Securing file access in Azure Storage using WebApi

0
votes

I've developed an application which users can upload their files and share them with each other. The files are some private files for each user and public files like profile pictures. I'm storing the files in Azure File Storage.

Assume that I have a method to retrieve a file with its id: I've implemented the permissions in the file access methods in WebApi controllers.

Is Azure File Storage is proper storage type for this scenario?

What is the best way to retrieve the files from Azure Storage? Should I read the files server-side (using Azure .NET SDK) and stream them to the clients? Is there any way to avoid streaming the file in WebApi then clients can access the file directly from Azure File Storage (considering the permission)?

Thanks

3
azureasp.net-web-apiazure-storage-blobsazure-cdnazure-storage-files

3 Answers

2
votes

Azure File Storage exists mainly to allow lift and shift of legacy applications to the cloud. I would recommend using Blob Storage combined with SAS tokens for your problem. Using the SAS tokens you can control access permissions on a blob level. And this avoids the need to get your files on the web server first, before relaying them to the end users.

1
votes

SAS and REST access are supported in both Azure Files and Azure Blob Storage. Azure Files support other key scenarios besides life & shift. Although a bit old, this article (https://blogs.msdn.microsoft.com/windowsazurestorage/2014/05/12/introducing-microsoft-azure-file-service/) explains the difference between Azure Blob vs Azure Files vs. Azure Disks. You should also factors such as size limit for your share, folder structure, ability to natively mount to a VM, maximum file/object size, throughput requirements, pricing, SMB/REST support and etc. If you still have questions, please send an email to azurefiles AT microsoft.com and we will be happy to review your scenario and recommend the option suitable to your usage scenario.

Aung

1
votes

As I know, we can use Azure blob storage to store your files. Azure blob Storage containers provide three access level: Full public read access, Public read access for blobs only, no public read access. Refer to this article for more details. For your scenario, please save private files in “no public read access”, and save public file in “Public read access for blobs only”. So that the user cannot access your private files but can read your public files. If you want to share private files to others, please try SAS as LoekD mentioned. If you want to expired the SAS token in server side. Please try to use SAS policy to do it. Read this article for more details.