also occurs to me I could setup a custom handler in IIS for mp4 files, similar to what was done for html?
Your thoughts greatly appreciated.
TIA
Yes you can create a custom image handler in .NET that can serve the image for you and potentially deal with the authentication.
However, if you are accessing the image/video from within an authenticated context, that authentication should extend to the video/image in the same way as other resources. so I'm not sure what the issue is - it's just a file in a folder that should be able to inherit the security of the host page/site.
+++ Rick ---
What I've found is that if I am directly referring to an asset such as an image (www.website.com/images/any.jpg), it is not requiring auth. The same appears to be true when directly referring to an mp4. This is why I assume my options are to wrap in an html page as I already have a handler for that (which you helped me setup), or add a handler specifically for mp4s. Of course, this could also mean I have something screwy in my usersecurity implementation...
if you enforce security through the application then yes - static resources are not affected by that authentication, meaning you can just access them.
If you need to do this then can do this with a .NET module that can basically sit in between every request to check for authentication in some other way (typically a token passed in on the URL).
I've done this exact thing recently in a SPA application for a client, where we need to have access to user specific resources (images, signatures etc.). Instead of serving images directly we serve them indirectly through the module. Something like this:
https://site.com/imageresource?t=41322asdasd1231323123&r=/user/video.mp4
where t is a token that can be validated against the user's authentication and r is the resource to view. Note that typically you'll use a path specifier, but this is specifically not going to match an actual path - ie. /user/video.mp4 doesn't exist on the site, but rather it's an abstraction to some other location where the actual resources are stored.
FWIW, you can also use FoxPro and Web Connection for that processing URL - it doesn't have to be .NET, but I would prefer that in my applications as it would offload the image processing away from FoxPro's limited scalability of simultaneous requests, plus it'll be much more efficient natively inside of IIS which can just point at a different resource rather than loading into memory and serving from there.
+++ Rick ---
Thanks, Rick. I do want to continue to allow access to JPGs. What I want behind app security is the MP4s. As I'm embedding the anchors into my help it's probably a faster path for me to come up with a simple hmtl page to pass through the request as the process class will authenticate those requests.
In a similar scenario, I copied the mp4 into a real folder but with a random name. After a relatively short time this copied mp4 file was deleted. Not 100% secure, but it was more than enough in my case.
What you do in the handler that serves the images is up to you. So if you want to serve only .MP4 you can certainly do that. More specifically if you do it in Fox you have to call another URL (ie. ImageHandler.myapp). If you want to do this generically (ie. look at all .mp4 file or or all files in a specific folder etc.) then you have to build a module in .NET that lets you look at each file request (including static files) and inject the authentication in between.
The problem with the .NET module is how you get the FoxPro based authentication data. You need some shared data store that you can check for validating the user. Probably you'd need to:
- Read the Web Connection Session Cookie
- Use SQL or FoxPro data to lookup a key that matches the key
In the application I mentioned earlier we used a token passed on the query string. The token is passed by the client (which has an Auth id) app (actually automated in the headers since this is a SPA app), and the .NET code then validates the token against a SQL Server database. When a user logs in we create a token for that user in this database and remove it or time it out when they exit. If the token exists and is not expired - good to go and pass throguh the image. Otherwise throw a 401 Not Authorized
It sounds more complicated than it really is but basically if you pass off to .NET the key is that you have some way to let .NET validate the authentication and you need some way to make that authentication accessible in .NET (Session cookie probably works although I've not tried that).
+++ Rick ---