HttpHandler not overriding security

Guest

I have an HttpHandler installed on a server in the GAC that I want to grant
public access to across all sites on the server. The problem I have is that
some sites use forms authentication. For these sites I need to override the
security of the public URLs using the GLOBAL web.config file.

When I try to grant anonymous access to a site that uses forms
authentication using the local web.config file it works fine. Example:
<location path="showASPXVersion.ashx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

But since this is a hosted environment I don't have access to the web.config
on each and every app. What I tried to do is add this to the GLOBAL
web.config:
<location path="showASPXVersion.ashx" allowOverride="false">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

While this does not throw an error, it also does not work. Is there a way
to force this page to always be allowed via anonymous access while still
allowing the various applications to use their authentication mechanism of
choice?

More info:
- showASPXVersion.ashx is registered in the GLOBAL web.config and functions
properly for all sites that are configured w/o forms authentication
- the compiled binary for showASPXVersion exists in the GAC

Thanks!
 
Walter Wang [MSFT]

Hi Kevin,

Welcome to MSDN Managed Newsgroup!

Based on my understanding, the issue is that you're not able to override a
child web site's web.config settings in the machine-wide web.config using a
<location> element. It's actually not related to the HTTP handler, since the
following simple test can reproduce the issue you described:

1) Add the following XML snippet to the machine-wide web.config:

<location path="Anonymous.aspx" allowOverride="false">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

2) In a web site that is using Forms authentication and denies anonymous
users:

<authentication mode="Forms">
  <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

3) Create a web page "Anonymous.aspx" in the web site and visit it in a web
browser; it still redirects to Logon.aspx.

4) This issue also doesn't only exist in Forms authentication mode; if
you're using Windows authentication mode, I believe the user account is
automatically used; if you print Request.IsAuthenticated in Anonymous.aspx,
you will find it's True.

5) If we put the <location> XML snippet from step 1) in the web site's
web.config, you will find it works correctly.


Therefore the issue seems to be that the <location> element setting in the
machine-wide web.config doesn't override the web.config in an individual web
site.

Currently I'm consulting on this question in our internal discussion list with
the product team; I'll let you know the result as soon as possible. Thank you
for your patience and understanding.

By the way, I saw that you've posted some posts and somehow they were not
captured in our internal tool system, therefore they were not replied to by
MSFT employees. This might be because your email alias was not activated or
recognized at that time. We're sorry for the inconvenience caused. Anyway,
since your account is set up correctly now, would you please post those
questions again so that our tool can recognize them correctly? Thanks.

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Walter Wang [MSFT]

Hi Kevin,

Sorry for the delayed reply. I was discussing this question with the product
team.

The behavior you're seeing is expected due to the current design of ASP.NET.
We're sorry for the inconvenience. If you think this is important for your
project, please feel free to submit your feedback at
http://connect.microsoft.com/Main/content/content.aspx?ContentID=2220 so
that the product team will know how common this request is and will consider
improving it in a future version.

For now, I'm sorry I didn't find any workaround to let you override each
web site's security settings in global web.config.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
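
Since the thread reports that only a <location> entry in each site's own web.config works, the following added example (not part of the thread and not Microsoft's code) checks a site's web.config for the case where anonymous users are denied and no local exception exists for the handler. The function names and sample configs are constructed for illustration; `verbs` and `roles` attributes and XML namespaces are not handled.

```python
import xml.etree.ElementTree as ET

HANDLER = "showASPXVersion.ashx"  # handler path taken from the thread

def anonymous_verdict(authz):
    """First <allow>/<deny> rule that matches anonymous users ('?' or '*')."""
    for rule in (authz if authz is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
            return rule.tag
    return None

def needs_local_exception(web_config_xml, handler=HANDLER):
    """True if the site denies anonymous users and has no local
    <location> entry re-allowing them for the handler."""
    root = ET.fromstring(web_config_xml)
    if anonymous_verdict(root.find("system.web/authorization")) != "deny":
        return False  # site-level rules do not block anonymous requests
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == handler.lower():
            if anonymous_verdict(loc.find("system.web/authorization")) == "allow":
                return False  # per-site exception already present
    return True

# Constructed sample: the Forms-authentication site from the repro steps.
SITE_BLOCKED = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Logon.aspx" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>"""

# Constructed sample: the same site plus the local <location> exception.
SITE_FIXED = SITE_BLOCKED.replace("</configuration>", """  <location path="showASPXVersion.ashx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
</configuration>""")

if __name__ == "__main__":
    for name, cfg in (("blocked", SITE_BLOCKED), ("fixed", SITE_FIXED)):
        print(name, "needs local exception:", needs_local_exception(cfg))
```
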
 
Walter Wang [MSFT]

Hi Kevin,

Since I haven't seen your reply to my messages, I'm wondering if you have
seen them or not. Would you please reply here to let me know the status?
Also, please feel free to let me know if there's anything else I can help with.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Walter Wang [MSFT]

Kevin,

Thanks for the follow-up. Yes, I've reported this to the product team and
they're aware of this requirement now.

Have a nice day!

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
