in IIS, Is there a way to define some kind of a filtering rule to deny access to files within a virtual directory unless the requests are "pre signed" by some sort of an encrypted query string? Also is there a way to make the request expire? I can't find a way to have control over this.
What I'm looking for is very similar to what Amazon S3 Amazon.S3.Model.GetPreSignedUrlRequest.Expires
property delivers, but in IIS. Here is a link to the Amazon S3 sample code.
Scenario of the desired goal:
Requesting: http://MyServerName/MyFolderThatIsAddedAsAVirtualDirectoryToDefaultWebsiteInIIS/MyImage.jpg should always result in "Access Denied" by default. However, having a particular query string appended to the request URL should give access to the file. Also, I need the URL to expire after a certain period of time until a new valid query string is provided.
You will need some sort of HTTP Module here to deal with this as there is custom logic to implement for QueryString matching and expiration.
public class HttpFilterModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.BeginRequest += context_BeginRequest;
}
void context_BeginRequest(object sender, EventArgs e)
{
var qs = HttpContext.Current.Request.QueryString["SomeKeyToCheck"];
var url = HttpContext.Current.Request.Url;
if (MatchesUrl(url))
{
if (!IsAuthenticatedByQueryString(qs))
{
HttpContext.Current.Response.StatusCode = HttpStatusCode.Unauthorized;
HttpContext.Current.Response.End();
}
}
}
private bool IsAuthenticatedByQueryString(string qs)
{
// implement code here to check qs value
// probably against a DB or cache of tokens
return true;
}
private bool MatchesUrl(Uri url)
{
// implement code here to match the URL,
// probably against configuration
return true;
}
}