How to secure a folder containing HTML5 videos by Kentico Role

Gregg Duncan asked on December 9, 2020 20:44

Here's the scenario: We have many HTML5 videos (each video is a folder containing and HTML page and all the assets in subfolders to run an interactive video). I need to create a page with a repeater that will show a list of links which when clicked, will play the selected video. However, these video's are NOT for public consumption.

My plan is store the videos in a folder on the web server. Then create a custom table storing the path and name of the video and use a custom table repeater on the page. I can add security to the page containing the repeater so that only those with the proper kentico role can view the page. So far so good.

The problem is that if someone clicks a link in the repeater and goes to the video. They can then copy the URL and send it to anyone who can then access the video without event being logged into kentico because the access to the folder is comes from the App Pool user not from a kentico role.

How can I store these videos on the webserver and display them to the authorized users but protect them from unauthorized access? Or is there a better way to accomplish this goal?

Recent Answers

Juraj Ondrus answered on December 10, 2020 12:24

I would try using the web.config configuration as for any other application and physical paths, like:
< location path="/somepath" >
< system.web > < authorization>
< deny users="?" />
< /authorization>
< /system.web>
< /location>

You can also add it through the IIS console and specify users or roles.

0 votesVote for this answer Mark as a Correct answer

Gregg Duncan answered on December 10, 2020 21:19

Thanks Juraj. For anyone else with a similar issue, I found a working solution using the IIS Url Rewrite module.

If a request comes through IIS for the folder containing the videos and the HTTP_REFERER is not my domain. Then I rewrite the url to point to the pages containing the links. They can then click the link to view the video. If the user is not logged in they get sent to the login page. Those without access will be denied by the login page.

The rewrite rule looks like this:

<rewrite>
    <rules>
        <rule name="Protect Videos" enabled="true" stopProcessing="true">
            <match url="^TrainingVideos/.*" />
            <conditions>
                <add input="{HTTP_REFERER}" pattern="https://mydomain.com/.*" negate="true" />
            </conditions>
            <action type="Rewrite" url="Home/Training" appendQueryString="false" />
        </rule>
    </rules>
</rewrite>
0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.