Forms-Based Authentication and NON ASP.NET Assets

Discussion in 'ASP .Net Security' started by Alex Maghen, Feb 20, 2005.

  1. Alex Maghen

    Alex Maghen Guest

    I have a feeling you're gonna say no but, is there any way, with ASP.NET
    Forms-Based Authentication, to protect access to NON ASP.NET objects? For
    example, if I have a directory that has .ASPX files AND, say, JPEG files
    (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
    can still come back any time and download it without being sent to the Login
    page. I assume this is because, for a JPEG file, ASP.NET is not involved at
    all in the whole IIS loop.

    Right?

    Alex
     
    Alex Maghen, Feb 20, 2005
    #1

  2. Geir Aamodt

    Geir Aamodt Guest

    Alex,

    you are correct....

    .......5 minutes later

    I found the following, see snippet below, at
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMGlance.asp

    I have not tested it yet, but it might be possible to add a new verb like:
    <add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" />

    As I said, not sure if this will work, might be worth a try.

    If it does not work, you're still correct Alex

    --

    Best regards,
    Geir Aamodt
    geir.aamodt(AT)bekk.no

    ----------------Snippet start----------------
    Map Protected Resources to HttpForbiddenHandler
    HTTP handlers are located in Machine.config beneath the <httpHandlers>
    element. HTTP handlers are responsible for processing Web requests for
    specific file extensions. Remoting should not be enabled on front-end Web
    servers; enable Remoting only on middle-tier application servers that are
    isolated from the Internet.

    The following file extensions are mapped in Machine.config to HTTP
    handlers:

    - .aspx is used for ASP.NET pages.
    - .rem and .soap are used for Remoting.
    - .asmx is used for Web Services.
    - .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp,
      .licx, .resx, and .resources are protected resources and are mapped to
      System.Web.HttpForbiddenHandler.

    For .NET Framework resources, if you do not use a file extension, then map
    the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown
    in the following example:

    <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
    In this case, the .vbproj file extension is mapped to
    System.Web.HttpForbiddenHandler. If a client requests a path that ends with
    .vbproj, then ASP.NET returns a message that states "This type of page is
    not served."

    The following guidelines apply to handling .NET Framework file extensions:

    - Map extensions you do not use to HttpForbiddenHandler. If you do not
      serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do not
      use Web Services, then map .asmx to HttpForbiddenHandler.
    - Disable Remoting on Internet-facing Web servers. Map remoting
      extensions (.soap and .rem) on Internet-facing Web servers to
      HttpForbiddenHandler.
    ----------------Snippet end----------------



    "Alex Maghen" <> wrote in message
    news:...
    > I have a feeling you're gonna say no but, is there any way, with ASP.NET
    > Forms-Based Authentication, to protect access to NON ASP.NET objects? For
    > example, if I have a directory that has .ASPX files AND, say, JPEG files
    > (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
    > can still come back any time and download it without being sent to the Login
    > page. I assume this is because, for a JPEG file, ASP.NET is not involved at
    > all in the whole IIS loop.
    >
    > Right?
    >
    > Alex
     
    Geir Aamodt, Feb 21, 2005
    #2

  3. IPGrunt

    IPGrunt Guest

    On 20 Feb 2005, "Alex Maghen"
    <> postulated in news:CEF1ED71-
    :

    > I have a feeling you're gonna say no but, is there any way, with ASP.NET
    > Forms-Based Authentication, to protect access to NON ASP.NET objects? For
    > example, if I have a directory that has .ASPX files AND, say, JPEG files
    > (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
    > can still come back any time and download it without being sent to the Login
    > page. I assume this is because, for a JPEG file, ASP.NET is not involved at
    > all in the whole IIS loop.
    >
    > Right?
    >
    > Alex


    It's an interesting problem that I may have to solve myself for access
    to other types of files, like PDFs, in a pay-for-access document
    control system I need to design for a client.

    IIS and Windows ACLs determine who gets access to a website folder.

    You'd have to investigate impersonation in ASP.NET, but I can imagine a
    design where the default IIS account doesn't have access to JPG files
    in a certain folder, but the entity impersonated by your ASP.NET app
    does.

    Another approach might be through ISAPI filters, though these are
    different with IIS6.0 and IIS5.1 and I'd have to solve the problem on
    two different platforms.

    Is this a real problem you're trying to solve, or are you just
    what-if-ing?

    -- ipgrunt
     
    IPGrunt, Feb 21, 2005
    #3
  4. WJ

    WJ Guest

    If these objects/files are sensitive, the safest way to store them is
    "database" in the form of "image". I do this for documents and images. They
    work OK.

    John

    "Alex Maghen" <> wrote in message
    news:...
    > I have a feeling you're gonna say no but, is there any way, with ASP.NET
    > Forms-Based Authentication, to protect access to NON ASP.NET objects? For
    > example, if I have a directory that has .ASPX files AND, say, JPEG files
    > (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
    > can still come back any time and download it without being sent to the Login
    > page. I assume this is because, for a JPEG file, ASP.NET is not involved at
    > all in the whole IIS loop.
    >
    > Right?
    >
    > Alex
     
    WJ, Feb 21, 2005
    #4
  5. ranganh

    ranganh Guest

    Hi,

    You can use Forms Authentication and deny access to PDF and for that matter
    any static files that are handled by IIS with a simple configuration of the
    IIS Configuration Manager settings.

    Please check
    http://aspnet_harish.blogspot.com/2004/07/securing-pdfs-docs-in-forms.html

    Thanks.

    "IPGrunt" wrote:

    > On 20 Feb 2005, "Alex Maghen"
    > <> postulated in news:CEF1ED71-
    > :
    >
    > > I have a feeling you're gonna say no but, is there any way, with ASP.NET
    > > Forms-Based Authentication, to protect access to NON ASP.NET objects? For
    > > example, if I have a directory that has .ASPX files AND, say, JPEG files
    > > (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
    > > can still come back any time and download it without being sent to the Login
    > > page. I assume this is because, for a JPEG file, ASP.NET is not involved at
    > > all in the whole IIS loop.
    > >
    > > Right?
    > >
    > > Alex
    >
    > It's an interesting problem that I may have to solve myself for access
    > to other types of files, like PDFs, in a pay-for-access document
    > control system I need to design for a client.
    >
    > IIS and Windows ACLs determine who gets access to a website folder.
    >
    > You'd have to investigate impersonation in ASP.NET, but I can imagine a
    > design where the default IIS account doesn't have access to JPG files
    > in a certain folder, but the entity impersonated by your ASP.NET app
    > does.
    >
    > Another approach might be through ISAPI filters, though these are
    > different with IIS6.0 and IIS5.1 and I'd have to solve the problem on
    > two different platforms.
    >
    > Is this a real problem you're trying to solve, or are you just
    > what-if-ing?
    >
    > -- ipgrunt
    >
     
    ranganh, Feb 22, 2005
    #5
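The thread's answer, in working form. Post #2 shows how Machine.config keeps project files unreachable with HttpForbiddenHandler, and post #5 points out that static files only fall under Forms Authentication once IIS hands their extensions to ASP.NET. The handler below is an added example written for this page; it is not code from any poster, from the linked blog, or from MSDN. It assumes ASP.NET 2.0, an assembly named Demo, and the .pdf and .jpg extensions; the web.config fragment in the leading comment and every name in it are choices made for the example.

```csharp
// Added example for this thread (not code from any poster or from MSDN).
// Assumes ASP.NET 2.0 and an assembly named "Demo" (both assumptions).
// Shows the approach from post #5: let ASP.NET see requests for static
// files so Forms Authentication applies, then serve the file from a handler.
// Assumed web.config (names are placeholders chosen for this example):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- anonymous requests are sent to Login.aspx -->
//     </authorization>
//     <httpHandlers>
//       <!-- project files stay unreachable, as in the MSDN snippet in post #2 -->
//       <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
//       <!-- .pdf and .jpg now pass through ASP.NET instead of plain IIS -->
//       <add verb="GET,HEAD" path="*.pdf" type="Demo.ProtectedFileHandler, Demo" />
//       <add verb="GET,HEAD" path="*.jpg" type="Demo.ProtectedFileHandler, Demo" />
//     </httpHandlers>
//   </system.web>
//
// IIS must also map .pdf and .jpg to aspnet_isapi.dll (application mappings
// on IIS 5/6); without that mapping IIS serves the bytes itself and neither
// this handler nor Forms Authentication ever runs.

using System;
using System.IO;
using System.Web;

namespace Demo
{
    public class ProtectedFileHandler : IHttpHandler
    {
        // One instance can safely serve many requests: the handler keeps no state.
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;

            // <authorization> has already redirected anonymous users, but a
            // handler should not trust the pipeline alone: re-check the identity.
            if (context.User == null || !context.User.Identity.IsAuthenticated)
            {
                response.StatusCode = 401;
                response.End();
                return;
            }

            // IIS has already mapped the URL to a physical path; confirm the
            // result still lies under the application root before touching disk.
            string physicalPath = Path.GetFullPath(request.PhysicalPath);
            string appRoot = Path.GetFullPath(request.PhysicalApplicationPath);
            if (!physicalPath.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase))
            {
                response.StatusCode = 403;
                response.End();
                return;
            }

            if (!File.Exists(physicalPath))
            {
                response.StatusCode = 404;
                response.End();
                return;
            }

            response.ContentType = ContentTypeFor(Path.GetExtension(physicalPath));
            // A protected file must not be stored by shared caches or proxies,
            // or a later anonymous request for the URL could be answered from there.
            response.Cache.SetCacheability(HttpCacheability.Private);
            response.Cache.SetNoStore();

            if (string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase))
            {
                response.End();
                return;
            }
            // Streams the file to the client without loading it into memory whole.
            response.TransmitFile(physicalPath);
        }

        // Minimal extension-to-MIME map for the extensions registered above.
        private static string ContentTypeFor(string extension)
        {
            switch (extension.ToLowerInvariant())
            {
                case ".pdf": return "application/pdf";
                case ".jpg":
                case ".jpeg": return "image/jpeg";
                default: return "application/octet-stream";
            }
        }
    }
}
```

The same handler shape covers post #4's approach: if the documents live in a database rather than on disk, the identity check and cache headers stay as they are and the TransmitFile call is replaced by writing the stored bytes to the response. Either way, the check to make before deploying is the IIS side: request a protected .jpg as an anonymous user and confirm you are redirected to the login page rather than receiving the image.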