Authentication of requests to *.htm resources via FormsAuthentication

Discussion in 'ASP .Net' started by Sergey V, Jul 18, 2006.

  1. Sergey V

    Sergey V Guest

    Hi,

    I need to cover by custom authentication algorithm both ASP.NET and other
    resources within the site.
    FormsAuthentication covers only resources beeing handled by ASP.NET. Other
    generic resources can be retrieved without beeing logged on.

    I'm trying to configure the site to handle all resources via ASP.NET. Is it
    possible?

    My results are

    a.. Things are working OK under .NET 2.0 Development Server (started from
    Visual Studio 2005)


    b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm, *.html) are
    not being authenticated.

    Solved by adding ".*" extension mapping to ASP.NET


    c.. Under WinSrv 2003 SP1 / IIS6 there are following problems

    1.. .* - is not recognized as valid extension

    2.. After mapping .htm to ASP.NET - .htm pages are not served anymore.
    a.. Browser shows completely blank page
    b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error code,
    response stream is empty
    c.. IIS log on the server gives error code 200, i.e. OK
    Any ideas to configure this correctly under WinSrv 2003?

    Or probably there is some other better way to imlement custom authentication
    instead of FormsAuthentication?



    Best regards,

    Sergey.
     
    Sergey V, Jul 18, 2006
    #1
    1. Advertising

  2. RE: Authentication of requests to *.htm resources via FormsAuthenticat

    Why not just rename the .htm files as .aspx files?

    "Sergey V" wrote:

    > Hi,
    >
    > I need to cover by custom authentication algorithm both ASP.NET and other
    > resources within the site.
    > FormsAuthentication covers only resources beeing handled by ASP.NET. Other
    > generic resources can be retrieved without beeing logged on.
    >
    > I'm trying to configure the site to handle all resources via ASP.NET. Is it
    > possible?
    >
    > My results are
    >
    > a.. Things are working OK under .NET 2.0 Development Server (started from
    > Visual Studio 2005)
    >
    >
    > b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm, *.html) are
    > not being authenticated.
    >
    > Solved by adding ".*" extension mapping to ASP.NET
    >
    >
    > c.. Under WinSrv 2003 SP1 / IIS6 there are following problems
    >
    > 1.. .* - is not recognized as valid extension
    >
    > 2.. After mapping .htm to ASP.NET - .htm pages are not served anymore.
    > a.. Browser shows completely blank page
    > b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error code,
    > response stream is empty
    > c.. IIS log on the server gives error code 200, i.e. OK
    > Any ideas to configure this correctly under WinSrv 2003?
    >
    > Or probably there is some other better way to imlement custom authentication
    > instead of FormsAuthentication?
    >
    >
    >
    > Best regards,
    >
    > Sergey.
    >
    >
    >
     
    =?Utf-8?B?Y2xpY2tvbg==?=, Jul 18, 2006
    #2
    1. Advertising

  3. Sergey V

    Sergey V Guest

    Re: Authentication of requests to *.htm resources via FormsAuthenticat

    Yes,

    this will work for *.htm files - though we have plenty of them in legacy
    site. And proper configuration of the site will make much less headache.

    But what about *.doc and *.xls files? The question is about any resource
    within protected folders in general.

    "clickon" <> wrote in message
    news:D...
    > Why not just rename the .htm files as .aspx files?
    >
    > "Sergey V" wrote:
    >
    >> Hi,
    >>
    >> I need to cover by custom authentication algorithm both ASP.NET and other
    >> resources within the site.
    >> FormsAuthentication covers only resources beeing handled by ASP.NET.
    >> Other
    >> generic resources can be retrieved without beeing logged on.
    >>
    >> I'm trying to configure the site to handle all resources via ASP.NET. Is
    >> it
    >> possible?
    >>
    >> My results are
    >>
    >> a.. Things are working OK under .NET 2.0 Development Server (started
    >> from
    >> Visual Studio 2005)
    >>
    >>
    >> b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm, *.html)
    >> are
    >> not being authenticated.
    >>
    >> Solved by adding ".*" extension mapping to ASP.NET
    >>
    >>
    >> c.. Under WinSrv 2003 SP1 / IIS6 there are following problems
    >>
    >> 1.. .* - is not recognized as valid extension
    >>
    >> 2.. After mapping .htm to ASP.NET - .htm pages are not served
    >> anymore.
    >> a.. Browser shows completely blank page
    >> b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error
    >> code,
    >> response stream is empty
    >> c.. IIS log on the server gives error code 200, i.e. OK
    >> Any ideas to configure this correctly under WinSrv 2003?
    >>
    >> Or probably there is some other better way to imlement custom
    >> authentication
    >> instead of FormsAuthentication?
    >>
    >>
    >>
    >> Best regards,
    >>
    >> Sergey.
    >>
    >>
    >>
     
    Sergey V, Jul 18, 2006
    #3
  4. Re: Authentication of requests to *.htm resources via FormsAuthenticat

    The standard way to do this is to map the extensions you want served by
    ASP.NET to ASP.NET in the script mappings in IIS (or just use a wildcard
    map). Then, in your web.config file, you map the static file extensions to
    the StaticFileHandler in the httpHandlers config section.

    There are some drawbacks to doing this, but it will work for the most part.

    IIS 7 makes this super easy.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Sergey V" <> wrote in message
    news:uJyo$...
    > Yes,
    >
    > this will work for *.htm files - though we have plenty of them in legacy
    > site. And proper configuration of the site will make much less headache.
    >
    > But what about *.doc and *.xls files? The question is about any resource
    > within protected folders in general.
    >
    > "clickon" <> wrote in message
    > news:D...
    >> Why not just rename the .htm files as .aspx files?
    >>
    >> "Sergey V" wrote:
    >>
    >>> Hi,
    >>>
    >>> I need to cover by custom authentication algorithm both ASP.NET and
    >>> other
    >>> resources within the site.
    >>> FormsAuthentication covers only resources beeing handled by ASP.NET.
    >>> Other
    >>> generic resources can be retrieved without beeing logged on.
    >>>
    >>> I'm trying to configure the site to handle all resources via ASP.NET. Is
    >>> it
    >>> possible?
    >>>
    >>> My results are
    >>>
    >>> a.. Things are working OK under .NET 2.0 Development Server (started
    >>> from
    >>> Visual Studio 2005)
    >>>
    >>>
    >>> b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm, *.html)
    >>> are
    >>> not being authenticated.
    >>>
    >>> Solved by adding ".*" extension mapping to ASP.NET
    >>>
    >>>
    >>> c.. Under WinSrv 2003 SP1 / IIS6 there are following problems
    >>>
    >>> 1.. .* - is not recognized as valid extension
    >>>
    >>> 2.. After mapping .htm to ASP.NET - .htm pages are not served
    >>> anymore.
    >>> a.. Browser shows completely blank page
    >>> b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error
    >>> code,
    >>> response stream is empty
    >>> c.. IIS log on the server gives error code 200, i.e. OK
    >>> Any ideas to configure this correctly under WinSrv 2003?
    >>>
    >>> Or probably there is some other better way to imlement custom
    >>> authentication
    >>> instead of FormsAuthentication?
    >>>
    >>>
    >>>
    >>> Best regards,
    >>>
    >>> Sergey.
    >>>
    >>>
    >>>

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Jul 18, 2006
    #4
  5. Sergey V

    Sergey V Guest

    Re: Authentication of requests to *.htm resources via FormsAuthenticat

    Thanks Joe,

    adding following to web.config really helps.

    <system.web>
    <httpHandlers>
    <add path="*.htm" verb="GET,HEAD"
    type="System.Web.StaticFileHandler" validate="True" />
    </httpHandlers>
    </system.web>

    Can you provide more details about drawbacks? Do not want to have some
    surpises on production site.

    Thanks,
    Sergey.


    PS: MS is very short in his docs as usual.

    Frequently Asked Questions
    http://msdn.microsoft.com/asp.net/support/faq/default.aspx

    Configuring ASP.NET 2.0
    I used the ASP.NET configuration system to restrict access to my ASP.NET
    application, but anonymous users can still view some of my files. Why is
    that?

    The features of the ASP.NET configuration system only apply to ASP.NET
    resources. For example, Forms Authentication only restricts access to
    ASP.NET files, not to static files or ASP (classic) files unless those
    resources are mapped to ASP.NET file name extensions. Use the configuration
    features of IIS to configure non-ASP.NET resources.

    How do we use configuration features of IIS for this purpose? No details.


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > The standard way to do this is to map the extensions you want served by
    > ASP.NET to ASP.NET in the script mappings in IIS (or just use a wildcard
    > map). Then, in your web.config file, you map the static file extensions
    > to the StaticFileHandler in the httpHandlers config section.
    >
    > There are some drawbacks to doing this, but it will work for the most
    > part.
    >
    > IIS 7 makes this super easy.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
    > "Sergey V" <> wrote in message
    > news:uJyo$...
    >> Yes,
    >>
    >> this will work for *.htm files - though we have plenty of them in legacy
    >> site. And proper configuration of the site will make much less headache.
    >>
    >> But what about *.doc and *.xls files? The question is about any resource
    >> within protected folders in general.
    >>
    >> "clickon" <> wrote in message
    >> news:D...
    >>> Why not just rename the .htm files as .aspx files?
    >>>
    >>> "Sergey V" wrote:
    >>>
    >>>> Hi,
    >>>>
    >>>> I need to cover by custom authentication algorithm both ASP.NET and
    >>>> other
    >>>> resources within the site.
    >>>> FormsAuthentication covers only resources beeing handled by ASP.NET.
    >>>> Other
    >>>> generic resources can be retrieved without beeing logged on.
    >>>>
    >>>> I'm trying to configure the site to handle all resources via ASP.NET.
    >>>> Is it
    >>>> possible?
    >>>>
    >>>> My results are
    >>>>
    >>>> a.. Things are working OK under .NET 2.0 Development Server (started
    >>>> from
    >>>> Visual Studio 2005)
    >>>>
    >>>>
    >>>> b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm,
    >>>> *.html) are
    >>>> not being authenticated.
    >>>>
    >>>> Solved by adding ".*" extension mapping to ASP.NET
    >>>>
    >>>>
    >>>> c.. Under WinSrv 2003 SP1 / IIS6 there are following problems
    >>>>
    >>>> 1.. .* - is not recognized as valid extension
    >>>>
    >>>> 2.. After mapping .htm to ASP.NET - .htm pages are not served
    >>>> anymore.
    >>>> a.. Browser shows completely blank page
    >>>> b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error
    >>>> code,
    >>>> response stream is empty
    >>>> c.. IIS log on the server gives error code 200, i.e. OK
    >>>> Any ideas to configure this correctly under WinSrv 2003?
    >>>>
    >>>> Or probably there is some other better way to imlement custom
    >>>> authentication
    >>>> instead of FormsAuthentication?
    >>>>
    >>>>
    >>>>
    >>>> Best regards,
    >>>>
    >>>> Sergey.
    >>>>
    >>>>
    >>>>

    >>
    >>

    >
    >
     
    Sergey V, Jul 18, 2006
    #5
  6. Re: Authentication of requests to *.htm resources via FormsAuthenticat

    Hi,

    on IIS 6 just add a wildcard mapping for ASP.NET - that's on the same dialog
    where you add individual mappings -

    add an entry that points to the 2.0 aspnet_isapi.dll - also uncheck "verify
    that file exists"

    afterwards you should remove the individual mappings, you also don't need
    any handler mapped to .htm in web.config then.


    this makes ASP.NET handle all requests in a very efficient fashion.

    I don't see any drawback here.

    dominick


    > The standard way to do this is to map the extensions you want served
    > by ASP.NET to ASP.NET in the script mappings in IIS (or just use a
    > wildcard map). Then, in your web.config file, you map the static file
    > extensions to the StaticFileHandler in the httpHandlers config
    > section.
    >
    > There are some drawbacks to doing this, but it will work for the most
    > part.
    >
    > IIS 7 makes this super easy.
    >
    > Joe K.
    >
     
    Dominick Baier, Jul 18, 2006
    #6
  7. Re: Authentication of requests to *.htm resources via FormsAuthenticat

    The drawbacks that I'm aware of are that it is much slower to route things
    through ASP.NET that IIS could have handled directly. If performance is an
    issue, you might want to test in this scenario and make sure you are still
    meeting your stated perf goals.

    As I recall, there is another functional drawback, but I can't actually
    remember what it is. :) I don't think it is a major issue though. I'm
    basically agreed with Dominick on this one.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Sergey V" <> wrote in message
    news:...
    > Thanks Joe,
    >
    > adding following to web.config really helps.
    >
    > <system.web>
    > <httpHandlers>
    > <add path="*.htm" verb="GET,HEAD"
    > type="System.Web.StaticFileHandler" validate="True" />
    > </httpHandlers>
    > </system.web>
    >
    > Can you provide more details about drawbacks? Do not want to have some
    > surpises on production site.
    >
    > Thanks,
    > Sergey.
    >
    >
    > PS: MS is very short in his docs as usual.
    >
    > Frequently Asked Questions
    > http://msdn.microsoft.com/asp.net/support/faq/default.aspx
    >
    > Configuring ASP.NET 2.0
    > I used the ASP.NET configuration system to restrict access to my ASP.NET
    > application, but anonymous users can still view some of my files. Why is
    > that?
    >
    > The features of the ASP.NET configuration system only apply to ASP.NET
    > resources. For example, Forms Authentication only restricts access to
    > ASP.NET files, not to static files or ASP (classic) files unless those
    > resources are mapped to ASP.NET file name extensions. Use the
    > configuration features of IIS to configure non-ASP.NET resources.
    >
    > How do we use configuration features of IIS for this purpose? No details.
    >
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    >> The standard way to do this is to map the extensions you want served by
    >> ASP.NET to ASP.NET in the script mappings in IIS (or just use a wildcard
    >> map). Then, in your web.config file, you map the static file extensions
    >> to the StaticFileHandler in the httpHandlers config section.
    >>
    >> There are some drawbacks to doing this, but it will work for the most
    >> part.
    >>
    >> IIS 7 makes this super easy.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Sergey V" <> wrote in message
    >> news:uJyo$...
    >>> Yes,
    >>>
    >>> this will work for *.htm files - though we have plenty of them in legacy
    >>> site. And proper configuration of the site will make much less headache.
    >>>
    >>> But what about *.doc and *.xls files? The question is about any resource
    >>> within protected folders in general.
    >>>
    >>> "clickon" <> wrote in message
    >>> news:D...
    >>>> Why not just rename the .htm files as .aspx files?
    >>>>
    >>>> "Sergey V" wrote:
    >>>>
    >>>>> Hi,
    >>>>>
    >>>>> I need to cover by custom authentication algorithm both ASP.NET and
    >>>>> other
    >>>>> resources within the site.
    >>>>> FormsAuthentication covers only resources beeing handled by ASP.NET.
    >>>>> Other
    >>>>> generic resources can be retrieved without beeing logged on.
    >>>>>
    >>>>> I'm trying to configure the site to handle all resources via ASP.NET.
    >>>>> Is it
    >>>>> possible?
    >>>>>
    >>>>> My results are
    >>>>>
    >>>>> a.. Things are working OK under .NET 2.0 Development Server (started
    >>>>> from
    >>>>> Visual Studio 2005)
    >>>>>
    >>>>>
    >>>>> b.. Under local WinXP IIS - non-ASP.NET resources (like *.htm,
    >>>>> *.html) are
    >>>>> not being authenticated.
    >>>>>
    >>>>> Solved by adding ".*" extension mapping to ASP.NET
    >>>>>
    >>>>>
    >>>>> c.. Under WinSrv 2003 SP1 / IIS6 there are following problems
    >>>>>
    >>>>> 1.. .* - is not recognized as valid extension
    >>>>>
    >>>>> 2.. After mapping .htm to ASP.NET - .htm pages are not served
    >>>>> anymore.
    >>>>> a.. Browser shows completely blank page
    >>>>> b.. HTTP Watch tracks ERROR_HTTP_INVALID_SERVER_RESPONSE error
    >>>>> code,
    >>>>> response stream is empty
    >>>>> c.. IIS log on the server gives error code 200, i.e. OK
    >>>>> Any ideas to configure this correctly under WinSrv 2003?
    >>>>>
    >>>>> Or probably there is some other better way to imlement custom
    >>>>> authentication
    >>>>> instead of FormsAuthentication?
    >>>>>
    >>>>>
    >>>>>
    >>>>> Best regards,
    >>>>>
    >>>>> Sergey.
    >>>>>
    >>>>>
    >>>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Jul 18, 2006
    #7
  8. Re: Authentication of requests to *.htm resources via FormsAuthenticat

    the perf drawback is in 1.1 and IIS5

    In 2.0 they use a new feature that bounces back requests in HandlerExecute
    to IIS6 to serve them

    Pre and Post Events still run - which is kinda close to whats happening in
    IIS 7.

    dominick


    > The drawbacks that I'm aware of are that it is much slower to route
    > things through ASP.NET that IIS could have handled directly. If
    > performance is an issue, you might want to test in this scenario and
    > make sure you are still meeting your stated perf goals.
    >
    > As I recall, there is another functional drawback, but I can't
    > actually remember what it is. :) I don't think it is a major issue
    > though. I'm basically agreed with Dominick on this one.
    >
    > Joe K.
    >
     
    Dominick Baier, Jul 18, 2006
    #8
  9. Re: Authentication of requests to *.htm resources via FormsAuthenticat

    Cool, good to know.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > the perf drawback is in 1.1 and IIS5
    >
    > In 2.0 they use a new feature that bounces back requests in HandlerExecute
    > to IIS6 to serve them
    >
    > Pre and Post Events still run - which is kinda close to whats happening in
    > IIS 7.
    >
    > dominick
     
    Joe Kaplan \(MVP - ADSI\), Jul 18, 2006
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. lh
    Replies:
    2
    Views:
    477
  2. Fernando Arámburu

    web requests and mobile requests

    Fernando Arámburu, Apr 8, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    473
    Joerg Jooss
    Apr 8, 2005
  3. Kamil P
    Replies:
    1
    Views:
    153
    Jim Cheshire [MSFT]
    Nov 10, 2004
  4. Sergey V
    Replies:
    8
    Views:
    194
    Joe Kaplan \(MVP - ADSI\)
    Jul 18, 2006
  5. Replies:
    6
    Views:
    188
    Dr.Ruud
    Feb 6, 2007
Loading...

Share This Page