Authorization on /document-viewer/GetDocumentPageImage

I’m trying to understand how to implement authorization on the GetDocumentPageImage when a user is viewing a page. Our initial request to render the viewer for a document has a check in our custom controller code, however this doesn’t impact subsequent requests to handler based rendering of thumbnails or pages.


Couple of questions:

  1. From the documentation (Replace HTTP Handlers) all request to the viewer outside of the initial loading are done through HTTP Handlers. If we set a an IPrincipal on the request to uthentication or not authenticated, would the Handler reject or deny those requests?

  2. Is it possible to replace the handler for /document-viewer/GetDocumentPageImage, to include a custom authorization check, could we then call into the base functionality for GetDocumentPageImage? Are there any code examples documentation to be had for this?
Any links to documentation would be appreciated.

Update: I can see we actually have the HttpHandlers disabled and are serving page requests out of GroupdocsViewerController. Same questions apply.

Thank you,

Mike

Hello Mike,

In general, GroupDocs.Viewer and its HTTP-handlers in particular don't have an authorization mechanizm - they simply obtain HTTP-request, perform some work (computation, processing etc.) and return a HTTP-response. They do not know and thus do not take into account any authentication tokens like ASP.NET cookie or URL token. That's why answer to your first question is - no, GroupDocs.Viewer don't care IPrincipal on the request.

As we understand, you want to put the web-page, where GroupDocs.Viewer widget is located, under "login/password protection", so only the authorized users can see the documents. In such case you need to create wrappers around all GroupDocs.Viewer HTTP-handlers, which take part in document rendering process. For image-based mode they are: "GetScriptHandler", "GetCssHandler", "ViewDocumentHandler", "LoadFileBrowserTreeDataHandler", "GetImageUrlsHandler", "GetDocumentPageImageHandler", "GetPdf2JavaScriptHandler". For other options like file downloading, printing, rotating etc you also need to wrap "GetFileHandler", "GetPdfWithPrintDialogHandler", "GetPdfWithPrintDialogHandler", "GetPrintableHtmlHandler", "ReorderPageHandler", "RotatePageHandler". For HTML-based rendering you also need several more HTTP-handlers, you can find all of them, for example, here: "How to use GroupDocs.Viewer for .NET in an ASP.NET Project"

The main idea of that wrapper is described here: "How to Replace HTTP Handlers to Set Up User Permissions in the GroupDocs.Viewer for .NET Library" You need to create your own HTTP-handler, which should supersede original handler. In your custom handler you check authorization status and if it is successful, you invoke the original handler.

About "GroupdocsViewerController". This controller is designed for ASP.NET MVC projects. For it, you don't need to specify HTTP-handler descriptors in web.config, but need to specify "Viewer.InitRoutes()" method. This method in fact is doing the next:

RouteCollection routes = RouteTable.Routes;
routes.MapRoute(
null,
"document-viewer/{action}",
new { controller = "GroupdocsViewer" }
);


So, in such case, for "overriding" original controller you need not to use "Viewer.InitRoutes()" method, but specify routes on one's own.

This way may be considered as a little bit harder, and it is not described in the manual, so you can use HTTP-handlers in MVC project without issues: just don't forget to specify ".UseHttpHandlers(true)" in the script loader helper parameters.

Best regards.

Hello Pavel,


Can you please provide some instructions on how to implement custom GroupdocsViewerController controller in MVC project?

So far I have added in RegisterRoutes in Global.asax:

routes.MapRoute(<o:p></o:p>

“GroupView”,<o:p></o:p>

“document-viewer/{action}”,<o:p></o:p>

new { controller = “DocsViewer” }<o:p></o:p>

);<o:p></o:p>


in Application_Start:

//Groupdocs.Web.UI.Viewer.InitRoutes();<o:p></o:p>

RegisterRoutes(RouteTable.Routes);<span style=“font-size:10.0pt;line-height:
107%;font-family:“Segoe UI”,sans-serif”><o:p></o:p>


And a new controller class

public class DocsViewer : Groupdocs.Web.UI.Controllers.GroupdocsViewerController<o:p></o:p>

{

}<o:p></o:p>


<span style=“font-size:10.0pt;line-height:107%;font-family:
“Segoe UI”,sans-serif”>

<%= Viewer.CreateScriptLoadBlock().LoadJquery(true).LoadJqueryUi(true).UseHttpHandlers(false) %><span style=“font-size:10.0pt;font-family:
“Segoe UI”,sans-serif”><o:p></o:p>

But I get an error: The controller for path ‘/document-viewer/CSS/GetCss’ was not found or does not implement IController.

I need to add security so that only authorized users can access these methods.

Thank you!

Hello Deric,


Thank you for the request. For how to use Viewer in the MVC project please check this article .

Best regards.

Hi Pavel,

I have successfully implemented Viewer in MVC project.

Could you please provide some instructions how to override GroupdocsViewerController for security purposes (mentioned in post 8552)?

Thank you!

Hello Deric,


I’m glad to hear that you have successfully implemented Viewer. As for the security please check this documentation especially “Implementing an HTTP Module for Providing Security Services” it will describe how to handle authentication.

About override - please check this article

Best regards.

Thank you for the links, Pavel.

If I understand you correctly, I cannot override GroupdocsViewerController in MVC application and have to use handlers instead?

<%=Viewer.CreateScriptLoadBlock().LoadJquery(true).LoadJqueryUi(true).UseHttpHandlers(false)%>


UseHttpHandlers

if true, the Viewer uses its ASP.NET HTTP-handlers to handle requests; if false, the Viewer uses its ASP.NET MVC controller to handle requests.

Hi again,


No, you have missunderstand me, sorry for not clear description. You can override it as described in the common ASP.NET documentation (because it’s a basics). You just need to create your own class which will extend GroupDocs.Viewer class with your custom security functional and add route for it in to the Viewer.InitRoutes method.

As for the handlers - I have shared it with you as an alternative way and should should select which one is more simple and suitable for you. And yes, if you will choose this approach you will need to set .UseHttpHandlers(true).

Best regards.

Hi Pavel,


I can’t override methods in GroupdocsViewerController class (please see attached).
Is there another class that I can use?

Thank you!

Hello Deric,


In such case you can do next: create some wrapper around the controller, which will check authorization, and if it is successful, then pass parameters to the controller.

Best regards.

Hi Pavel,


I have added custom controller with new methods and new routing in this project.
Can you please take a look and let me know why viewer is not working?

Thank you!

Hello Deric,


Sorry for the delay and thank you for the project example. We will investigate and fix it for you. Then we will come back to you.

Best regards.

Hello Deric,


Sorry that this taken so many time. But when we tried to fix your issue we found out a bug in our library. It means that you can’t use ViewerController in such approach. The issue will be fixed in the Viewer 2.16.0 and example project will be also created for this feature.

As a workaround you can use approach which we described in our previous posts - you need to create wrappers around all GroupDocs.Viewer HTTP-handlers, which take part in document rendering process. For image-based mode they are: “GetScriptHandler”, “GetCssHandler”, “ViewDocumentHandler”, “LoadFileBrowserTreeDataHandler”, “GetImageUrlsHandler”, “GetDocumentPageImageHandler”, “GetPdf2JavaScriptHandler”. For other options like file downloading, printing, rotating etc you also need to wrap “GetFileHandler”, “GetPdfWithPrintDialogHandler”, “GetPdfWithPrintDialogHandler”, “GetPrintableHtmlHandler”, “ReorderPageHandler”, “RotatePageHandler”. For HTML-based rendering you also need several more HTTP-handlers, you can find all of them, for example, here: “How to use GroupDocs.Viewer for .NET in an ASP.NET Project”

The main idea of that wrapper is described here: “How to Replace HTTP Handlers to Set Up User Permissions in the GroupDocs.Viewer for .NET Library” You need to create your own HTTP-handler, which should supersede original handler. In your custom handler you check authorization status and if it is successful, you invoke the original handler.

Summing all these: you have two variants - 1. Wait for the new version of the library with example project. 2. Use HTTP handlers approach.

Best regards.

Hello Pavel,


Thank you for your hard work on this! We are looking forward to the fix in new version of library. In the meantime could you please provide me with ticket number (I can’t see it here) or should I open another thread that could be flagged with issue number since I am not the original poster here?

Hi Deric,


Thank you for understanding. Please try to refresh the web page with this thread , looks like you see cached version, the ticket attached to the first post.

Best regards.

Hi Pavel,


I have deleted cache, but I still can’t see ticket information (attached is screenshot). Is it because another user has started this thread?

Hi again,


Yes, could be that it’s a reason of why you can’t see it. Create a new thread and I will attache ticket id to it.

Best regards.