Securing a directory and its files with forms authentication

Discussion in 'ASP .Net Security' started by Frank, Apr 15, 2008.

  1. Frank

    Frank Guest

    I have a simple asp.net 2.0 application that includes two components:

    - a file uploader
    - a lister of files that have been uploaded

    Files are word processing documents; they get stored to a "papers"
    subdirectory of the application.

    It would be good if both the file lister *and* the files in "papers"
    were secured. But I sense that IIS and asp.net do not work together
    to protect documents that aren't aspx files. For example, I put an
    index.html file into the papers directory, and asked IIS for that
    document, and was happily sent the document. This, despite a
    <location path="papers"> section in my web.config that includes <deny
    users="?" />.

    I know how to secure a directory with IIS. What I didn't want to do
    was secure both the listing.aspx component *and* the papers
    directory. I suppose another approach would be to put the lister.aspx
    file into the papers directory and secure the directory with IIS and
    forget the authentication in asp.net. But that seems wrong.

    So, maybe someone could tell me where my thinking's gone wrong.

    Thank you very much.
     
    Frank, Apr 15, 2008
    #1

  2. Hi,

    You have to map the file extensions you want to protect to the ASP.NET ISAPI
    DLL.

    Go to IIS application properties and have a look at which DLL the .aspx extension
    is mapped to - now do the same for your docs.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I have a simple asp.net 2.0 application that includes two components:
    >
    > - a file uploader
    > - a lister of files that have been uploaded
    > Files are word processing documents; they get stored to a "papers"
    > subdirectory of the application.
    >
    > It would be good if both the file lister *and* the files in "papers"
    > were secured. But I sense that IIS and asp.net do not work together
    > to protect documents that aren't aspx files. For example, I put an
    > index.html file into the papers directory, and asked IIS for that
    > document, and was happily sent the document. This, despite a
    > <location path="papers"> section in my web.config that includes <deny
    > users="?" />.
    >
    > I know how to secure a directory with IIS. What I didn't want to do
    > was secure both the listing.aspx component *and* the papers
    > directory. I suppose another approach would be to put the lister.aspx
    > file into the papers directory and secure the directory with IIS and
    > forget the authentication in asp.net. But that seems wrong.
    > So, maybe someone could tell me where my thinking's gone wrong.
    >
    > Thank you very much.
    >
     
    Dominick Baier, Apr 17, 2008
    #2
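
Added example (not part of the thread or either poster's code): a web.config fragment showing how the forms-authentication rule on "papers" applies to documents once the extension is mapped to the ASP.NET ISAPI DLL as the reply describes. The `.doc` extension and the `login.aspx` login page are assumptions; the script mapping itself is set in the IIS application properties, not in web.config.

```xml
<!-- web.config at the application root.
     Assumptions: uploaded papers use the .doc extension, login page is login.aspx. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <!-- Takes effect only after IIS maps .doc to the same ISAPI DLL as .aspx.
         Until then IIS serves the file itself and ASP.NET never sees the request,
         which is why the index.html test in the question was not blocked. -->
    <httpHandlers>
      <!-- StaticFileHandler streams the file from disk after the
           authentication and authorization modules have run. -->
      <add verb="GET,HEAD" path="*.doc" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- The rule from the question: anonymous users ("?") are denied for
       everything under papers/ that passes through the ASP.NET pipeline. -->
  <location path="papers">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the result, request a document under papers/ without being signed in: the response should be a redirect to the login page rather than the file. Any extension stored in papers/ that is not mapped this way is still served by IIS without the ASP.NET check.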