FileServerMiddleware with credentials?

Question

We have the requirement in our enterprise environment to serve static file content from a network share in our ASP.NET Core application. Basically, it gets served under some sub path /content. For this, we have the following code, which works fine:

app.UseFileServer(new FileServerOptions
{
    FileProvider = new PhysicalFileProvider("//our/network/share"),
    RequestPath = new PathString("/content"),
    EnableDirectoryBrowsing = false
});

Now in production the system user under whose context the web application is hosted has no access to the file share. Thus, we have to use a certain technical domain user to access the files and for this we have to provide credentials (username/password) of this system user to the file server.

Unfortunately, we did not find an option to provide credentials to UseFileServer(). Is it anyway possible?

Answer 1

According to the documentation for UseFileServer it combines the functionality of among other things UseStaticFiles. According to the middleware documentation, the static file module provides no auth checks. They do give you some options on how to accomplish file serving with authorization (again from the middleware docs):

If you want to serve files based on authorization:

1. Store them outside of wwwroot and any directory accessible to the static file middleware.
2. Deliver them through a controller action, returning a FileResult where authorization is applied.

Not sure how you are going to pass the username/password to the server. If you plan to use something like basic authentication (and don't want to use the methods outlined above), you can probably modify the headers (when serving the static files) to accomplish the desired effect, but that is a workaround and probably not a good idea.

Answer 2

I would use middleware to protect contents. I will try to write simple example(I assumed you are using any authentication middleware to authenticate your users and my example is for static files).

-- Below code is untested and is just for an illustration--

First, you need to create a middleware something like this:

public class ProtectFileMiddleware
{
    private readonly RequestDelegate _next;

    public ProtectFileMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        if (context.Request.Path.StartsWithSegments("/protected"))
        {
            if (!context.User.IsInRole("Admin"))
            {
                await context.Authentication.ChallengeAsync();
                return;
            }
        }
        await _next(context);

    }
}

and use this middleware like below:

    public void Configure(IApplicationBuilder app)
    {
        app.Use(?)Authentication();// it depends on your design
        app.UseMiddleware<ProtectFileMiddleware>();
        app.UseStaticFiles();

        // other
    }

Result: if you try to access /protected url as an admin user, you will get expected response otherwise you will take a 401/403 response.

For more flexible way take a look at http://odetocode.com/blogs/scott/archive/2015/10/06/authorization-policies-and-middleware-in-asp-net-5.aspx

Answer 3

Yeah, those answers assume you're asking about client credentials. What you really need is a IFileProvider implementation that has credentials to access a specific resource. I don't know that .NET is very good at accessing files as different users, it usually relies on impersonation. See How to present credentials in order to open file?