Serving files outside wwwroot (non-url-accessible)

I am looking for functionality in IIS that is similar to <cfcontent> in that I can hand back any file the web server has access to, not just ones that are URL-accessible and mapped within IIS.  Basically I want IIS to be able to serve non-URL-accessible files. Does anyone know a way to do this? -James

IIS is a web server, all it does is serve files that are web accessible. Unless you're performing some kind of logic (user authentication, for example) in conjunction with serving the protected content (which IIS can't do), there is no reason not to make it web accessible directly. The best you can do is extend the web accessible content to other directories with virtual mappings (aliases, in Apache-speak).  That will let you map an arbitrary directory on the server to a specific directory path on the URL, thereby adding that directory to your web space, even though it's not in the web root. Cheers, barneyb ----- Excess quoted text cut - see Original Post for more -----

Barney, Thanks for the quick reply!  Yes, I do have user authentication in place and serve certain files using <cfcontent> only when the user is logged in.  I am looking for a way to accomplish the <cfcontent> part totally within IIS. Perhaps using an ISAPI filter extension? -James

... also, in order to protect the files, I don't want to use virtual mappings. -James

You pretty much have to do the user authentication and the checking of credentials before serving the file with the same system (CF in this case). You can get around it in certain situations (like using basic authentication and the CFLOGIN tag), but mostly you cant. You can certainly offload both tasks to IIS, but I'm pretty sure IIS can only secure stuff based on OS user accounts, which may or may not work in your case.  You'd just set up a virtual mapping to that folder, and then on that mapping, disallow anonymous access.  Then users would have to log in before they could get any files from there. However, if you don't want to use a virtual mapping, and the files aren't in your web root, then IIS can't serve them.  End of story.  You'll have to use some kind of plug in (like ColdFusion or ASP) to do it for you. Cheers, barneyb ----- Excess quoted text cut - see Original Post for more -----

This might be of some help to you... http://www.flicks.com -Novak You pretty much have to do the user authentication and the checking of credentials before serving the file with the same system (CF in this case). You can get around it in certain situations (like using basic authentication and the CFLOGIN tag), but mostly you cant. You can certainly offload both tasks to IIS, but I'm pretty sure IIS can only secure stuff based on OS user accounts, which may or may not work in your case.  You'd just set up a virtual mapping to that folder, and then on that mapping, disallow anonymous access.  Then users would have to log in before they could get any files from there. However, if you don't want to use a virtual mapping, and the files aren't in your web root, then IIS can't serve them.  End of story.  You'll have to use some kind of plug in (like ColdFusion or ASP) to do it for you. Cheers, barneyb ----- Excess quoted text cut - see Original Post for more -----   _____  

> You pretty much have to do the user authentication and the > checking of credentials before serving the file with the same > system (CF in this case). > You can get around it in certain situations (like using basic > authentication and the CFLOGIN tag), but mostly you cant. I'm sure you realize this, but it's worth pointing out that this doesn't really get around IIS authentication, it just makes it easy to integrate IIS authentication with your CF application. > You can certainly offload both tasks to IIS, but I'm pretty > sure IIS can only secure stuff based on OS user accounts, > which may or may not work in your case.  You'd just set up a > virtual mapping to that folder, and then on that mapping, > disallow anonymous access.  Then users would have to log in > before they could get any files from there. By default, this is correct, although there are third-party ISAPI filters which will allow you to authenticate against something other than the operating system itself. CoolFusion has one, I believe. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444

> Thanks for the quick reply!  Yes, I do have user > authentication in place and serve certain files using > <cfcontent> only when the user is logged in.  I am looking > for a way to accomplish the <cfcontent> part totally within > IIS. Perhaps using an ISAPI filter extension? You could certainly write an ISAPI filter which would do this - basically, it would take requests for a specific URL pattern, and respond to those requests by returning a specific file. However, I'm not sure why you can't just make those files web-accessible, if you're going to do that. If the point is to rely on IIS authentication, you can enable this within the IIS Management Console on a per-directory or even per-file basis. If the point is to avoid IIS authentication and act as the IIS anonymous login user, the ISAPI filter wouldn't add any useful functionality to that process, as it would then take any request, authenticated or not, and respond the same way. Or am I missing something with your question? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444

I want to totally avoid IIS authentication.  I'm using my own non-OS username/password authentication method on a separate server which my download server will invoke when a request is made.  Once the request is authenticated successfully, I want to serve the file out of a non-web-accessible folder on the download server.  Thus I can't make the folders web-accessible because they would be open for anyone to download anonymously. No CF service is installed on my download server; so I suppose the solution would be to use an ASP script to send the file as Barney suggests. -James

But by serving the file out...doesn't that essentially make it web accessible?  You're accessing the file via the web.  That makes it web accessible.  It may not be directly accessible, but it's still accessible. John I want to totally avoid IIS authentication.  I'm using my own non-OS username/password authentication method on a separate server which my download server will invoke when a request is made.  Once the request is authenticated successfully, I want to serve the file out of a non-web-accessible folder on the download server.  Thus I can't make the folders web-accessible because they would be open for anyone to download anonymously. No CF service is installed on my download server; so I suppose the solution would be to use an ASP script to send the file as Barney suggests. -James

----- Excess quoted text cut - see Original Post for more ----- There are, of course, always alternatives. You might get a third-party ISAPI filter that lets you perform authentication using your own scheme. Or, you could create symbolic links to specific non-web-accessible directories, and destroy those links after some set period of time. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444

John, Yes, in effect they are web-accessible -- but only after the user has been authenticated by my auth server. Dave, I was hoping to avoid the link method because of what's involved with the cleanup overhead.  But that's definitely a possibility.  Thanks for the tip. - Really what I'm after is a compact method of serving non-web-accessible files using my own authentication without too much overhead on ther download server.   If I could have done it all in IIS, that would have been nice.  Apparently that doesn't look possible.  But it looks like the ASP method will take very little overhead.  Don't you think? -James

James, Did you go and take a look at Authentix or WebQuota over on the Flicks Software site?  I've used that in the past without any problems.  Works well... http://www.flicks.com -Novak John, Yes, in effect they are web-accessible -- but only after the user has been authenticated by my auth server. Dave, I was hoping to avoid the link method because of what's involved with the cleanup overhead.  But that's definitely a possibility.  Thanks for the tip. - Really what I'm after is a compact method of serving non-web-accessible files using my own authentication without too much overhead on ther download server.  If I could have done it all in IIS, that would have been nice.  Apparently that doesn't look possible.  But it looks like the ASP method will take very little overhead.  Don't you think? -James   _____  

> Really what I'm after is a compact method of serving > non-web-accessible files using my own authentication without > too much overhead on ther download server.  If I could have > done it all in IIS, that would have been nice.  Apparently > that doesn't look possible.  But it looks like the ASP method > will take very little overhead.  Don't you think? I suspect it'll take just as much overhead as using CFCONTENT. What are you using as an "auth server"? Why not look into third-party authentication modules? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444

Sorry, but I'm not at liberty to talk about the authentication.  I can't use CFCONTENT because CF will not be installed on my download server. Thanks VERY much guys for all of your help!! -James

Haven't really been following the thread, but..... Why not set your files into a file outside the wwwroot, but make sure the CF service account has read access to that folder.  Then, you can use cfcontent to push the file to the client, or use cffile to read the file then use the contents to create the output.  Both these methods would allow you to apply your custom authentication first, yet the end user would not be able to navigate directly to the the file. My appologies if this method has been discussed already. Shawn But by serving the file out...doesn't that essentially make it web accessible?  You're accessing the file via the web.  That makes it web accessible.  It may not be directly accessible, but it's still accessible. John I want to totally avoid IIS authentication.  I'm using my own non-OS username/password authentication method on a separate server which my download server will invoke when a request is made.  Once the request is authenticated successfully, I want to serve the file out of a non-web-accessible folder on the download server.  Thus I can't make the folders web-accessible because they would be open for anyone to download anonymously. No CF service is installed on my download server; so I suppose the solution would be to use an ASP script to send the file as Barney suggests. -James   _____