This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 25%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
I implemented a solution in Blazor webassembly that allows the user to upload an image and store the file on the server and the filepath in the database. When I load the image on client I send the image from the sever to client as bytes and transform the image bytes in a base64 string and display the image. This works well but from what I read, this is not a good practice because the base64 tranformation is increasing the file size by 30% and the images cannot be cached on client. I would want to let the browser download the file from the server path and display the image. My questions are the following:
How do I set the server 'root' location in order for the browser to know where to get the files ? I'm using IWebHostEnvironment on the server to get the local path.
Is there any way to secure the files to allow only the authorised user to download the files from the server ?
Should I add the images in the same folder as the solution or I should make a different folder outside of the solution ?
I'm currently using IIS Server with ASP.NET CORE 5 in a Blazor WebAssembly solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
as the permission is tied to the value of a passed parameter, it would be difficult to do a generic solution.
You action could return the image as file, then you Blazor code sets an image src the webapi action urls.
If you want to use the static file handler, be sure to configure security before the static handler. Put the images in a folder under wwwroot.
The index page should have set the base ref, so you just use /folder/imagepath
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 52%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFH%3C/text%3E%3C/svg%3E)
Is there any way to secure the files to allow only the authorised user to download the files from the server ?
Hi @Daniel Avadanei , to achieve your requirement of protecting/securing static files, as @Bruce (SqlWork.com) mentioned, you can try to create a controller action method with the [Authorize] attribute to serve those static files by return a FileResult object, like below.
[HttpGet("/FetchImageAndVideo/{type}/{filename}")]
[Authorize]
public IActionResult FetchImageAndVideo(string filename, int type)
{
//...
//code logic here
//...
var contentType = type == 1 ? "image/jpeg" : "video/mp4";
var filePath = Path.Combine(_env.ContentRootPath, "MyImagesAndVideos", $"{filename}");
if (!System.IO.File.Exists(filePath))
{
contentType = "image/jpeg";
filePath = "default_notfound_image_path_here";
}
return PhysicalFile(filePath, contentType);
}
Accessing a specific file from frontend code, like below.
src="https://xxxxx/FetchImageAndVideo/2/mytestvideo.mp4"
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
With Regards,
Fei Han
I understand the authorize header, but how do I also verify the identity of the user that is trying to acces the resource ? Users should not access the images/videos that do not belong to them. What I did was to verify that the bearer token sent in the http header was issued to the user that is trying to acces the resource but this is also requiring another call to the database in order to check the association between the user identity and the resource. I there any way I could user the Authorize attribute to do that ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 79%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I may be wrong but, for that, I think that you should inject your authentication state provider by creating a public property of AuthenticationStateProvider type and populating it via the constructor
public AuthenticationStateProvider UserStateProvider { get; set; }
public MyControllerClassName( AuthenticationStateProvider stateProvider /*, Whatever arguments you have*/)
{
UserStateProvider = stateProvider;
// [ . . . ]
}
ASP.NET takes that as a dependency injection and inject the proper dependencies to your controller
After that, you can use your UserStateProvider to get the current user id and do whatever types of checks you want