Authentication of requests to *.htm resources via FormsAuthentication

Sergey V

Hi,

I need to cover both ASP.NET and other resources within the site with a
custom authentication algorithm.
FormsAuthentication covers only resources being handled by ASP.NET. Other
generic resources can be retrieved without being logged on.

I'm trying to configure the site to handle all resources via ASP.NET. Is it
possible?

My results are

a. Things are working OK under .NET 2.0 Development Server (started from
Visual Studio 2005)

b. Under local WinXP IIS - non-ASP.NET resources (like *.htm, *.html) are
not being authenticated.

Solved by adding ".*" extension mapping to ASP.NET

c. Under WinSrv 2003 SP1 / IIS6 there are following problems

   1. .* - is not recognized as valid extension

   2. After mapping .htm to ASP.NET - .htm pages are not served anymore.
      a. Browser shows completely blank page
      b. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error code,
         response stream is empty
      c. IIS log on the server gives error code 200, i.e. OK

Any ideas to configure this correctly under WinSrv 2003?

Or probably there is some other better way to implement custom authentication
instead of FormsAuthentication?



Best regards,

Sergey.
 
Sergey V

Yes,

this will work for *.htm files - though we have plenty of them in legacy
site. And proper configuration of the site will make much less headache.

But what about *.doc and *.xls files? The question is about any resource
within protected folders in general.
 
Joe Kaplan (MVP - ADSI)

The standard way to do this is to map the extensions you want served by
ASP.NET to ASP.NET in the script mappings in IIS (or just use a wildcard
map). Then, in your web.config file, you map the static file extensions to
the StaticFileHandler in the httpHandlers config section.

There are some drawbacks to doing this, but it will work for the most part.

IIS 7 makes this super easy.

Joe K.
 
Sergey V

Thanks Joe,

adding following to web.config really helps.

<system.web>
  <httpHandlers>
    <add path="*.htm" verb="GET,HEAD"
         type="System.Web.StaticFileHandler" validate="True" />
  </httpHandlers>
</system.web>

Can you provide more details about drawbacks? Do not want to have some
surprises on production site.

Thanks,
Sergey.


PS: MS is very short in his docs as usual.

Frequently Asked Questions
http://msdn.microsoft.com/asp.net/support/faq/default.aspx

Configuring ASP.NET 2.0
I used the ASP.NET configuration system to restrict access to my ASP.NET
application, but anonymous users can still view some of my files. Why is
that?

The features of the ASP.NET configuration system only apply to ASP.NET
resources. For example, Forms Authentication only restricts access to
ASP.NET files, not to static files or ASP (classic) files unless those
resources are mapped to ASP.NET file name extensions. Use the configuration
features of IIS to configure non-ASP.NET resources.

How do we use configuration features of IIS for this purpose? No details.
 
Dominick Baier

Hi,

on IIS 6 just add a wildcard mapping for ASP.NET - that's on the same dialog
where you add individual mappings -

add an entry that points to the 2.0 aspnet_isapi.dll - also uncheck "verify
that file exists"

afterwards you should remove the individual mappings, you also don't need
any handler mapped to .htm in web.config then.


this makes ASP.NET handle all requests in a very efficient fashion.

I don't see any drawback here.

dominick
 
Joe Kaplan (MVP - ADSI)

The drawbacks that I'm aware of are that it is much slower to route things
through ASP.NET that IIS could have handled directly. If performance is an
issue, you might want to test in this scenario and make sure you are still
meeting your stated perf goals.

As I recall, there is another functional drawback, but I can't actually
remember what it is. :) I don't think it is a major issue though. I'm
basically agreed with Dominick on this one.

Joe K.
 
Dominick Baier

the perf drawback is in 1.1 and IIS5

In 2.0 they use a new feature that bounces back requests in HandlerExecute
to IIS6 to serve them

Pre and Post Events still run - which is kinda close to what's happening in
IIS 7.

dominick
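
An added example, not part of the original thread: a web.config sketch that combines the handler entry Sergey posted with forms authentication rules, extended to the *.doc and *.xls files he asked about. The folder name Protected and the login page Login.aspx are assumptions, and the sketch presumes these extensions are already mapped to aspnet_isapi.dll in the IIS script mappings.

```xml
<?xml version="1.0"?>
<!-- Added example. "Protected" and "Login.aspx" are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms authentication for the application; unauthenticated
         requests to protected paths are redirected to loginUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Static types routed to ASP.NET by the IIS script mappings are
         handed to the static file handler after the authentication and
         authorization stages have run. Same entry as the *.htm one in
         the thread, repeated per extension. -->
    <httpHandlers>
      <add path="*.htm"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="True" />
      <add path="*.html" verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="True" />
      <add path="*.doc"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="True" />
      <add path="*.xls"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="True" />
    </httpHandlers>
  </system.web>

  <!-- Deny anonymous users ("?") everything under the protected folder,
       whatever the file type, as long as the request reaches ASP.NET. -->
  <location path="Protected">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the wildcard mapping Dominick describes, the per-extension httpHandlers entries are left out, as his post says; the authorization rule stays the same.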
 
