Forms authentication and downloading files

Discussion in 'ASP .Net Security' started by Michael Tissington, Oct 9, 2003.

  1. How can I use Forms Authentication to give clients access to download
    specific exe files?

    Thanks.

    --
    Michael Tissington
    http://www.oaklodge.com
    Michael Tissington, Oct 9, 2003
    #1
    1. Advertising

  2. Michael Tissington

    Lauchlan M Guest

    > How can I use Forms Authentication to give clients access to download
    > specific exe files?
    >
    > Thanks.


    I answered this in your other thread.

    Lauchlan M
    Lauchlan M, Oct 9, 2003
    #2
    1. Advertising

  3. Well it does not quite work ... of course I maybe doing something wrong :)

    Before I add the mapping ASP.NET security does nothing and I can download
    the file.
    After I add the mapping then the Forms Authentication works. HOWEVER the
    file is NOT downloaded, I simply get a blank page ...

    Any ideas please.

    --
    Michael Tissington
    http://www.oaklodge.com


    "Lauchlan M" <> wrote in message
    news:%...
    > > How can I use Forms Authentication to give clients access to download
    > > specific exe files?
    > >
    > > Thanks.

    >
    > I answered this in your other thread.
    >
    > Lauchlan M
    >
    >
    Michael Tissington, Oct 9, 2003
    #3
  4. Michael Tissington

    Lauchlan M Guest

    > Before I add the mapping ASP.NET security does nothing and I can download
    > the file.
    > After I add the mapping then the Forms Authentication works. HOWEVER the
    > file is NOT downloaded, I simply get a blank page ...


    Well, that's working then! <g>

    What do you want it to do? You don't want it to go the requested resource,
    because they don't have permission for it. I don't want to spend the time
    looking this up for you, but I expect you would have to generate/handle some
    sort of error code (like 404 page not found, but something custom) and
    provide a page to tell the user they did not have access to that page. Or
    you log them out, or redirect them to the home page, or whatever you want to
    do.

    Maybe you might want to ask on one of the MS IIS newgroups as well, since it
    is much an IIS question as an ASP.NET one.

    FWIW, I handle this in one of the globa.asax methods (ie before the page is
    loaded), and if they are trying to access a resource they don't have
    permissions for, I log them out and bounce them back to the login page, with
    a message telling them they were getting out of line (not in those words of
    course . . .).

    HTH

    Lauchlan M
    Lauchlan M, Oct 10, 2003
    #4
  5. I think I might not have been clear ....

    After I have done the mapping then the exe file is only available after they
    have logged in. However I want them to be able to download the EXE and
    instead all they get is a blank page ...

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "Lauchlan M" <> wrote in message
    news:...
    > > Before I add the mapping ASP.NET security does nothing and I can

    download
    > > the file.
    > > After I add the mapping then the Forms Authentication works. HOWEVER the
    > > file is NOT downloaded, I simply get a blank page ...

    >
    > Well, that's working then! <g>
    >
    > What do you want it to do? You don't want it to go the requested resource,
    > because they don't have permission for it. I don't want to spend the time
    > looking this up for you, but I expect you would have to generate/handle

    some
    > sort of error code (like 404 page not found, but something custom) and
    > provide a page to tell the user they did not have access to that page. Or
    > you log them out, or redirect them to the home page, or whatever you want

    to
    > do.
    >
    > Maybe you might want to ask on one of the MS IIS newgroups as well, since

    it
    > is much an IIS question as an ASP.NET one.
    >
    > FWIW, I handle this in one of the globa.asax methods (ie before the page

    is
    > loaded), and if they are trying to access a resource they don't have
    > permissions for, I log them out and bounce them back to the login page,

    with
    > a message telling them they were getting out of line (not in those words

    of
    > course . . .).
    >
    > HTH
    >
    > Lauchlan M
    >
    >
    Michael Tissington, Oct 10, 2003
    #5
  6. Michael Tissington

    Lauchlan M Guest


    > I think I might not have been clear ....
    >
    > After I have done the mapping then the exe file is only available after

    they
    > have logged in. However I want them to be able to download the EXE and
    > instead all they get is a blank page ...


    I don't know. Try on the IIS group, since this mapping stuff is IIS related.
    Or maybe someone else will chip in.

    Good luck

    Lauchlan M
    Lauchlan M, Oct 10, 2003
    #6
  7. Michael Tissington

    MSFT Guest

    Hi Michael,

    I test following steps on windows server 2003 (IIS 6.0) and they seems to
    be able to resolve the problem.

    In IIS Manager, right click the virtual folder and select
    "Properties/Directory". Click "Configration" button, and then add an
    application extension:

    executable: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll

    extension .exe

    restart IIS. When I input following link in IE:

    Http://localhost/webapplication1/cc.exe

    It will first redirct to the login form and then pop up the download
    dialog. ("webApplication1" has been set with Form Authentication)

    Hope this help,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Oct 10, 2003
    #7
  8. Luke,

    When I do this and I click on my 'exe' link I do get my forms authentication
    page but then I get a blank page, the download of the exe does not happen.

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "MSFT" <> wrote in message
    news:...
    > Hi Michael,
    >
    > I test following steps on windows server 2003 (IIS 6.0) and they seems to
    > be able to resolve the problem.
    >
    > In IIS Manager, right click the virtual folder and select
    > "Properties/Directory". Click "Configration" button, and then add an
    > application extension:
    >
    > executable: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    >
    > extension .exe
    >
    > restart IIS. When I input following link in IE:
    >
    > Http://localhost/webapplication1/cc.exe
    >
    > It will first redirct to the login form and then pop up the download
    > dialog. ("webApplication1" has been set with Form Authentication)
    >
    > Hope this help,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    Michael Tissington, Oct 10, 2003
    #8
  9. Michael Tissington

    MSFT Guest

    Hi Michael,

    If it is not form authentication, what will happen? And your framework and
    IIS version?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Oct 11, 2003
    #9
  10. If I don't use any authentication then when I click on the link I can
    download the exe.
    With forms authentication, after being authenticated I get a blank page.

    This is running on Windows 2003 (so I assume IIS 6 with the latest
    Framework)

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "MSFT" <> wrote in message
    news:...
    > Hi Michael,
    >
    > If it is not form authentication, what will happen? And your framework and
    > IIS version?
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    Michael Tissington, Oct 11, 2003
    #10
  11. Michael Tissington

    MSFT Guest

    Hi Michael,

    If you create a new virtual folder and test again, will this work? I test
    this on two computers: windows 2000 and 2003, both of work fine. Therefore,
    I suspect if this is related to the configrations on your IIS or web
    application, we may try a little more to ensure this. Additionally, when
    opeing the login page, is redirect link correct in IE's adrress bar?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Oct 13, 2003
    #11
  12. Hello,

    I have created a new virtual folder (before I was trying a real folder).

    Now I can not get past my authentication form - it just keeps in a loop.

    In the IE address bar the redirect link is correct.

    In addition it seems that its is trying to run my exe on the server that its
    trying to download - if I don't give the directory Execute permission then
    when I try to view the page I get an error saying that I'm trying to run a
    CGI or EXE ....

    So why is it trying to run it instead of download it ?

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "MSFT" <> wrote in message
    news:...
    > Hi Michael,
    >
    > If you create a new virtual folder and test again, will this work? I test
    > this on two computers: windows 2000 and 2003, both of work fine.

    Therefore,
    > I suspect if this is related to the configrations on your IIS or web
    > application, we may try a little more to ensure this. Additionally, when
    > opeing the login page, is redirect link correct in IE's adrress bar?
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    Michael Tissington, Oct 13, 2003
    #12
  13. Michael Tissington

    MSFT Guest

    Hi Michael,

    I'm thinking that the following config file might help:

    <!-- web.config -->

    <configuration>

    <system.web>

    <httpHandlers>

    <add verb="*" path="*.exe" type="System.Web.StaticFileHandler"/>

    </httpHandlers>

    </system.web>

    </configuration>


    The StaticFileHandler returns the contents of the document and it may solve
    this problem. You may also check you machine.config and web.config, to see
    if there are some httphandler added before.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Oct 15, 2003
    #13
  14. Thanks!

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "MSFT" <> wrote in message
    news:...
    > Hi Michael,
    >
    > I'm thinking that the following config file might help:
    >
    > <!-- web.config -->
    >
    > <configuration>
    >
    > <system.web>
    >
    > <httpHandlers>
    >
    > <add verb="*" path="*.exe" type="System.Web.StaticFileHandler"/>
    >
    > </httpHandlers>
    >
    > </system.web>
    >
    > </configuration>
    >
    >
    > The StaticFileHandler returns the contents of the document and it may

    solve
    > this problem. You may also check you machine.config and web.config, to see
    > if there are some httphandler added before.
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Michael Tissington, Oct 15, 2003
    #14
  15. Luk,

    OK, I can get it working if I do NOT use a virtual directory in IIS.

    If I create a virtual directory then I can never get past the Forms
    Authentication page.
    It authenticates and then displays they logon page again and again ...

    Any idea what would be causing this?

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "MSFT" <> wrote in message
    news:...
    > Hi Michael,
    >
    > I'm thinking that the following config file might help:
    >
    > <!-- web.config -->
    >
    > <configuration>
    >
    > <system.web>
    >
    > <httpHandlers>
    >
    > <add verb="*" path="*.exe" type="System.Web.StaticFileHandler"/>
    >
    > </httpHandlers>
    >
    > </system.web>
    >
    > </configuration>
    >
    >
    > The StaticFileHandler returns the contents of the document and it may

    solve
    > this problem. You may also check you machine.config and web.config, to see
    > if there are some httphandler added before.
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Michael Tissington, Oct 16, 2003
    #15
  16. Michael Tissington

    MSFT Guest

    Hi Michael,

    If we didn't create a virtual folder, it also wouldn't cause the form
    authentication. You can try to add the handler suggested in my previous
    post, to see if it will hep. Addtionally, you may try to download a .dat
    file (also add application extension for .data in IIS) to see if it will
    generate same problem.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Oct 17, 2003
    #16
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Eric
    Replies:
    2
    Views:
    1,407
    Tommy
    Feb 13, 2004
  2. Kamil P
    Replies:
    1
    Views:
    125
    Jim Cheshire [MSFT]
    Nov 10, 2004
  3. Eric
    Replies:
    2
    Views:
    467
  4. Iain
    Replies:
    1
    Views:
    119
  5. thehercman
    Replies:
    0
    Views:
    113
    thehercman
    Jan 20, 2006
Loading...

Share This Page