a urlauthorization question

Guest

Hi All,

I created a personal website using the VB template in VS 2005, then I
changed the web.config like this:
<location path="Images">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

After saving web.config, I open the URL:
http://localhost/personalwebsite/images/imgfile.jpg

I can see the picture. Is there any other thing that I need to do?

Thanks
 
Steven Cheng[MSFT]

Hi Pony,

Yes, as shimon has mentioned, if you want the image files to also
utilize the ASP.NET URL authorization protection, you need to configure
IIS to forward requests (for those image files) to ASP.NET's extension
DLL (aspnet_isapi.dll).

Basically, in IIS, most requests for static files, such as txt, css, gif,
jpg, js, etc., will be directly processed by IIS instead of the ASP.NET
runtime engine. That's why you find that the protection rules (URL
authorization) you set in web.config don't take effect for image files. To
configure this, you can use the IIS manager (inetmgr.exe) and locate your
application's virtual directory. In the property dialog, choose the "Virtual
Directory" tab and click the "Configuration" button on the sheet; you'll
find all the extension mappings for that virtual directory (generally
they're inherited from the parent virtual directory or IIS site). You can add
a new extension for the file extension which you want ASP.NET to process.
Here is a web article which mentions this setting:

#Protecting Files with ASP.NET
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

#Setting Application Mappings in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4c840252-fab7-427e-a197-7facb6649106.mspx

BTW, basically it will have better performance if we let IIS directly
process those static files, so you need to think over whether you really
need to let ASP.NET take ownership of processing those requests.

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

Thanks Steven,
Actually I want to protect our documents by using URL authorization. As you
say, it will reduce IIS performance. Any suggestions? Or just change the
authorization mode to Windows?
 
Steven Cheng[MSFT]

Thanks for your response Pony,

If you do need to redirect those static files' requests from IIS to the
ASP.NET runtime, I'm afraid there isn't any good means to optimize the
performance, since the overhead is not avoidable.

I'm not very sure of your detailed scenario for those static files or
documents that need protection. However, IMO, if you have some documents
that need protected access, I think you can consider putting them into a
database and using an HttpHandler to dynamically stream them out to the
client side; thus we can provide role-based (or other security) protection
on that HttpHandler. Also, for other normal static documents or files, just
keep them in the IIS virtual directory and let IIS process them.

Regards,

Steven Cheng
Microsoft Online Community Support


Guest

Hi Steven,

This may be a stupid scenario; I don't know whether it's possible or not.

If I create a website, set the authentication mode to Forms, and put the
protected documents or files in a directory that the anonymous user cannot
access, then when the client logs in successfully from a login form, the
client will be the anonymous user, but I can check this user's roles. If the
roles can access the protected documents or files, can I impersonate the
client user as a Windows user that can access the protected documents or
files?

Regards

Pony
 
Steven Cheng[MSFT]

Thanks for your followup Pony,

If you're using forms authentication, that means you will configure IIS to
allow anonymous access, so the logged-in Windows account (from IIS) will be
the IIS anonymous account. After that, if you want to programmatically
impersonate so that ASP.NET executes under a certain Windows user account,
you need to provide a clear-text username/password (do you think that is
possible in your scenario?). I still recommend you consider putting your
protected documents in a certain protected place, like a physical directory
(which cannot be accessed directly by internet users) or in a database, then
let your application programmatically retrieve them based on the application
roles (associated with the client user, authenticated by forms
authentication).

If you have any other ideas or questions, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Community Support
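
An added example, not part of the thread and not Microsoft's code, of the approach suggested in the two replies above: documents live in a folder outside any IIS virtual directory, and an HttpHandler checks the forms-authenticated user's role before streaming a file. The handler name, folder path, `getdoc.ashx` path, `name` query-string parameter and role name are assumptions, and it assumes roles are attached to the forms-authenticated principal (for example by the ASP.NET role manager).

```csharp
// Added example. Assumed names: ProtectedDocHandler, D:\ProtectedDocs,
// getdoc.ashx, the "name" parameter and the "Administrators" role.
// Register under <system.web> in web.config:
//   <httpHandlers>
//     <add verb="GET" path="getdoc.ashx" type="ProtectedDocHandler" />
//   </httpHandlers>
using System.IO;
using System.Web;

public class ProtectedDocHandler : IHttpHandler
{
    // Folder outside every IIS virtual directory, so IIS never serves it directly.
    private const string DocRoot = @"D:\ProtectedDocs\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Role check against the forms-authenticated user, not a Windows account.
        if (!context.User.Identity.IsAuthenticated ||
            !context.User.IsInRole("Administrators"))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Accept a bare file name only: separators, ':' (drive letters, alternate
        // streams), quotes and control characters are all invalid file-name chars.
        string name = context.Request.QueryString["name"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 404;
            return;
        }

        string fullPath = Path.Combine(DocRoot, name);
        if (!File.Exists(fullPath))   // also false for "." and ".." (directories)
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

Because `.ashx` is already mapped to aspnet_isapi.dll, no extra IIS extension mapping is needed, and static files that need no protection stay in the virtual directory for IIS to serve.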


Guest

Hi Steven,

I think I need to study HttpHandlers. Are there any "How To" or "Step by
Step" documents about HttpHandlers?

Thanks
 
Steven Cheng[MSFT]

Thanks for your response Pony,

I think you can have a look at the ASP.NET server HTTP pipeline and the
request/response processing model first. Also, being familiar with IIS's
application extension mapping and how requests get processed and
forwarded in IIS will also be very helpful. You can find much of this info
on the MSDN or TechNet websites.

In addition, here are some good web articles you can have a look at:

#Securely Implement Request Processing, Filtering, and Content Redirection
with HTTP Pipelines in ASP.NET
http://msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/default.aspx?scid=kb;en-us;307985

#Extending ASP.NET with HttpHandlers and HttpModules
http://www.devx.com/dotnet/Article/6962/0/page/3

#How ASP.NET Web Pages are Processed on the Web Server
http://aspnet.4guysfromrolla.com/articles/011404-1.aspx

Hope this also helps.

Regards,

Steven Cheng
Microsoft Online Community Support

