Out of the box, it looks like there is no extra security for the chart files in the WebCharts other than the filename, which I assume is a random GUID. Is that correct?
Secondly, is there any designated folder where temporary files should be placed because that folder doesn't have read permissions assigned to it? It looks like I should use the App_Data folder.
Web Folder Security Questions
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: Web Folder Security Questions
Correct on webcharts. If you need additional security you could consider mapping PNG files to route through the ASP.NET engine, then putting a web.config and denying non-admin roles. In the future I hope to see us replace the charting engine with one that does not need to generate files, but finding a replacement that works in medium trust has been a challenge.
App_Data is a protected folder and won't be web browseable. It's a good place to write your data.
Cheers,
Logan
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
Re: Web Folder Security Questions
Thanks for the response Logan. I don't need the extra security for the webcharts. I'll put my files under App_Data as you suggested.
If you did need to improve the security for webcharts, I think you can build an HttpHandler to stream server files as though they were PNG files but name them .resources so .NET won't serve them up. But I haven't done it myself.
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: Web Folder Security Questions
True... or perhaps write the PNG files inside of App_Data, then create an ashx handler that would be referenced by the image tag. Then we could load and stream the data out, while taking advantage of ASP.NET roles.
But... it seems low risk as the file names are GUID and temporary in nature. I would like to use a different charting component. We have evaluated two commercial products but always run against the medium trust issue. Microsoft chart controls will probably be the replacement down the road since it will be native to .NET and not require external assemblies or have trust problems.
Cheers,
Logan
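A sketch of the approach discussed in this thread (chart PNGs written under App_Data and streamed by an .ashx handler behind an ASP.NET role check), added here as an example and not code from the product or from either poster. The handler name, the `~/App_Data/Charts` folder, the `Administrators` role, the `id` query parameter and the `<guid>.png` naming are all assumptions, and `Guid.TryParse` requires .NET Framework 4 or later.

```csharp
// ChartImage.ashx (hypothetical file name). In a single-file handler the first line is:
// <%@ WebHandler Language="C#" Class="ChartImageHandler" %>
using System;
using System.IO;
using System.Web;

public class ChartImageHandler : IHttpHandler
{
    // Assumed folder for generated charts; App_Data is not served directly by ASP.NET.
    private const string ChartFolder = "~/App_Data/Charts";
    // Assumed role name; substitute the role your site actually uses.
    private const string RequiredRole = "Administrators";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Authorize before touching the file system, so callers without the
        // role cannot use response differences to probe for file names.
        if (context.User == null || !context.User.Identity.IsAuthenticated
            || !context.User.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Accept only a GUID. The file name is rebuilt from the parsed value,
        // so "..", slashes and other path characters never reach Path.Combine.
        Guid id;
        if (!Guid.TryParse(context.Request.QueryString["id"], out id))
        {
            context.Response.StatusCode = 400;
            return;
        }

        string folder = context.Server.MapPath(ChartFolder);
        string path = Path.Combine(folder, id.ToString("D") + ".png");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Keep role-restricted images out of shared proxy caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.ContentType = "image/png";
        context.Response.TransmitFile(path);
    }
}
```

The page's image tag would then point at the handler (for example `ChartImage.ashx?id=<guid>`) instead of at a PNG in a browsable folder.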