File Types not protected by Forms Authentication

Discussion in 'ASP .Net Security' started by MatthewRoberts, Jun 17, 2005.

  1. Howdy All,

    We have an ASP.NET web application that uses Forms Authentication and
    has worked without problems for some time.

    However, we recently added a Shockwave SWF file to the mix for flash
    and interactivity.

    All ASPX, HTML, and other web files are protected by security. If you
    are not properly authenticated but try to access an ASPX or HTML file,
    you will be redirected to the Login page.

    However, if you try to access the SWF file directly, it allows you to
    view the animation without ever authenticating the user.

    Why is this? Are only certain file types protected for Forms
    Authentication? How can you add to that list of file types? Is it a
    MIME type or file extension we should be securing through IIS in some
    way?

    We even tried adding the following to the web.config file:


    <location path="OurAnimation.swf">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>


    such that it should explicitly deny all anonymous, or unauthenticated
    users. But still, this did not work, and direct access to the file is
    allowed by anyone.

    Can anyone shed some light on this issue?

    Thank you in advance for whatever help you can provide.

    Matthew Roberts
    SOURCECORP
    Framework Architect
     
    MatthewRoberts, Jun 17, 2005
    #1

  2. MatthewRoberts

    Brock Allen Guest

    The reason is that IIS handles the requests for those files, not ASP.NET,
    and IIS knows nothing about your intent from web.config. You'd have to route
    that file extension through the aspnet_isapi.dll in IIS to have ASP.NET serve
    it up.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



     
    Brock Allen, Jun 17, 2005
    #2

  3. The asp.net handlers only kick in for files mapped to it in IIS, so it
    suggests extensions for swf are not handled by the asp.net dll and need to
    be. Go to IIS setup and check the file types.

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

     
    John Timney (ASP.NET MVP), Jun 17, 2005
    #3
  4. MatthewRoberts

    Karl Seguin Guest

    There's a pipeline. A request comes into IIS, IIS figures out how to handle
    the request. When the page is an aspx, asmx, adx (various others) IIS
    passes the request to ASP.Net. When the page is a swf, IIS simply streams
    the contents back to the browser and lets it figure out what to do.

    In other words, ASP.Net isn't in play when a request happens for a swf
    file... so obviously forms authentication can't do anything. Two solutions
    frequently recommended are to (a) make asp.net process requests for swf
    files
    (http://www.dotnetjunkies.com/Article/F32DFC79-3AE7-4D9D-BF1D-91B4B6D130C7.dcik)
    or (b) store the .swf file out of your web path and use an aspx file to
    stream it, à la showFile.aspx?fileName=someFile.swf which would take the
    fileName, and stream the binary file to the user...

    Karl

    --
    MY ASP.Net tutorials
    http://www.openmymind.net/ - New and Improved (yes, the popup is
    annoying)
    http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
    come!)
     
    Karl Seguin, Jun 17, 2005
    #4
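
A sketch of option (b) from the post above, added here as an example and not code posted by anyone in the thread. The class name `ShowFile`, the folder `D:\ProtectedMedia` and the use of .NET 2.0 or later APIs are assumptions; the point is that a file-streaming page must validate `fileName`, or it trades an authentication gap for a path traversal one.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical showFile.aspx, requested as
// showFile.aspx?fileName=someFile.swf (class name and folder are assumptions).
public class ShowFile : Page
{
    // Assumed folder outside the web root, so IIS never serves it directly.
    private const string ProtectedRoot = @"D:\ProtectedMedia";

    protected void Page_Load(object sender, EventArgs e)
    {
        // An .aspx request already passes through Forms Authentication;
        // this explicit check keeps the file closed if the authorization
        // rules in web.config are ever loosened.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        string name = Request.QueryString["fileName"];

        // Accept a bare *.swf file name only: no separators, drive letters
        // or other characters that could point outside ProtectedRoot.
        if (string.IsNullOrEmpty(name)
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !name.EndsWith(".swf", StringComparison.OrdinalIgnoreCase))
        {
            throw new HttpException(400, "Invalid file name.");
        }

        string fullPath = Path.Combine(ProtectedRoot, name);
        if (!File.Exists(fullPath))
        {
            throw new HttpException(404, "File not found.");
        }

        // Stream the binary content in place of the page's normal output.
        Response.Clear();
        Response.ContentType = "application/x-shockwave-flash";
        Response.TransmitFile(fullPath);
        Response.End();
    }
}
```
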
  5. Thank you for the quick response. Works like a charm.

    Matthew
     
    MatthewRoberts, Jun 17, 2005
    #5
