
Here's what we're trying to do:

Our React SPA is calling the API of a 3rd party ASP.NET application running in the user's intranet. The user authenticates against the application using his AD credentials. The current API returns paths to local (intranet) files and resources (among other data, of course). We should allow the users of our webapp to download/open these files from their browser.

As accessing the path from the browser directly (`<a href="file://share/my/folder/myfile.pdf"> Open </a>`) does not work due to security reasons, the only way I can think of is to request a new API endpoint from the 3rd party to read the file in the backend and stream it. But as I'm not familiar with .NET and IIS, I don't know if it's possible to read the file with the permissions of the currently logged in user. I read about impersonation & delegation but couldn't figure out if it would work in our case and whether it's safe to use. Can it be used for this operation only, without affecting the rest of the API?

To sum up: Is it reasonable to request this from the backend? Or is there an alternative that we can implement in the frontend?

Timi
  • if `file://` is restricted, what about `http://`? – Nick.Mc Sep 10 '19 at 10:18
  • Are you trying to reinvent SharePoint? If you're going to deploy a web app that lets its users download files from an SMB share, then you're going to run into trouble. Because they will download a _copy_. So if someone clicks on a Word document, their browser downloads it from your API, and they start editing it. When they hit Save and close Word, their changes will not be propagated back to the share. You really got to reconsider your requirements. – CodeCaster Sep 10 '19 at 10:26
  • @CodeCaster, no, our main requirement is searching for information on the intranet (aggregating various sources of data). Users can then open the original documents/emails/webpages associated with search results. The main use case is reading the available data, not updating it. But you have a valid point, we should warn the users that their potential changes will not be saved back automatically. – Timi Sep 10 '19 at 11:49
  • @Nick.McDermaid, I don't really understand your question... Local file access is restricted from the browser (at least in Chrome) - see https://stackoverflow.com/questions/28724751/open-local-filesfile-using-chrome. HTTP is obviously not. That's why the solution is to serve the file through HTTP from the backend, but we need to consider the permissions of the user. – Timi Sep 10 '19 at 12:04
  • I'm probably missing something here but if you set up a virtual directory in IIS pointing at a folder full of files, you can open those files through a browser (over `http:`, not `file:`). I'm not 100% on preserving the windows authorisation but I imagine it should be possible. – Nick.Mc Sep 10 '19 at 12:13
  • Right, except I need to be able to access files from anywhere in the network. More precisely, an admin can configure the locations that are indexed by the application and from where search results will show up. This is done in an administration UI - can it perhaps be linked to adding a virtual directory in IIS automatically, without a restart? – Timi Sep 10 '19 at 12:28
  • "I need to be able to access files from anywhere in the network." you can. The files are served through IIS (it's easiest if IIS is on the same server as the files but you can create a virtual directory on a remote share). Anyone on the network can access IIS. So if you can get your mystery app to generate a URI that reflects that instead it should all work. – Nick.Mc Sep 10 '19 at 12:44
  • Adding a new network location in the admin UI - "can it perhaps be linked to adding a virtual directory in IIS automatically, without a restart?" – Timi Sep 11 '19 at 06:47
  • I don't know anything about the capabilities of your app. Why don't you experiment with _Directory Browsing_ in IIS? It doesn't need to be done this way but it'll get you started. – Nick.Mc Sep 11 '19 at 09:28
  • Well, thanks for the tips, I'll explore more in this area. You could add an answer with the virtual directory solution. – Timi Sep 11 '19 at 13:59
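
One way to scope impersonation to a single file-streaming endpoint, which is what the question asks about; this is an added example, not part of the original thread or the third-party application. It assumes ASP.NET Web API 2 on .NET Framework 4.6 or later with Windows Authentication enabled in IIS; the controller name, the `IndexedRoots` list and its sample share are hypothetical, and files on a remote server additionally need Kerberos delegation configured for the application.

```csharp
// Added example, not the third-party application's code.
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Web.Http;

[Authorize]
public class FileDownloadController : ApiController   // hypothetical controller name
{
    // Assumption: the roots an admin configured for indexing (constructed sample value).
    // The trailing separator keeps "\\share\my\folder2" from matching.
    private static readonly string[] IndexedRoots = { @"\\share\my\folder\" };

    [HttpGet]
    public HttpResponseMessage Get(string path)
    {
        string fullPath;
        try { fullPath = Path.GetFullPath(path); }   // collapses ".." segments before the check
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException || e is PathTooLongException)
        { return Request.CreateResponse(HttpStatusCode.BadRequest); }

        // Serve only files below a configured root, never an arbitrary path from the client.
        if (!IndexedRoots.Any(r => fullPath.StartsWith(r, StringComparison.OrdinalIgnoreCase)))
            return Request.CreateResponse(HttpStatusCode.Forbidden);

        // Without Windows Authentication the identity is not a WindowsIdentity and this is null.
        var caller = User.Identity as WindowsIdentity;
        if (caller == null)
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        try
        {
            // Only the open runs under the caller's token, so the file's ACLs decide access.
            // The rest of the request keeps the application pool identity.
            FileStream file = WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
                new FileStream(fullPath, FileMode.Open, FileAccess.Read, FileShare.Read));

            var response = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StreamContent(file) };
            response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
            response.Content.Headers.ContentDisposition =
                new ContentDispositionHeaderValue("attachment") { FileName = Path.GetFileName(fullPath) };
            return response;
        }
        catch (UnauthorizedAccessException) { return Request.CreateResponse(HttpStatusCode.Forbidden); }
        catch (IOException) { return Request.CreateResponse(HttpStatusCode.NotFound); }
    }
}
```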

0 Answers