5
<img src="~/static/img1.jpg" />

I used this article to enable static files and these code doesn't work.

[Authorize]
public IActionResult BannerImage()
{
     var file = Path.Combine(Directory.GetCurrentDirectory(), 
                        "MyStaticFiles", "images", "banner1.svg");

      return PhysicalFile(file, "image/svg+xml");
 }

Also another article didn't help. But I don't know how to make images available only to authorized users?

UPDATE

I added to Configure the WWWROOT as a static directory to set cache headers

 app.UseStaticFiles(new StaticFileOptions
 {
    FileProvider = new PhysicalFileProvider(
    Path.Combine(Directory.GetCurrentDirectory(), "WWWROOT"))
 });
 app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(
Path.Combine(Directory.GetCurrentDirectory(), "MyStaticFiles")),
        OnPrepareResponse = x =>
        {
            if (x.Context.User.Identity.IsAuthenticated)
            {
                return;
            }

            x.Context.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
        }
    });

Then authorization stop working.

yW0K5o
  • 913
  • 1
  • 17
  • 32
  • you may also find answer in [Static file authorization](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-2.1&tabs=aspnetcore2x#static-file-authorization) documentation – Set Jul 28 '18 at 19:18
  • I added this link to my question. Suggestions in the link are not working. – yW0K5o Jul 28 '18 at 19:26
  • 1
    Set, this is not a duplicate bc he is not trying to introduce some complex path authenticaion. – alsami Jul 28 '18 at 20:42
  • You have to only have one usestaticfile call. Combine them and everything should work. I am not sure if you are able to use two different directories. Static files should always be in wwwroot. – alsami Aug 01 '18 at 15:01
  • @alsami, My static files are located outside of the project. When I use the only one UseStaticFiles authorization works but also WWROOT directory's css/js files are blocked. – yW0K5o Aug 01 '18 at 15:09
  • This [answer](https://stackoverflow.com/a/45272058/3394380) calls UseStaticFiles twice. – yW0K5o Aug 01 '18 at 15:30
  • Possible duplicate of [How do I serve static files only to authorized users?](https://stackoverflow.com/questions/36775942/how-do-i-serve-static-files-only-to-authorized-users) – Dominus.Vobiscum May 29 '19 at 19:32

1 Answers1

6

Just do this

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseStaticFiles(new StaticFileOptions
        {
            OnPrepareResponse = x =>
            {
                if (x.Context.User.Identity.IsAuthenticated)
                {
                    return;
                }

                x.Context.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
            }
        });
        app.UseDefaultFiles();
    }
alsami
  • 8,996
  • 3
  • 25
  • 36
  • I added WWWROOT directory by using another instance of UseStaticFiles and the authorization code you proveded stop working. – yW0K5o Aug 01 '18 at 14:50
  • I don't know what you mean with you added another instance. – alsami Aug 01 '18 at 14:51
  • I updated the question with the new details. Thanks ! – yW0K5o Aug 01 '18 at 15:00
  • I start using exception instead of returning HTTP status code. Before `x.Context.Response.StatusCode = (int)HttpStatusCode.Unauthorized; ` After `throw new UnauthorizedAccessException();`. It works well. – yW0K5o Aug 05 '18 at 13:05
  • 1
    This will work only if the authentication scheme being used is the default authentication scheme, otherwise `HttpContext.User` will not be updated (see [this issue](https://github.com/aspnet/Security/issues/1318)). – Dominus.Vobiscum May 29 '19 at 19:30
  • How do you protect static files when the default authentication scheme is JWT? This doesn't work, I've tried implementing a middleware using custom authorization policies too. This only works if cookie authentication is enabled. – Nexus Aug 03 '20 at 08:57
  • **THIS METHOD DOES NOT WORK!** [It just changes the status code!](https://dev.to/j_sakamoto/how-can-i-protect-static-files-with-authorization-on-asp-net-core-4l0o#static-files-middleware-builtin-aspnet-core-provides-a-good-hook-point) – SWdV Sep 22 '21 at 22:29