The Static File Middleware doesn’t provide authorization; every file it serves is publicly accessible. Static files are stored in the following directories:
- Web root directory - `{content root}/wwwroot` - it’s the default directory,
- you can also serve files outside the Web root directory by specifying it in the `UseStaticFiles` method as below:
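```csharp
// Requires: using System.IO; using Microsoft.Extensions.FileProviders;
public void Configure(IApplicationBuilder app)
{
    // Serves everything under {content root}/wwwroot without authorization.
    app.UseStaticFiles();

    // Also serves everything under {current directory}/PublicFiles at /pf, again without authorization.
    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), "PublicFiles")),
        RequestPath = "/pf"
    });
}
```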
So if you want to serve files with authorization you should:
- make sure that your file is not in any directory or subdirectory specified in the `UseStaticFiles` methods,
- serve it via an action method in which the `Authorize` attribute is applied.
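The following code is an example of such an action:
```csharp
[Authorize]
public IActionResult GetSecretDocument()
{
    // SecureFiles is not registered with UseStaticFiles, so this action is the only way to reach the file.
    var file = Path.Combine(Directory.GetCurrentDirectory(),
        "SecureFiles", "secret.pdf");
    return PhysicalFile(file, "application/pdf");
}
```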
You can find the complete example in the GitHub repository.
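The action above returns one fixed file. As an added example (not code from the article or its repository), the same pattern generalized to a caller-supplied file name, with a check that the resolved path stays inside the protected directory. The controller name, route and `SecureRoot` field are assumptions; `SecureFiles` is the directory used in the article's action.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

// Hypothetical controller; name and route are illustrative.
public class DocumentsController : Controller
{
    // Must not be wwwroot or any directory (or subdirectory) passed to UseStaticFiles.
    private static readonly string SecureRoot = Path.GetFullPath(
        Path.Combine(Directory.GetCurrentDirectory(), "SecureFiles"));

    // Maps file extensions to MIME types; read-only use after construction.
    private static readonly FileExtensionContentTypeProvider ContentTypes =
        new FileExtensionContentTypeProvider();

    [Authorize]
    [HttpGet("documents/{fileName}")]
    public IActionResult GetDocument(string fileName)
    {
        // The value must be a bare file name: no directory part, not rooted.
        if (string.IsNullOrWhiteSpace(fileName) || fileName != Path.GetFileName(fileName))
            return NotFound();

        // Normalize, then confirm the result is strictly below SecureRoot.
        // This also rejects "." and "..", which pass the bare-name check above.
        var fullPath = Path.GetFullPath(Path.Combine(SecureRoot, fileName));
        if (!fullPath.StartsWith(SecureRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return NotFound();

        // System.IO.File is spelled out because Controller defines its own File(...) method.
        if (!System.IO.File.Exists(fullPath))
            return NotFound();

        // Fall back to a generic type for unknown extensions.
        if (!ContentTypes.TryGetContentType(fullPath, out var contentType))
            contentType = "application/octet-stream";

        return PhysicalFile(fullPath, contentType);
    }
}
```

Every rejection returns the same `NotFound()` result, so the response does not reveal whether a name was malformed or simply absent.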
