Check if a Word doc is password protected prior to uploading it to a web site

I apologize for the delay between blogs.  Switched jobs within Microsoft last December and moved from Texas to Southern California as part of that transfer.  Needless to say, I've been insanely busy :-)

Anyway...this was an interesting question I received a couple months back and have been meaning to blog about it.  The problem:  How can you check if a Word document is password protected when uploading it to an ASP.Net based application? 

This may not seem that could upload the file to the server, then load the Word Object Model on the server and check some properties.  Not so fast there!  The problem with this approach is that leveraging the Office Object Model in a service based process [i.e. non-interactive] is not supported.  Someone wrote a Knowledge Base article on this, and if you call in to support for help with a hanging ASP.Net application and you are automating Office, this will likely be the link you will receive in the email explaining what's going on: 

257757  Considerations for server-side Automation of Office;EN-US;257757

Without being able to load the Office DLL's into the ASP.Net application pool, this leaves you with running some code on the client to perform the check.  I came up with a sample that leverages JavaScript, a .Net Winform control running in the browser, and a File Upload control to do this work.  The idea was to only leverage the .Net Winform control to check if the file was password protected.  The sample also shows how to handle events across the Winform control and JavaScript. 

The general process is:

  1. User types in or selects a file by clicking the Browse button generated by the File Upload HTML control
  2. When the focus moves away from this control, JavaScript runs that sets a public property on the WinForm control to the FileName the person is uploading.
  3. When the user clicks Submit, which is the WinForm control, code runs to open the Word Document to determine that the file is password protected.  If the file is not password protected, the OnSubmitClick event is fired.
  4. There is JavaScript in the ASPX page that listens for the OnSubmitClick event and submits the form when this fires.  This posts the file to the server.

The code is a sample, there could be more checks to ensure that Word is installed on the box and ensuring that they are selecting a supported file extension, but the idea is the same.  The Submit button or file upload control could use some look-and-feel changes to make them look the same.  There are two projects in the attached Zip file:

  • Uploader – this is the WinForm project.  The .cs file is commented with the details.
  • UploaderTest – this is an ASP.Net project.  Both the ASPX and the .cs file are fully commented.

The only downside to having to run the .Net code on the client is client-side permissions.  By default, code running in the browser runs in one of 3 Code Access Security (CAS) groups that have varying levels of restriction (LocalIntranet, TrustedSites, and Internet).  None of which give access that you need to do what you want.  If the URL does not contain periods [typically only in an Intranet environment], give the LocalIntranet zone FullTrust to have your code run or you can create a custom security code group to fully trust your specific URL.  If the URL has periods, it will run in the InternetZone by default.  Here are the steps in case you are unfamiliar:

1.       On the client machine
2.       Open Administrative Tools
3.       Open the latest .Net Configuration (1.1 or 2.0 Framework)
4.       Expand My Computer | Runtime Security Policy | Machine | Code Groups
5.       Right-click All_Code, select New…
6.       Fill in the Name and click Next
7.       From the “Condition type” dropdown, select URL
8.       For the URL, type in the path to the directory hosting the ASPX and DLL:  http://web01/myapp/*
9.       Click Next and use Full Trust and finish the wizard

Good luck!